Insider Threats, Advanced Persistent Threats, Spear Phishing: these terms are enough to keep CISOs awake at night. In days gone by, you could identify a piece of malware, add it to a threat list and eliminate it. The new generation of security threats is much harder to find: each one is new and is often tailored to the victim.
A new Quocirca report shows that the more visibility businesses have into these new security threats, the more concerned about them they become. ‘Master of Machines II: Conquering complexity with operational intelligence’ asked European organisations about their top technology concerns and about their ability to capture and use machine data. Most of the top concerns, such as downtime and managing data chaos, were lower in organisations with greater operational intelligence (the ability to draw intelligence from machine data). The odd one out is security: companies with higher levels of operational intelligence are actually more concerned about security threats.
Those with the highest level of operational intelligence gave security an average concern rating of 3.88. The average across the whole survey was 2.58. Those with very low operational intelligence rated security at 2.09, which suggests that they may simply have their heads in the sand.
While this general pattern holds across Europe, the national level of security focus does cause variance country by country. France, for instance, has the highest level of operational intelligence, yet that does not make it the most concerned about security (2.04); the UK shows the highest level of security concern (3.27).
So are we in a worse position?
The increased concern comes from greater visibility and awareness of what is actually going on: the scale and severity of the threats are more apparent. Those with their heads in the sand lack this awareness, which results in a complacent approach to the modern threat landscape.
“There are those who’ve been hacked…and those who don’t know” – John Chambers, CEO of Cisco at the World Economic Forum
But this is also the crucial benefit. Insider threats, spear phishers and APTs all leave anomalies in the network: trails of activity and communication that would not otherwise be there. Companies will not detect these anomalies unless they have two things:
1 – Knowledge of what normal activity looks like
2 – The analytics to detect any deviation from that normal
Understanding the baseline of what’s normal is easier said than done. The whole network needs to be seen and understood in a ‘normal’ state, and how often does that really exist?
It’s too much for one person, and difficult for many technology tools to achieve. You need every byte of log data collected together to establish that baseline. You then need to compare every byte of new information against it, in near real time.
The nature of some threats is that they cause a small anomaly on entry and then sit dormant in the network for weeks or months. They are hard to spot while dormant; it is only their entrance that causes a ripple.
Additional visibility and insight also help to protect against socially engineered attacks. If hackers have obtained genuine user credentials, their logins will look like the real thing. Their intentions, however, are malicious: at some point they will access a server or print documents that the legitimate user would not be expected to, or they will connect from a source that the user was not expected to come from. These anomalies can trigger action against the ‘authorised’ threat.
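The two requirements above (a baseline of normal activity, and analytics that flag deviation from it) and the credential-misuse case just described can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Quocirca or from Splunk. The log format, the field names, the user names and every log line are constructed for illustration, and the rule set (a new host, a new source address or a new action for a known user, or a user with no baseline at all) is one simple choice of deviation test, not the only one.

```python
import re
from collections import defaultdict

# Assumed log format, constructed for this example (not a real product's schema):
#   <ISO timestamp> user=<name> action=<login|read|print> host=<target> src=<source ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+)$"
)

# Constructed known-good period: what "normal" looks like for alice and bob.
BASELINE_LOGS = """\
2015-03-02T08:01:10Z user=alice action=login host=fileserver01 src=10.1.2.15
2015-03-02T08:03:44Z user=alice action=read host=fileserver01 src=10.1.2.15
2015-03-02T09:15:02Z user=alice action=login host=mail01 src=10.1.2.15
2015-03-03T08:02:31Z user=alice action=read host=fileserver01 src=10.1.2.15
2015-03-02T08:10:05Z user=bob action=login host=hr-db01 src=10.1.3.40
2015-03-02T10:22:18Z user=bob action=print host=printer02 src=10.1.3.40
2015-03-03T08:09:57Z user=bob action=login host=hr-db01 src=10.1.3.40
2015-03-03T11:40:12Z user=bob action=print host=printer02 src=10.1.3.40
""".splitlines()

# Constructed new events. alice's credentials are used at 02:13 from an address
# never seen for her, then against a server she has never touched; bob prints to
# an unexpected printer; carol has no history at all.
NEW_LOGS = """\
2015-03-04T08:00:59Z user=alice action=login host=fileserver01 src=10.1.2.15
2015-03-04T02:13:07Z user=alice action=login host=fileserver01 src=203.0.113.9
2015-03-04T02:14:30Z user=alice action=read host=hr-db01 src=203.0.113.9
2015-03-04T09:01:12Z user=bob action=print host=printer02 src=10.1.3.40
2015-03-04T18:45:00Z user=bob action=print host=printer07 src=10.1.3.40
2015-03-04T18:50:21Z user=carol action=login host=hr-db01 src=10.1.5.77
""".splitlines()


def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_baseline(lines, min_events=2):
    """Learn, per user, the hosts, source addresses and actions seen during the
    known-good period. Users with fewer than min_events lines are dropped:
    a baseline built from one or two events would flag almost everything."""
    seen = defaultdict(lambda: {"hosts": set(), "srcs": set(), "actions": set(), "n": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        b = seen[ev["user"]]
        b["hosts"].add(ev["host"])
        b["srcs"].add(ev["src"])
        b["actions"].add(ev["action"])
        b["n"] += 1
    return {u: b for u, b in seen.items() if b["n"] >= min_events}


def detect(baseline, lines):
    """Compare each new event with its user's baseline and return a list of
    (timestamp, user, reason) findings. A valid credential used in a way never
    seen before still stands out; that is the whole point of the baseline."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        b = baseline.get(ev["user"])
        if b is None:
            findings.append((ev["ts"], ev["user"], "no baseline for user"))
            continue
        if ev["host"] not in b["hosts"]:
            findings.append((ev["ts"], ev["user"], f"new host {ev['host']}"))
        if ev["src"] not in b["srcs"]:
            findings.append((ev["ts"], ev["user"], f"new source {ev['src']}"))
        if ev["action"] not in b["actions"]:
            findings.append((ev["ts"], ev["user"], f"new action {ev['action']}"))
    return findings


def run():
    """Build the baseline from the constructed good period and score the new events."""
    return detect(build_baseline(BASELINE_LOGS), NEW_LOGS)


if __name__ == "__main__":
    for ts, user, reason in run():
        print(f"{ts} {user}: {reason}")
```

Run stand-alone, the script flags five events: alice's login from 203.0.113.9, her read of hr-db01 (two reasons, new host and new source), bob's print to printer07, and carol's login. The first alice event and bob's usual print job match the baseline and stay silent. Two points carry over to real deployments: the baseline is only as trustworthy as the period it was learned from, which is why a user with too little history is excluded rather than scored, and the alert fires on the first deviating event, so the entrance ripple the article describes has to be retained long enough to be found when the rest of the intrusion surfaces.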
It’s a complex and changing environment of challenges. The next generation of threats, whether they arrive through on-the-ground social engineering or other methods such as spear phishing, are real, dangerous and difficult to pick up. Organisations need to take an analytics-based approach if they are to establish what ‘normal’ looks like and stand a chance of identifying the very faint fingerprints of an advanced threat.
Matthias Maier is Product Marketing Manager at Splunk