
Cybersecurity: Shifting the paradigm from prevention to incident response

(Image credit: Den Rise / Shutterstock)

Cybercrime will cost more than $6 trillion annually by 2021, according to an estimate by Cybersecurity Ventures. Data is the target, and Microsoft predicts that by 2020, data volumes online will be 50 times greater than today. The number of attacks is mind-boggling, and it is humanly impossible to defend against every unknown threat hurled at companies every minute.

For decades, organizations have focused their budget and resources on technologies like firewalls, anti-virus, intrusion prevention systems (IPS), and security information and event management (SIEM) platforms intended to detect and prevent security incidents. Given current levels of complexity and the growing attack surface driven by mobile and IoT, legacy strategies focused primarily on detection and prevention alone are no longer viable. The risks have become too high. Boards of directors and their CEOs must begin to drive an investment shift beyond prevention-related technologies alone. They must recognize that breaches are inevitable. They need technology and processes that focus on risk reduction through contextual data analysis and rapid incident response.

Measuring and Quantifying Risk

A primary challenge organizations face is the difficulty of quantifying risk and the disconnect between how risk is perceived by the boardroom and by the security operations team. The boardroom is concerned with macro-level risks to the brand such as regulatory fines, competitive disadvantage, loss of intellectual property, reputation erosion, litigation fees, insurance premium increases, and reduced customer satisfaction, while security operations typically view risk through a much narrower lens. Security teams often view risk in silos. They consider high-value assets they want to protect, evaluate technologies to protect those assets, make a choice, implement the technology, and move on to the next challenge. This model made perfect sense when the goal was to place best-of-breed prevention in front of assets deemed worthy of protection. However, it has produced fragmented data silos and, with them, massive volumes of disparate security-related logs and alerts.

Data Overload and Fragmentation

The deployment of various point security products has created the problems of data overload and fragmentation. Each point product ships with its own management interface, alert mechanism, and reporting engine. It is normal for these technologies to generate hundreds of thousands of alarms and log events per day. To make matters worse, the volume of false-positive alarms is overwhelming. Consider that every point security product deployed over the last decade is generating its own set of alarms and reports, and it quickly becomes apparent that this avalanche of fragmented data is impossible for a human to interpret in a meaningful way. About 10-15 years ago, in an effort to solve this problem, SIEM technology hit the scene.

The SIEM Revolution

SIEM vendors set out to eliminate the problems of massive log data volumes, security alarm overload, and high rates of false positives. SIEMs collect logs and data from multiple products and platforms. They aggregate and correlate the data to reduce false positives and deliver more reliable, prioritized security alarms. A high degree of data correlation gives better certainty that an event is real while allowing security events to be prioritized by severity. SIEMs have done a nice job over the years of providing a platform that filters out data noise and improves the accuracy of event detection, but they lack data context.

Context Leads to Faster Time-to-Resolution and Better Incident Response

All organizations strive to increase the speed and accuracy of event detection. Detection, however, is just the first step. Understanding that you have a problem and knowing what to do about it are two very different things. Detection simply raises the question, “Now what do I do?” After detection comes incident response. Effective incident response requires defined roles, responsibilities, and a set of initial actions (who does what). With a process of engagement outlined, the analysis of available data becomes the next critical component. This is where traditional technologies and security strategies fail. Log events provide very limited context. They indicate that something occurred, but only from a single point of reference. For faster time-to-resolution, analysts require context so they can answer who, what, where, when, why, and how. They need the ability to see every conversation on the network and associate data all the way from layer 2 to layer 7. This includes source and destination IP address, username, protocol, application, web domain, SSL certificate, DNS record, and so on. Context comes from the ability to stitch together, pivot on, and report against thousands of data elements relating to every network conversation and transaction.

Flow and Metadata from the Existing Infrastructure

The good news for organizations is that this rich data already exists within the infrastructure they have purchased and deployed. Switches, routers, firewalls, probes, hypervisors, and other components of the network infrastructure natively gather flow-related data and can export it via protocols like NetFlow versions 5 and 9, sFlow, J-Flow, and IPFIX. This flow data and metadata can be centrally collected for correlation, visualization, analysis, and reporting. The key difference between a flow/metadata collector and a SIEM is the richness of the data context it provides. Analyzing flow and metadata details at the beginning of an incident response process leads to faster root cause analysis. Insight into incident-related information such as timestamps, device details, and the usernames of those involved, combined with SIEM integration, enables the dynamic correlation of log-related details.
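As an added illustration (not code from the article or from Plixer's products), the following Python sketches the pivot described here and in the previous section: starting from a single SIEM alert, pull the flow records around it from a collector and attach username and DNS context so the responder can answer who, what, where and when. All flow records, IP addresses and lookup tables are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): flow records as a collector would
# hold them after decoding NetFlow v9 / IPFIX, plus two enrichment tables.
FLOWS = [
    {"ts": "2024-03-01T10:14:05", "src": "10.1.5.23", "dst": "203.0.113.7",
     "dport": 443, "proto": "tcp", "bytes": 1_450_000, "app": "https"},
    {"ts": "2024-03-01T10:14:40", "src": "10.1.5.23", "dst": "203.0.113.7",
     "dport": 443, "proto": "tcp", "bytes": 2_300_000, "app": "https"},
    {"ts": "2024-03-01T10:15:10", "src": "10.1.5.23", "dst": "10.1.0.53",
     "dport": 53, "proto": "udp", "bytes": 180, "app": "dns"},
    {"ts": "2024-03-01T12:00:00", "src": "10.1.5.23", "dst": "198.51.100.9",
     "dport": 80, "proto": "tcp", "bytes": 900, "app": "http"},   # outside window
    {"ts": "2024-03-01T10:14:50", "src": "10.1.7.44", "dst": "203.0.113.7",
     "dport": 443, "proto": "tcp", "bytes": 12_000, "app": "https"},  # other host
]
USER_BY_IP = {"10.1.5.23": "jdoe", "10.1.7.44": "asmith"}   # e.g. from DHCP / AD logon events
DNS_BY_IP = {"203.0.113.7": "files.example-cdn.test"}        # e.g. from DNS flow records

def enrich_alert(alert, flows, window_minutes=5):
    """Pivot from one SIEM alert (a single point of reference) to the flows
    around it, returning who / what / where / when for the responder."""
    t0 = datetime.fromisoformat(alert["ts"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    related = sorted(
        (f for f in flows
         if f["src"] == alert["src_ip"] and lo <= datetime.fromisoformat(f["ts"]) <= hi),
        key=lambda f: f["ts"])
    by_dst = {}                       # aggregate per destination: volume, count, apps seen
    for f in related:
        d = by_dst.setdefault(f["dst"], {"bytes": 0, "flows": 0, "apps": set()})
        d["bytes"] += f["bytes"]
        d["flows"] += 1
        d["apps"].add(f["app"])
    return {
        "who": USER_BY_IP.get(alert["src_ip"], "unknown"),
        "when": (related[0]["ts"], related[-1]["ts"]) if related else None,
        "where": {ip: DNS_BY_IP.get(ip, ip) for ip in by_dst},   # resolve name if known
        "what": {ip: {"bytes": d["bytes"], "flows": d["flows"], "apps": sorted(d["apps"])}
                 for ip, d in by_dst.items()},
        "total_bytes_out": sum(f["bytes"] for f in related),
    }

# Constructed alert, as a SIEM might forward it: a timestamp and a source IP, nothing more.
ALERT = {"ts": "2024-03-01T10:15:00", "src_ip": "10.1.5.23", "rule": "IPS: suspicious outbound TLS"}

if __name__ == "__main__":
    import json
    print(json.dumps(enrich_alert(ALERT, FLOWS), indent=2, default=str))
```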

The Paradigm Shift Is On

Prevention and detection technologies alone have failed. Breaches are inevitable. From the boardroom to the security operations team, mindsets and investment strategies must shift to include incident response. The risks run much deeper than the loss of data alone. Organizations face regulatory fines, competitive disadvantage, loss of intellectual property, reputation erosion, litigation fees, insurance premium increases, reduced customer satisfaction, and many other negative business outcomes. Reducing time-to-resolution is critical to a company’s ability to mitigate the many negative results associated with security incidents.

Bob Noel, Director of Strategic Relationships and Marketing for Plixer


Bob Noel
Bob Noel holds the position of Director Strategic Partnerships and Marketing for Plixer. Bob has 20 years of experience in networking and associated technologies with Cisco, Cabletron, Extreme Networks, and Plexxi.