1 Introduction
Detecting and managing attacks on IT systems is a serious problem. Cyber criminals are using increasingly sophisticated techniques to infiltrate organizational IT systems to commit crimes including data theft, denial of service and blackmail. However, statistics show most data breaches are detected by agents outside of the organization rather than internal security tools.
Traditional perimeter security devices like firewalls, IDS (Intrusion Detections Systems) and IPS (Intrusion Prevention Systems) are widely deployed. These tools are effective at controlling certain kinds of weaknesses for known threats, patterns and signatures. They also generate alerts when suspicious events occur; however, the volume of these events is such that it is almost impossible to investigate each as they occur. While these devices remain an essential part of the defence for the agile connected business, they are not able to detect a range of threats including the use of compromised credentials, insider threats, data exfiltration, access misuse and zero-day attacks.
SIEM (Security Information and Event Management) is often promoted as a solution to these problems. However, SIEM is just a set of tools that can be configured and used to analyse event data after the fact and to produce reports for auditing and compliance purposes. While SIEM is a core security technology it has not been successful at providing actionable security intelligence in time to avert loss or damage.
External attacks now involve a complex process, often including an element of social engineering, which exploits compromised or illicit user credentials to gain access to data. This is partly because of the strength of conventional network defences against direct frontal attack, and also because the use of apparently legitimate credentials bypasses other security controls like encryption. Furthermore, insider threats continue to be a real problem and these invariably involve the misuse of access rights. For these reasons identity and access controls have become the new perimeter.
The most effective way of detecting illegitimate access to data is through the monitoring of user identity, access and activity. Even more importantly, better access governance is essential to reduce the risks of data theft. Some traditional SIEM vendors are starting to include analysis of user activity logs in their products. However, recognizing what is abnormal versus normal remains a problem. Big Data machine learning technology provides a potential solution to this by identifying identity, access and activity patterns that are common among peer groups of users.
What is needed is the integration of user identity, access and activity analysis into cyber-defence to enhance threat prediction and detection as well as to enable remedial action to be taken before damage is done. This requires techniques taken from big data infrastructure and business intelligence machine learning to analyse the massive amount and variety of data from the many sources to raise alarms only where there is a high confidence that the threat from the anomalies detected is real.
The volume of threats to IT systems, their potential impact and the challenges in discriminating between real threats and false alarms are the reasons why a new approach is needed. The need to calibrate what is normal to reduce the signal-to-noise ratio in order to detect anomalies remains a challenge and accomplishing this using bespoke rules within some tools requires considerable skill. It is important to look for a solution that can easily build on the knowledge and experience of the IT security community, vendors, and service providers. End user organizations should always opt for solutions that include managed services and pre-configured analytics, not just bare tools.