7 Steps to Automating Cyber Threat Detection and Analysis
Why are so many breaches continuing to occur without let up after several years of headlines? Are the attackers that smart, or are businesses not putting the proper focus on the problem?
Perhaps the best way to answer is to start with the bottom line and defining the concept of risk:
Step 1: Determining Value
Intellectual property for certain industry verticals can be extremely valuable. For these companies, it is fairly easy to look at market valuations and attribute a reasonable percentage to that value. Client and patient records are also highly valuable – for healthcare providers and insurers, HIPPA violations have fines for data loss that range up to hundreds of dollars per record. While not all industry verticals have well-established values, most organizations have the means to determine the value of such information. It often comes down to valuating data loss, in real, as well as, opportunity costs.
For the Fortune 5000, the argument can be made by reviewing recent – data – severe breaches can tally in costs to millions of dollars.
Step 2: Probability of a Breach
The next portion of the equation is the probability of breach. This is where perception and reality seem to diverge. While most businesses know there is a probability of breach, many believe that if they are not a Fortune 500 firm, the probability is lower that they will be the target of attack. This ignores several facts. First, is that most breaches are more often driven by opportunity than focus. Phishing attacks are good examples – they cast out emails by the millions looking for responses, regardless of organization size.
The Verizon Data Breach Industry Report shows there are thousands of confirmed breaches every year. The 2016 report indicates 3,141 confirmed worldwide breaches. The numbers are likely much higher as many breaches do not get reported or go undetected.
Cyber Risk Equation – Putting It All Together
Cost of Data Loss x Probability of Such Loss/Year = Yearly Cyber Risk
Example: Small healthcare provider
$500/patient record x 2000 records x 40% probability of breach = $400,000 yearly risk
As this example shows, the risk is high even for mid-sized enterprises and reaches to the millions/year for the smallest of the Fortune 5000.
Mitigating Risk of Data Loss from a Breach
We have security staff and tools already in place so aren’t we protected?
Enterprise Strategy Group recently completed research that surveyed 125 IT/cybersecurity professionals with responsibility for incident response at their organizations, and made an unsettling discovery. Even with significant investment in information security solutions, nearly 74 percent of those surveyed reported that security events/alerts are simply ignored because their teams can’t keep up with the suffocating volume.
These are organizations with SOC staff and sophisticated security equipment.
The point is, no matter how well equipped, today’s organizations are lacking the security talent and resources necessary to fight relentless, increasingly sophisticated attacks.
While many cybersecurity technology tools exist today to help the enterprise detect threats, the challenge is that they are:
- Require complex, detailed-training and sophisticated staff to leverage them effectively; and
- Even with explicit training, systems generate prolific alerts, which limited staff cannot physically analyze in a timely enough manner to stop or prevent the threats from inflicting damage.
This cybersecurity model is no longer sustainable. A holistic automated approach is required. Ideally allowing security analysts to be taken out of the detection role, and back to proactively improving the security posture of the organization.
Automating Threat Detection and analysis – The 7-step Program
Step 1: Monitor everything
The best way to protect everything is to monitor everything. Unfortunately, today’s answer is the complex, siloed approach outlined above, which makes this a human-intensive effort.
Step 2: Build a system that can automatically detect every form of attack – DDoS, brute-force, compromised credentials, malware, insider threats and APTs. You need to detect it all under one application if it’s going to be effective.
Step 3: Improve the means of detecting attacks and avoiding false positives. This requires a combination of intelligent data collection and analysis, threat modeling, machine learning and advanced correlation techniques.
Step 4: Detect the threats in real-time – within minutes as they develop. This is critical – the faster an attack is detected, the exponential decrease in data loss.
Step 5: Simplify what’s reported. One clear concise alert that gets updated is better than hundreds of messages regarding the same underlying issue.
Step 6: Send notification of critical alerts automatically via email and texts. Stop the need to continuously watch screens. Screen watching is costly and difficult to do well continuously.
Step 7: Contain the threat – automatically from within the same application. Taking action to stop the threat is the most critical step using an automated approach to detect and contain the threat.
By following these steps, threat risk can be dramatically reduced. Of course, the right system is needed to make this practical. The good news is that a new era of cybersecurity solution providers is now delivering such systems.