GUEST ESSAY: A case for moving beyond SIEMS, UEBAs to ‘real-time threat hunting’

By Rick Costanzo

Understanding today’s cybersecurity landscape is complex. The number of threats aimed at enterprises is staggering. More than 230,000 new malware samples are launched every day. The average small and medium-size business experiences a cyber attack 44 times every day. And the cost of damage directly related to cybercrime is adding up, expected to reach $6 trillion by 2021, according to Cybersecurity Ventures.


The painful impact of cyber attacks on businesses is worsening despite advances in technology aimed at protecting enterprises from malicious network traffic, insider threats, malware, denial of service attacks and phishing campaigns.

This has left many CISOs questioning if today’s incumbent cybersecurity solutions are enough.

Categorizing solutions

Over the past decade, cyber security solutions have evolved into specific categories of solutions. Grouping similar items into categories serves a particular purpose. They help compartmentalize. They help rank. They help compare.

For example, sports cars represent an entirely different category of vehicles than luxury vehicles. It is easier to compare features and capabilities of one sports car with another sports car than it is to compare a sports car with a luxury vehicle.

Categories of cybersecurity solutions, like many categories in IT, have been defined by third parties. Many vendors devote significant resources to be highly positioned in coveted reports issued by these third parties. However, the reality is many of these third parties are interested observers. They are not on the front lines fighting the cybersecurity battle.

This has left many CISOs to question whether today’s cybersecurity categories are still relevant.

Categories of vehicles are somewhat easy to define: Luxury, Sports, SUVs, Minivans, Family Sedans, Pickup Trucks, Hybrid. You see a car and know what category it belongs in based on its attributes and capabilities.

Similarly, cyber security solutions are anchored in two major categories based on capabilities.

Some vendors position themselves in the User and Entity Behavior Analytics (UEBA) category. UEBA aims to identify patterns and detect anomalous user behavior to identify potential security issues.

Other vendors position themselves in the Security Information and Event Management (SIEM) category. SIEM vendors collect and analyze information on networks, devices and users to identify security threats.

UEBA vs SIEM

Striving for leadership in categories has left many vendors focused on third party accolades at the expense of arming security analysts with the tools needed to combat today’s growing list of threats. Many of these strictly defined categories are limiting in identifying and preventing today’s new crop of cyber attacks.

UEBA stops at analytics. It requires additional work to determine what is happening beyond the static data taken at face value. The required additional queries are complex, and there is an extreme shortage of people (upwards of two million) with the skills to take this next step.

UEBA is similar to a family of six traveling cross country in a compact hybrid car. It may get them there, but there will be no room for luggage.

SIEMs were great five years ago for solving compliance and logging, but it is now practically impossible to apply behavioral analytics to what they are doing. It requires a massive architecture overhaul.

Using SIEMs to address today’s increasing list of attacks is akin to attempting to retrofit a minivan with a Ferrari engine.

New approach needed

CISOs need to change the conversation. Existing UEBA and SIEM solutions may still serve a purpose, and investments in them should be protected. However, it has become apparent that they are no longer sufficient to protect enterprises from a growing list of threats.

CISOs need to drive the creation of a new category with the tools required to protect their enterprise. It is the car that is perfect for them, which may be different from what is perfect for another organization.

Security analysts need proper context to hunt threats in real-time. Protection from unknown and internal threats is critical. Scalability is paramount as more devices are connecting to the enterprise. These capabilities include:

• Real-time threat hunting. Each new cyber attack is more sophisticated than the last, leaving traditional security measures unable to spot the next threat. Security analysts need the ability to view attacks as they unfold by enriching data collected from across the business with contextual and behavioral insights.

• Active learning. Tools need to become smarter and more efficient over time. Active learning allows analysts to record feedback and apply that action to similar alerts, helping to increase threat hunting accuracy and reduce the number of false positives generated by most AI tools.

• Enterprise scale. 20.4 billion connected things are expected to be in use by 2020. More devices connected to your network make security scalability a critical capability for enterprises as they plan today for tomorrow’s challenges.

• Contextualization. Security analysts will build on the work of AI, machine learning, and behavioral analytics by making the data more consumable and understanding risk thresholds based on context. This will help assemble and interpret the signals needed to hunt and assess threats faster and with high precision.

• Flexibility. Tools need to be installed quickly into existing environments, whether in the cloud, on-premises, or a hybrid of the two.

Security analysts need to be armed with the right tools, powered by AI, to tackle today’s most advanced cyber attacks. These tools are required to turn really smart threat detectives, who replay how an attack took place so it can be prevented in the future, into aggressive threat hunters capable of preventing attacks before they occur. This requires a new way of thinking: a combination of AI and other new capabilities that are set apart from the stagnant categories.

(About the essayist: Rick Costanzo is the CEO of Rank Software, which supplies advanced security intelligence and analytics platforms.)
