If headlines fully reflect reality, the odds are rather poor that a data centre can be fully protected from a data breach. A study from Lloyd’s shows that over 90% of European companies have suffered a data breach at some point over the past five years. Even at the broadly focused World Economic Forum held early this year, cybercrime was regarded as one of the greatest threats to business around the world. In addition, according to a survey conducted at the recent IP Expo Europe, 89% of UK IT decision-makers worry about being a victim of a data breach.
Consider that the industry average for the length of time it takes an organisation to uncover a data breach is still roughly five months. That means that an internal or external attacker can work in complete stealth, methodically learning about the resources and assets available through an organisation’s network and then stealing or damaging them. Five months gives an attacker a generous amount of time—perhaps an extraordinary amount of time—to go about their business with a very high level of success. It is also reflective of the utter failure of traditional security in thwarting a breach.
The truth is that few data centres are protected from a data breach. Most companies will not be able to detect an attacker’s initial intrusion, and fewer still will be able to catch an attacker at work once he or she has gained a foothold in the network.
Why are the odds of being able to protect a data centre so poor? There are a number of important factors. First of all, the reality is that a motivated attacker will be able to get into any given network. There are far too many ways for an attacker to get in, particularly by way of compromising a user’s computer or account. Getting in is a certainty, and this is a hard notion for security professionals to accept. Gartner and most crime-fighting organisations around the world agree on this point: attackers will get in.
Most attempts to break into a network can be successfully defended against—perhaps upwards of 95 or even 99 percent—but that leaves open the possibility that a dedicated attacker will find a way in through the remainder. Attackers have a nearly unlimited number of attempts at breaking in. One of them will succeed, whether by social engineering, by guessing or brute-forcing a password, or through malware loaded onto a computer by a drive-by download on a reputable website.
If a security team can accept that an attacker will get in, they need to accept that the challenge shifts to one of detecting an active attacker as quickly as possible. Herein lies another major issue. Few companies today have the capability to detect an active attacker on their network or in their data centre. This is why the average discovery time is so long. The reasons for this lapse are multifold. First, companies are likely looking for the wrong thing. Once an attacker lands in a network, they will use various networking and administrative tools and routines to conduct reconnaissance and lateral movement. They will rarely use malware. Yet most security systems are primarily focused on malware, and so they miss the two types of activity, reconnaissance and lateral movement, that take the attacker the most time and steps to reach a goal.
Other security systems may be capable of finding elements of attacker activity, but these signals will almost certainly be buried under a flood of security alerts dominated by a high percentage of false positives. Whether a security professional finds a meaningful alert is mostly a matter of sheer chance. It’s the classic “needle in the haystack” problem.
It is not uncommon for organisations to receive five hundred or a thousand security alerts a day, sometimes quite a bit more. The vast majority of these will be useless. This could be considered an issue of ‘noise’, but there is a parallel issue. The other problem is the difficulty of seeing multiple events that, alone, are not suspect but, seen together, reveal the carefully orchestrated steps of an active attacker. A further problem is distinguishing the legitimate use of an application or activity from a malicious one. For instance, remote access tools may play an important role in the company, but they could also be utilised by an attacker.
Solving these issues requires a major shift in the way we do security. Traditional security is based on experiencing a threat and then developing a way to identify and stop it. This approach simply does not work when it comes to a human-led attack. A new approach eschews the reactive, artefact-based approach of the past. Instead, by profiling users and devices on a network and establishing a baseline of known good or normal, it is possible to see the anomalous operational behaviour of an attacker. By knowing how users and devices normally behave, attacker activities stand out.
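The two ideas above, a per-user baseline of normal behaviour and the correlation of individually unremarkable events into one orchestrated sequence, are shown together in the following added example. It is illustrative code written for this article, not a product or a vendor's implementation, and the log lines, user names, host names and event types are all constructed. A learning window builds each user's normal event types, hosts and working hours; live events are then tagged with whichever of those they violate, and tags for the same user within a one-hour window are chained so that an alert fires only when several different kinds of anomaly coincide. Note that the administrator's routine remote access to his usual hosts produces no alert at all, which is the legitimate-versus-malicious distinction the text raises.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the article): "timestamp,user,event,host".
# BASELINE_LOG is the learning window; LIVE_LOG is what we then monitor.
BASELINE_LOG = """\
2023-03-01T09:12:00,alice,logon,ws-alice
2023-03-01T09:30:00,alice,file_access,fs-finance
2023-03-02T09:05:00,alice,logon,ws-alice
2023-03-02T10:10:00,alice,file_access,fs-finance
2023-03-01T08:50:00,bob,logon,ws-bob
2023-03-01T09:00:00,bob,admin_tool,db-01
2023-03-01T11:00:00,bob,remote_access,db-02
2023-03-02T09:10:00,bob,logon,ws-bob
2023-03-02T14:00:00,bob,admin_tool,db-02
2023-03-02T15:20:00,bob,remote_access,db-01
"""

LIVE_LOG = """\
2023-03-15T09:03:00,bob,logon,ws-bob
2023-03-15T09:40:00,bob,admin_tool,db-01
2023-03-15T10:05:00,bob,remote_access,db-02
2023-03-15T02:11:00,alice,logon,ws-alice
2023-03-15T02:14:00,alice,admin_tool,ws-alice
2023-03-15T02:20:00,alice,remote_access,db-01
2023-03-15T02:31:00,alice,file_access,fs-hr
2023-03-16T09:20:00,alice,logon,ws-alice
2023-03-16T09:45:00,alice,file_access,fs-finance
"""


def parse(log):
    """Turn the CSV-style text into event dicts with a real datetime."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, host = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "host": host})
    return events


def build_baseline(events):
    """Per user: event types, hosts and the hour-of-day range seen while learning."""
    base = defaultdict(lambda: {"events": set(), "hosts": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["events"].add(e["event"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return base


def anomalies_for(event, baseline):
    """Tags describing how one event departs from its user's baseline ([] = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown_user"]
    tags = []
    if event["event"] not in b["events"]:
        tags.append("new_event_type")
    if event["host"] not in b["hosts"]:
        tags.append("new_host")
    if not (min(b["hours"]) <= event["ts"].hour <= max(b["hours"])):
        tags.append("off_hours")
    return tags


def correlate(events, baseline, window=timedelta(hours=1), min_distinct=3):
    """Chain each user's anomaly tags within `window`; alert once the chain
    spans `min_distinct` different kinds. A lone tag never alerts on its own."""
    chains = defaultdict(list)  # user -> [(ts, tag, host)]
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        tags = anomalies_for(e, baseline)
        if not tags:
            continue
        chain = chains[e["user"]]
        chain[:] = [c for c in chain if e["ts"] - c[0] <= window]  # expire old
        chain.extend((e["ts"], t, e["host"]) for t in tags)
        kinds = {t for _, t, _ in chain}
        if len(kinds) >= min_distinct:
            alerts.append({"user": e["user"], "start": chain[0][0], "end": e["ts"],
                           "kinds": sorted(kinds),
                           "hosts": sorted({h for _, _, h in chain})})
            chains[e["user"]] = []  # one campaign -> one alert, then start over
    return alerts


def run():
    """Learn from BASELINE_LOG, then score LIVE_LOG; returns the chained alerts."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return correlate(parse(LIVE_LOG), baseline)


if __name__ == "__main__":
    for a in run():
        print(f"{a['user']}: {a['kinds']} across {a['hosts']} "
              f"between {a['start']:%H:%M} and {a['end']:%H:%M}")
```

Running it yields a single alert for `alice`: an off-hours logon, then a tool she never uses, then remote access to a host she has never touched. Each of those three events would be dismissed in isolation, and the later `fs-hr` access, which follows the alert, is only two kinds deep and stays quiet. Thresholds like `min_distinct` and `window` are the tuning knobs that trade alert volume against the risk of missing a slower attacker.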
With traditional security, a data centre is always vulnerable to an attack. By taking a new behavioural-based approach, attackers can be caught early before they can achieve their end goal—finding and stealing or destroying valuable data in the data centre.