Like any other growth industry, cyber-crime has a supply chain. Attackers carefully craft their toolsets, testing them and perfecting them before launching the finished version at key targets in wealthy nations. Across the globe new strains of malware designed to bypass an enterprise’s defences in unexpected ways are constantly being invented, creating a nightmare situation for analysts working in high-value organisations. The last 24 months alone have seen numerous variations of this, with viruses such as Hummingbird, XcodeGhost and Shamoon all crossing geographies to find new prey.
In trying to defend against so many new threats, security teams risk fighting a losing battle, never able to gain the upper hand. In order to combat this problem enterprises need to rethink their security strategy, focusing less on the latest new malware and more on the internal health and readiness of the organisation. Yet doing so is not a task for humans alone. To give analysts the support and visibility they need, enterprises need to look at intelligent, automated technology.
Defending the impossible
With a virtually limitless range of threats to guard against, human analysts are simply overwhelmed. While attackers have the leisure to perfect attacks and strike whenever they like, defenders end up running from pillar to post trying to put out fires across the board. The result is a terrible mismatch: attackers only need to get lucky once for an attack to be successful, while security teams must perform flawlessly all the time. This not only means that a successful attack is inevitable given enough time, but also that analysts end up burnt-out through the fatigue caused by the continuous onslaught. By refocusing on understanding what is happening inside the organisation, analysts can escape this cycle and concentrate on knowing if and how an attacker might have infiltrated the business.
Yet even after reducing the scope from every single potential risk in the global threat landscape to those most relevant, analysts are still faced with a high volume of issues and a complex set of challenges to manage. Think about all the activity an organisation of 5,000 people can generate in a single hour. How many emails are sent, devices used and gigabytes of data stored? Each action represents a potential risk, yet no human can possibly process the amount of data needed to spot anomalies as they occur.
What counts as normal?
Automating security analytics reduces the scale of this problem by establishing a baseline of what constitutes ‘normal’ behaviour for any device or user, monitoring for any changes or suspicious activity, and alerting analysts when something unusual occurs. This means security teams can start to focus on identifying and instantly responding to anything flagged up as suspicious rather than fire-fighting every possible alert.
Analytics reduces the workload, but any large organisation could have thousands of ‘unusual’ activities that such a system could identify. Many will not be threats at all, and analysts cannot afford to spend time investigating each one in turn. To prevent detective controls from simply overwhelming analysts in new ways, enterprises need to combine automation with intelligence and machine learning.
Learning to automate
Not all security alerts are equal in priority or impact. There is a world of difference, for instance, between an office worker logging on from home and a deleted file opening itself from the recycling bin. Intelligent systems, which can adapt their behaviour based on previous experience and reactions, can learn which events are most likely to represent a real risk. By doing so, they can learn which events analysts need to be warned of first, allowing far more effective prioritisation and time management.
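The two ideas above, a per-user baseline of ‘normal’ that flags deviations, and a learned weight that ranks a home logon below a file executing from the recycle bin, can be sketched in a few lines. This is an added illustration, not code from the article or any product; the telemetry, hosts and analyst verdicts are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample telemetry (not from any real system): (user, hour, host, event_type)
BASELINE = [("alice", h, "ws-alice", "logon") for h in (8, 9, 9, 10, 17, 18)] + \
           [("bob", h, "ws-bob", "logon") for h in (7, 8, 8, 9, 16)]
NEW_EVENTS = [
    ("alice", 9, "ws-alice", "logon"),               # routine, matches baseline
    ("alice", 23, "home-laptop", "logon"),           # odd hour, unseen host
    ("bob", 3, "ws-bob", "exec_from_recycle_bin"),   # odd hour, rarely benign
]
# Constructed analyst verdicts on earlier alerts per type: (true positives, alerts raised)
FEEDBACK = {"logon": (2, 40), "exec_from_recycle_bin": (9, 10)}

def build_profiles(events):
    """Baseline of 'normal' per user: hours seen active and hosts used."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for user, hour, host, _ in events:
        profiles[user]["hours"].add(hour)
        profiles[user]["hosts"].add(host)
    return profiles

def anomaly_score(profile, hour, host):
    """0..2: +1 if the hour is not within one hour of any baseline hour, +1 for an unseen host."""
    score = 0
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        score += 1
    if host not in profile["hosts"]:
        score += 1
    return score

def type_weight(feedback, event_type):
    """Learned weight: Laplace-smoothed precision of past alerts of this type."""
    tp, total = feedback.get(event_type, (0, 0))
    return (tp + 1) / (total + 2)

def triage(baseline, events, feedback):
    """Rank new events by anomaly * learned weight; drop events that match the baseline."""
    profiles = build_profiles(baseline)
    ranked = []
    for user, hour, host, etype in events:
        score = anomaly_score(profiles[user], hour, host)
        if score:
            ranked.append((round(score * type_weight(feedback, etype), 3), user, etype))
    return sorted(ranked, reverse=True)

def record_verdict(feedback, event_type, was_real):
    """Analyst closes an alert; the type's weight adapts for next time."""
    tp, total = feedback.get(event_type, (0, 0))
    feedback[event_type] = (tp + int(was_real), total + 1)
    return feedback[event_type]

if __name__ == "__main__":
    for priority, user, etype in triage(BASELINE, NEW_EVENTS, FEEDBACK):
        print(f"{priority:.3f}  {user:6s} {etype}")
```

Run as-is, the recycle-bin execution ranks first, the out-of-hours home logon second, and the routine logon is never raised; each closed alert feeds back into the weight for its type.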
Ultimately, investigating and solving the threat will have to be done by humans: it is unlikely that any system will be intelligent in the true AI sense, or creative enough to do so. Yet by simply allowing analysts to prioritise threats, intelligent automation grants security teams the capacity to reclaim their time. This time can then be spent on proactive steps to strengthen organisations’ defences. Even actions as simple as patching out-of-date software and replacing expiring encryption certificates can prevent some attacks, yet are easily overlooked if analysts are locked into responding to the constant stream of potential threats.
There will always be some new type of threat cooked up by malicious cyber-criminals. It took less than three days after WannaCry recently spread globally for new and different strains to emerge. A thousand security analysts couldn’t cover all the possible angles that attackers can exploit, and trying to do so is futile. Intelligent automation offers an alternative, where analysts can stop worrying about the vicious new malware strains emerging and instead devote their attention to immediate threats and improving the overall defence posture of the enterprise.