Cybersecurity: Lessons From the Field

The questions any company should ask when investing in an analytics solution


If cybersecurity were a narrative, it would unfold in three acts.

The first act was roadblocks such as firewalls and virus detectors, which purported to catch or dissuade thieves. Ultimately, they fell short: Crime is persistent, and its culprits are enterprising. These tools could not account for what they had never seen.

Then came the SIEM, which was pitched as a panacea that could ingest copious amounts of data, aggregating multiple logs. Ill-equipped to keep up with big data’s stunning growth spurt, SIEMs have instead become synonymous with false alerts. Security teams have been left guessing which alerts warrant investigation, then instigating a pricey forensics process for the details.

This has culminated in analytics: automated solutions that baseline entity behavior (accounts, files, applications, machines) to locate, prioritize, and contextualize threats. If you look closely, we’re past the stage of problem-solving here, facing an expanse of stability and growth.

First-to-market products have taught us that swiftness, accuracy, and intelligence of detection greatly vary by method. Some tools have addressed the concerns with a band-aid approach; others have innovated past those limitations. Finding the latter is every enterprise’s challenge.

Today’s platform is more than a solution to an immediate problem; it’s an investment that must grow with your company. Based on feedback from customers wanting to upgrade their first-generation analytics, we’ve come up with four questions every company should ask itself while exploring a security solution.

Does It Require Thresholds?
If a product claims to use machine learning, it won’t lean on thresholds to determine anomalous behaviors. Thresholds are rigid, eliciting false positives and requiring updates based on personnel and business changes. Principled machine learning, in contrast, eliminates the need for rules. This type of analytics platform grows even more accurate, because it never stops learning.
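To make the threshold-versus-baseline contrast concrete, here is an added illustration (not Interset’s code or method) that uses a simple per-account statistical baseline as a stand-in for the learned behavioral baseline described above. The account names and daily file-access counts are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample: daily count of files accessed per account (not real data).
# "alice" is an analyst who routinely touches many files; "bob" rarely does.
HISTORY = {
    "alice": [180, 210, 195, 205, 190, 220, 200],
    "bob": [12, 9, 15, 11, 10, 13, 14],
}

# Today's counts: normal for alice, five times bob's usual volume.
TODAY = {"alice": 215, "bob": 60}

STATIC_THRESHOLD = 100  # the kind of fixed rule the text warns against


def static_threshold_alerts(today, threshold=STATIC_THRESHOLD):
    """Fixed rule: alert on any account whose count exceeds one global threshold."""
    return {acct for acct, n in today.items() if n > threshold}


def build_baselines(history):
    """Per-entity baseline: mean and std-dev of each account's own history.
    Re-running this as new days arrive is how the baseline keeps learning."""
    return {acct: (mean(vals), pstdev(vals)) for acct, vals in history.items()}


def baseline_alerts(today, baselines, z=3.0, min_sigma=1.0):
    """Alert when today's count sits more than z standard deviations above the
    account's own baseline. min_sigma floors the spread so a very regular
    account does not alert on trivial day-to-day variation."""
    alerts = {}
    for acct, n in today.items():
        mu, sigma = baselines[acct]
        score = (n - mu) / max(sigma, min_sigma)
        if score > z:
            alerts[acct] = round(score, 2)
    return alerts


def compare(today=TODAY, history=HISTORY):
    """Return both detectors' verdicts so the difference is visible side by side."""
    return {
        "static": static_threshold_alerts(today),
        "baseline": baseline_alerts(today, build_baselines(history)),
    }


if __name__ == "__main__":
    print(compare())  # static flags alice (false positive) and misses bob
```

The static rule fires on the busy analyst and stays silent on the account that jumped to five times its norm; the per-entity baseline does the reverse, and it adapts as each account's history grows.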

Does Its Software Need Customization?
Customization involves expensive data-science expertise and software coding. Over time, custom-built deployments require additional fees for recoding. Look for an extensible analytics engine that covers multiple use cases as a mature, out-of-the-box product—and then adds data sources and analytic models to continually expand threat coverage.

Does It Treat Use Cases Uniquely?
Applying the same analytics to different use cases has failed some companies, because the threat indicators differ. Analytic models built for different data classes account for actions at different stages of an attack (privilege escalation, reconnaissance, data staging, and so on). This provides visibility: viewing threats from different surfaces and stages, while comparing one anomalous event to another. In one case, an Interset client connected AD, endpoint, and IP repository data for clear insight into an insider threat and an account compromise.

Is It Built on Big-Data Architecture?
We’ve learned that, within a year of deployment, enterprise data loads can increase five times or more. A security platform may store data in Hadoop or offer Elasticsearch, but it must compute in spaces such as Hortonworks’ or Cloudera’s big-data environments. One of our clients, for instance, processed 15 times the amount of anticipated data in just six months. Which is to say: Big-data infrastructure is essential not only to any deployment that’s large in scale, but also to any enterprise invested in its growth.