Is Your Security Team Being Set Up for Success?

Their endpoint-security software may be doomed to falter on its own. But it will thrive in a centralized environment.


A former CIA agent, Kevin Mallory, was recently arrested on charges of spying for China. Sources report that he compromised classified information through written notes, a device (thought to be a mobile phone), and possibly a memory stick.

Whether or not an enterprise is subject to international espionage, most companies are legitimately concerned about activity on their systems involving cybercriminals' most common getaway vehicles. Much of this awareness reached an apex six years back, when the Ponemon Institute conducted a study that found 70% of companies attributed a data breach to USB drive activity.

The healthcare sector, for instance, has been voicing concern for years about malicious and negligent use of memory sticks. The latest example of this type of data breach involves a life-insurance company paying $2.2 million in fines to the Department of Health and Human Services.

As a result, many companies have gravitated towards endpoint-sensor agents to nab USB-drive theft. But we’re now learning that there are holes in that strategy, too.

A recurring problem is that these endpoint agents are beholden to rules. (Rules and thresholds, as we've seen all too frequently with SIEM systems, can hinder security teams with alert overload and missed risks.) One agent may look for file attacks. Another may focus on malware. And still another may specialize in patch management. Running too few of them creates security gaps. Piling them on can complicate a company's security posture through sluggish, convoluted detection and response protocols.

As a response, single-point vendors have been elbowed out by more advanced vendors that address multiple use cases. Still, the larger problem with endpoint-monitoring products is that by the time security teams spot data exfiltration, the attack is probably already well under way. Experts have pointed out how the actions of Edward Snowden would have been far less impactful had analytics-based insider-threat protection been deployed to protect NSA networks.

That's why enterprises are increasingly embracing security analytics, some of which are extensible enough to integrate with other security technology. These entity-based solutions prioritize threats by looking, concurrently, at the behavior of entities (users, files, devices). This multidimensional visibility swiftly spots anomalies: someone accessing a server they don't normally use, escalating login privileges, moving or copying data, or logging in at odd hours on different machines. When the analytics are part of a big-data platform driven by machine learning, that detection grows radically more precise.
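To make the contrast between a rules-bound agent and entity-based scoring concrete, here is an added example (not code from the original post or from any vendor it mentions). It runs a constructed event log through two detectors: a single USB-copy threshold rule of the kind an endpoint agent carries, and a per-user scorer that combines several weak signals (an unfamiliar host, an unusual hour, privilege escalation, removable-media copies) into one score per user per day. The events, weights and thresholds are all constructed for the example; the point is that the threshold rule fires on a routine large copy and on the real incident alike, while the combined score separates the two.

```python
"""Added example, not code from the original post: a toy entity-behaviour
scorer that combines several weak signals about one user into a single
score, beside the kind of single-threshold rule an endpoint agent carries.
The event log, weights and thresholds are all constructed for this example."""
from collections import defaultdict
from datetime import datetime

USB_THRESHOLD = 500_000_000  # constructed: bytes per copy that trips the simple rule

# Constructed sample events: (ISO timestamp, user, host, action, bytes moved)
EVENTS = [
    ("2019-03-04T09:12:00", "alice", "ws-alice", "login", 0),
    ("2019-03-04T09:40:00", "alice", "ws-alice", "usb_copy", 2_000_000),
    ("2019-03-05T10:05:00", "alice", "ws-alice", "login", 0),
    ("2019-03-06T08:55:00", "alice", "ws-alice", "login", 0),
    ("2019-03-07T02:10:00", "alice", "srv-db01", "login", 0),
    ("2019-03-07T02:15:00", "alice", "srv-db01", "priv_escalate", 0),
    ("2019-03-07T02:20:00", "alice", "srv-db01", "usb_copy", 900_000_000),
    ("2019-03-04T11:00:00", "bob", "ws-bob", "login", 0),
    ("2019-03-04T11:30:00", "bob", "ws-bob", "usb_copy", 600_000_000),  # bulky but routine
    ("2019-03-05T11:10:00", "bob", "ws-bob", "login", 0),
]


def parse(raw):
    """Turn the constructed tuples into events with real datetimes."""
    return [(datetime.fromisoformat(ts), u, h, a, b) for ts, u, h, a, b in raw]


def usb_rule(event):
    """The single-threshold rule: alert on any large removable-media copy."""
    _, _, _, action, nbytes = event
    return action == "usb_copy" and nbytes > USB_THRESHOLD


def rule_alerts(events):
    """Every (user, day) the threshold rule fires on, regardless of context."""
    return [(e[1], e[0].date().isoformat()) for e in events if usb_rule(e)]


def baseline(events, user, day_start):
    """Hosts and hours this user was seen on before the day being scored.
    Recomputed per event for clarity; a real platform keeps a rolling profile."""
    hosts, hours = set(), set()
    for ts, u, host, _, _ in events:
        if u == user and ts < day_start:
            hosts.add(host)
            hours.add(ts.hour)
    return hosts, hours


def score_event(event, history):
    """Score one event against the user's own past behaviour (weights are constructed)."""
    ts, user, host, action, nbytes = event
    hosts, hours = baseline(history, user, ts.replace(hour=0, minute=0, second=0))
    score, reasons = 0, []
    if hosts and host not in hosts:  # users with no history yet get no host/hour score
        score += 2
        reasons.append("new host")
    if hours and all(abs(ts.hour - h) > 2 for h in hours):
        score += 2
        reasons.append("unusual hour")
    if action == "priv_escalate":
        score += 3
        reasons.append("privilege escalation")
    if action == "usb_copy":
        score += 1
        reasons.append("removable media")
        if nbytes > USB_THRESHOLD:
            score += 2
            reasons.append("large copy")
    return score, reasons


def entity_scores(events):
    """Aggregate event scores per (user, day) so weak signals reinforce each other."""
    per_day = defaultdict(lambda: [0, set()])
    for event in events:
        score, reasons = score_event(event, events)
        key = (event[1], event[0].date().isoformat())
        per_day[key][0] += score
        per_day[key][1].update(reasons)
    return {k: (v[0], sorted(v[1])) for k, v in per_day.items()}


def prioritized(events, min_score=8):
    """The analyst queue: (user, day, score, reasons), highest score first."""
    queue = [(u, d, s, r) for (u, d), (s, r) in entity_scores(events).items() if s >= min_score]
    return sorted(queue, key=lambda item: -item[2])


if __name__ == "__main__":
    evs = parse(EVENTS)
    print("threshold rule fired on:", rule_alerts(evs))
    for user, day, score, reasons in prioritized(evs):
        print(f"{user} {day}: score {score} ({', '.join(reasons)})")
```

Run as a script, the threshold rule raises two alerts (bob's routine 600 MB copy during his normal hours and alice's incident), whereas the entity queue contains only alice's 7 March activity, where a new host, a 2 a.m. session, a privilege escalation and a large copy stack up to a single high-priority item with the reasons attached. The baseline is deliberately the user's own history rather than a global threshold; that is what lets bob's habitual bulk copies stay quiet without the rule being loosened for everyone.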

Despite what you may hear, trashing current security investments is a hasty way to remedy any rules-based security shortcomings an enterprise may have. Those tools may not be invincible, but they still work. Instead, enterprises must focus on centralizing security rather than simply adding onto it. Any future investments you make should always aim to maximize the value of your existing ones.