Throughout human history, we have been developing weapons and defenses in a constant cycle – from the first spears and shields to bombers and anti-aircraft guns. This mentality has carried over to the information age, and we're now locked in an escalating war of information with cyber criminals. For every new tactic they use to attack businesses, we develop a defense. The result is that we now have a complex series of defensive technologies that are being maintained by different people in different operating groups. Firewalls, anti-virus, secure gateways, data leakage protection – we've developed separate solutions to defend every point of the data stack. But this creates visibility problems, and no one person is able to keep up with everything. Often, different people within an organization manage patches, network security, application security and other aspects of security. The information we get from all of our safeguards is fragmented, and we find ourselves making decisions based on incomplete information. We have a wealth of data, but little true knowledge of how to put it to use to protect the enterprise.
SIEM and its limitations
In order to take a step back and see the whole picture of our risks, many organizations look to security information and event management (SIEM) solutions. SIEM tools can help bring together the data generated by siloed security measures to provide better visibility. But there are limitations to what SIEM can do.
While SIEM provides essential intelligence, it's event-driven, relying on incidents to generate information rather than working proactively. Moreover, when an incident does happen, it's unable to take any action, which means we still find ourselves relying on manual procedures. This increases the resource demands on IT, and potentially leaves the organization exposed if problems are not dealt with quickly enough.
Today's CISO has two main needs. The first is the ability to understand risks in the context of the business itself. This means we need complete visibility into every level of the data stack, from end to end, with the ability to bring all the resulting data together in a comprehensive way. The second need is to be able to take that complete picture and convert the information into meaningful action that will reduce these specific risks.
“ we must continue to dramatically evolve and reshape our information analysis capability...”
Current SIEM solutions help with the first need, but they don't help generate action or overcome the problem of such discrete security solutions. It's time for vendors to take note of the needs of businesses today, and offer not only comprehensive risk understanding but the ability to drive operational processes that minimize the need for manual intervention. This is particularly timely given the information eruption due to the array of security data coming at us at warp speed from all angles. We've reached a true inflection point in the security space that requires new thinking and new approaches to mature the industry to a point of operational excellence, rather than block-and-tackle defenses.
The importance of log analysis
Shedding further light on this need is a recent survey conducted by SANS. Their eighth annual "Log and Event Management Survey" reveals the increasing awareness among organizations that they need to more effectively use the information they collect in logs. In fact, the report states that 58 percent of businesses have begun to use a log manager, and 37 percent are now using SIEM software. But, with that information collected, they are becoming more aware of the limitations inherent in these solutions. The survey asked about their top challenges in integrating their logs with other IT tools, and the top three challenges stand out:
- Identifying key events
- Coordinating events from discrete sources
- Lack of ability to analyze logs
In particular, the respondents found it a challenge to use their log data to identify malware, such as advanced persistent threats, and prevent incidents – which is the most important reason for gathering the information in the first place. The survey shows that while we are making progress when it comes to logging information on our risks, we still have a ways to go in translating that information to action.
Enter business intelligence for security
As we've begun to observe that the fundamental data model behind most security technologies makes it difficult or even impossible to deal with new threats, the idea of adapting Big Data capability to security is now a topic of major discussion. Instead of normalizing and reducing data, how do we maintain its fidelity and work on enriching what the data can tells us? Further, we see more momentum around the idea of containing breaches that have already occurred and analyzing things post mortem. The thought there is to assume you've been breached, so now what do you do? This all speaks to the above challenges on log analysis. They're all valid approaches that add value, but we must continue to dramatically evolve and reshape our information analysis capability in security as a whole. The ability to manage security with greater understanding, agility and confidence is critical.
But the narrative can't only be about analyzing lots of data to better understand risk and make better decisions. It must still ultimately include protection. And that's the ultimate challenge with security today - bridging the gap between detection and protection. And not only do we need new detection technologies – see how first generation AV solutions are basically obsolete, and the stateful firewall is not long for this world – there are still script kiddies and bots that take advantage of well-known vulnerabilities. We must also continue to improve the way we operationalize our existing security infrastructure to protect against known threats.
The next step
Clearly, IT is ready to take the next step beyond simply collecting data and hoping we can somehow find a way to use it to keep ourselves safer. We need intelligent products that will take layer-specific security information to the next level and automate the response process through active mitigation. As these solutions come to market, IT will be able to stay one step ahead in the fight against cyber crime.