Analytics continues to be one of the hot buzzwords in the information security space, with many users and vendors focusing efforts on the increased intelligence required to effectively defend against advanced threats that leverage various attack techniques and vectors. That said, analytics means many different things and can yield many different results.
For this reason we see the coming bifurcation of analytics in information security, breaking solutions into two fairly broad categories – network/system data (or content-aware) analytics and user/activity-oriented (context-aware) analytics. The latter is a new category that allows organizations to evaluate events in the context of users and their actions in relation to the overall use of sensitive information, security posture, and normal behaviors.
The complaint we hear the most from security technology and business professionals, across enterprises, is that it is too difficult for them to distinguish and separate legitimate from malicious activity.
Nowhere is this more apparent than in the area of ‘security for information’ and in particular the data loss prevention (DLP) market, where current content-aware DLP solutions treat the symptom, but not the cause, of data breaches. To get to the root of an attack, security professionals need to be able to identify risks and potential security events based on employee activities and patterns of behavior. This empowers security teams to quickly pinpoint and even prevent potential issues, without impacting employee productivity and without having to pore over millions of incidents and events, one at a time.
Take the recent damage United States government agencies have suffered from classified documents made public by insiders, add to that the fact that once an external attack breaches the network perimeter it becomes an insider, and you can see how this is a far-reaching problem that keeps many government agencies, large financial institutions, healthcare providers, and IP-rich organizations up at night.
In the wake of the Bradley Manning and Edward Snowden scandals, behavior monitoring becomes more and more critical for both government agencies and large organizations. Is the answer to monitor the detailed activities and interactions of millions of insiders? As expert James Bamford explains: “The problem is the bigger you build the haystack, the harder it is to find the needle.” This is why you need to take a metadata-based, context-aware approach that allows you to isolate meaningful deviations from normal behavior. Without the proper context, the critical deviations are missed. With limited resources and ever-increasing data sets to manage, organizations cannot afford to overlook the power of applying context-aware analytics to safeguard their sensitive information. This does not mean that DLP solutions are falling down on the job; they actually provide great value. However, companies cannot afford to have their IT teams sorting through information on a case-by-case basis while insiders access sensitive corporate and customer data. Adding context to content-aware DLP solutions enables IT teams to focus on what's important: isolating, identifying and mitigating malicious insider threats.
By understanding user behavior, organizations can determine their real risk exposure, evaluate insider threats, and reduce the false positives that often plague content-aware security solutions and, in the process, render them ineffective. With real-time context about users and their behavior throughout an incident workflow, instead of after the fact when it's too late, these organizations can act smarter and faster, often before a breach actually occurs. This affects executives, senior management, and security professionals, since they are all responsible for decisions that involve risk to the organization, which is sure to include the mitigation of risks to its sensitive information.
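The two ideas above, isolating deviations from a user's own normal behavior and using that context to separate a content-aware DLP match worth investigating from one that is routine, are easy to see in code. The following is an added illustration, not code from this article or from any DLP product. It assumes a constructed activity-log format (timestamp, user, action, resource, and a flag saying whether a content rule fired), a constructed set of business hours, and simple thresholds; all of those are assumptions chosen for the example. It builds a per-user baseline of daily sensitive-file access from a few days of history, then scores a new day by how far each user departs from their own baseline.

```python
"""Context-aware scoring of content-aware DLP matches (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 counts as normal working hours
MIN_STDEV = 1.0                 # floor so a perfectly regular baseline does not make z explode

# Constructed history (hypothetical format): "<ISO timestamp> <user> <action> <resource> <dlp>"
# dlp is what a content-aware engine reports: 1 = a content rule fired on the resource.
BASELINE_LOG = """\
2014-01-06T09:10:00 alice read finance/q4-forecast.xlsx 1
2014-01-06T10:30:00 alice read finance/budget.xlsx 1
2014-01-07T09:05:00 alice read finance/q4-forecast.xlsx 1
2014-01-07T14:00:00 alice read finance/budget.xlsx 1
2014-01-08T09:20:00 alice read finance/q4-forecast.xlsx 1
2014-01-08T11:45:00 alice read finance/payroll.xlsx 1
2014-01-09T09:30:00 alice read finance/budget.xlsx 1
2014-01-09T15:10:00 alice read finance/q4-forecast.xlsx 1
2014-01-06T08:50:00 bob read hr/policies.docx 0
2014-01-07T09:00:00 bob read hr/policies.docx 0
2014-01-08T09:10:00 bob read hr/handbook.docx 0
2014-01-09T09:05:00 bob read hr/policies.docx 0
"""

# Constructed day under evaluation: alice does her usual work; bob, who never touched
# finance data before, reads five finance files late at night. Both trigger content rules.
EVAL_LOG = """\
2014-01-10T09:15:00 alice read finance/q4-forecast.xlsx 1
2014-01-10T10:00:00 alice read finance/budget.xlsx 1
2014-01-10T23:40:00 bob read finance/payroll.xlsx 1
2014-01-10T23:41:00 bob read finance/q4-forecast.xlsx 1
2014-01-10T23:42:00 bob read finance/budget.xlsx 1
2014-01-10T23:43:00 bob read finance/customer-list.csv 1
2014-01-10T23:44:00 bob read finance/salaries.xlsx 1
"""


def parse(log_text):
    """Turn the constructed log format into one dict per line."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, dlp = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource, "dlp": dlp == "1"})
    return records


def build_baselines(records):
    """Per-user normal behaviour: daily count of content-flagged accesses and known resources."""
    daily = defaultdict(dict)        # user -> day -> flagged-access count
    resources = defaultdict(set)     # user -> resources seen in the history
    for r in records:
        per_day = daily[r["user"]]
        day = r["ts"].date()
        per_day.setdefault(day, 0)   # quiet days count as zero, not as missing
        if r["dlp"]:
            per_day[day] += 1
        resources[r["user"]].add(r["resource"])
    baselines = {}
    for user, per_day in daily.items():
        counts = list(per_day.values())
        baselines[user] = {"mean": mean(counts),
                           "stdev": max(pstdev(counts), MIN_STDEV),
                           "resources": resources[user]}
    return baselines


def score_day(records, baselines):
    """Score one day of activity per user, combining content matches with user context."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    results = {}
    for user, evs in by_user.items():
        base = baselines.get(user, {"mean": 0.0, "stdev": MIN_STDEV, "resources": set()})
        dlp_alerts = sum(1 for e in evs if e["dlp"])
        volume_z = (dlp_alerts - base["mean"]) / base["stdev"]          # deviation from own norm
        new_resources = len({e["resource"] for e in evs} - base["resources"])
        off_hours = sum(1 for e in evs if e["ts"].hour not in BUSINESS_HOURS)
        # Priority rule (constructed thresholds): content matches alone stay low; the
        # user's departure from their own baseline is what raises the priority.
        if volume_z >= 3 or (new_resources >= 3 and off_hours > 0):
            priority = "high"
        elif volume_z >= 1.5 or new_resources > 0 or off_hours > 0:
            priority = "medium"
        else:
            priority = "low"
        results[user] = {"dlp_alerts": dlp_alerts, "volume_z": volume_z,
                         "new_resources": new_resources, "off_hours": off_hours,
                         "priority": priority}
    return results


if __name__ == "__main__":
    scored = score_day(parse(EVAL_LOG), build_baselines(parse(BASELINE_LOG)))
    for user, s in scored.items():
        print(user, s)
```

Run as-is, the content-only view is two matches for alice and five for bob, seven events for an analyst to work through one at a time. With the baseline applied, alice's two matches are exactly her normal daily pattern and score low, while bob's day scores high on all three context signals (volume far above his own history, resources he has never touched, access outside working hours). The thresholds, business hours and log format are the example's own assumptions; a real deployment would tune them per population and feed them from the organization's actual access logs.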