Today’s organizations can’t afford to rely on reactive technology if they want to stop today’s increasingly advanced threats.
By: Paul Steen, Principal Solutions Engineering, Imperva
Cybersecurity solutions often promise real-time information or real-time alerts, with the assurance that you’ll be informed the moment something malicious happens in your network. It’s easy to see the allure. The sooner you know an attack is underway, the sooner you can do something about it—and what could be faster than real-time?
Unfortunately, in today’s threat environment, “real-time” isn’t fast enough. The truth is, by the time malicious activity is detected and a real-time alert is triggered, the attack is likely already happening. That puts security teams in a reactive position, scrambling to contain the attack. While having real-time information is important, organizations can’t rely on reactive technology if they want to stop advanced attackers. Instead, organizations should focus on predictive analytics that can identify attackers before they find valuable data and stop a security incident before it occurs.
Modern attack techniques allow cybercriminals to carry out an attack faster than ever, while also disguising its signatures and making it more difficult to identify. In theory, having access to real-time information sounds effective. However, it can lead to information overload and false positives. The burden resides with the security analyst who must determine which alerts need immediate attention and which do not. By the time the alert is received, prioritized, and investigated, it may be too late to effectively contain and remediate the attack.
This invites a question: If real-time alerts aren’t enough, how can security teams better position themselves to stop today’s attacks? The answer lies in being proactive—and predictive—rather than reactive.
It’s helpful to visualize this in terms of physical security. If you only have cameras in your back office (or focused on your safe), you won’t catch the intruder until they’re already inside. That’s a problem. If an intruder is wandering around inside your facility, the security team wouldn’t wait to confront them until they try to open the safe—you’d want security to have eyes on them the moment they enter the lobby. In fact, you might want to know about this possible intruder before they enter the building. It’s important for organizations to consider cybersecurity in much the same way.
Data is king in today’s world—and modern organizations are generating that data faster than a security solution can scan it, identify it, classify it, and organize it. There is certainly value in data discovery and classification, but it’s a never-ending endeavor—and while prioritizing the “most sensitive” data can save time and give those efforts more focus, it doesn’t really solve the problem of timely detection and remediation.
To improve the effectiveness of their data protection capabilities, organizations often focus on the discovery, classification, and identification of what they consider sensitive information, with the ultimate goal of engaging in real-time detection and mitigation of attack activity. But today’s attackers don’t make a beeline for the organization’s crown jewels. They poke around the edges, looking for compromised accounts, misconfigurations, vulnerable databases, and other exposures that could make infiltrating the data stores easier. While it may sound counterintuitive, modern cybercriminals are often going to start by looking for your least valuable data.
As a result, organizations need to change the way they think about data protection. Rather than focusing only on high-value and business-critical data, organizations can use AI and ML tools to monitor user and application activity across the entire data environment. These tools will quickly establish a baseline of normal activity while highlighting risky behavior within the environment. With this baseline in place, they can then easily identify when abnormal behavior occurs and flag it to security teams.
These analytics allow organizations to identify compromised or fraudulent user accounts, irregular traffic patterns, and other suspicious and damaging activity based on behavioral anomalies detected in less sensitive areas. By identifying risky behavior (which often masks malicious activity), security teams can either enact procedures to eliminate the risk or create targeted security policies to manage the risk. Predicting malicious activity using data analytics exposes attacks during the reconnaissance phase of a breach and gives organizations ample time to eliminate the threat before adversaries get the chance to cause chaos.
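To make the baselining idea concrete, here is an added example (not code from the article or from Imperva) of the simplest possible version of what the two paragraphs above describe: learn, per account, which tables, source addresses and working hours are normal from a week of database audit log lines, then score new events against that profile. It deliberately watches every table, not only the sensitive ones, so that the "poking around the edges" pattern (one account touching several low-value tables it has never used before within a single hour) surfaces as an enumeration finding. The log format, the account names, the table names and all addresses are constructed for this example and stand in for whatever your database audit feed actually emits.

```python
"""Toy behavioral baseline for database access events.

Flags deviations from each account's learned profile, including
reconnaissance-style probing of low-value tables, instead of alerting
only on access to the most sensitive data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article).
# Fields: timestamp user source_ip table rows_returned
BASELINE_LOG = """\
2024-03-04T09:12:03 alice 10.0.1.15 orders 120
2024-03-04T10:40:51 alice 10.0.1.15 customers 35
2024-03-04T14:05:22 alice 10.0.1.15 orders 88
2024-03-05T09:30:10 alice 10.0.1.15 customers 41
2024-03-05T16:55:02 alice 10.0.1.15 orders 102
2024-03-04T08:02:44 bob 10.0.2.20 inventory 400
2024-03-04T13:17:09 bob 10.0.2.20 inventory 380
2024-03-05T08:10:31 bob 10.0.2.20 inventory 415
2024-03-04T02:00:05 svc_report 10.0.9.9 orders 50000
2024-03-04T02:03:12 svc_report 10.0.9.9 inventory 12000
2024-03-05T02:00:07 svc_report 10.0.9.9 orders 51000
2024-03-05T02:03:15 svc_report 10.0.9.9 inventory 12100
"""

# Constructed events to score against the baseline: one normal day for
# alice and svc_report, plus an off-hours login, a probing burst and an
# account the baseline has never seen.
NEW_EVENTS = """\
2024-03-06T10:15:00 alice 10.0.1.15 orders 95
2024-03-06T03:41:10 alice 203.0.113.7 customers 30
2024-03-06T11:02:00 bob 10.0.2.20 information_schema.tables 0
2024-03-06T11:02:30 bob 10.0.2.20 staff_directory 12
2024-03-06T11:03:05 bob 10.0.2.20 app_config 4
2024-03-06T02:00:06 svc_report 10.0.9.9 orders 50500
2024-03-06T12:00:00 mallory 198.51.100.2 orders 10
"""


def parse(line):
    """Split one whitespace-delimited audit line into a dict."""
    ts, user, src, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "table": table, "rows": int(rows)}


def build_baseline(lines):
    """Per account: tables touched, source IPs seen, hours of activity, and the
    largest number of distinct tables touched within any single clock hour."""
    per_user = defaultdict(lambda: {"tables": set(), "sources": set(),
                                    "hours": set(), "max_tables_per_hour": 0})
    per_bucket = defaultdict(set)  # (user, YYYY-MM-DDTHH) -> distinct tables
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        prof = per_user[ev["user"]]
        prof["tables"].add(ev["table"])
        prof["sources"].add(ev["src"])
        prof["hours"].add(ev["ts"].hour)
        per_bucket[(ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))].add(ev["table"])
    for (user, _), tables in per_bucket.items():
        prof = per_user[user]
        prof["max_tables_per_hour"] = max(prof["max_tables_per_hour"], len(tables))
    return dict(per_user)


def score_events(lines, baseline):
    """Return one finding (ts, user, reasons) per event that deviates from the
    account's profile; events that produce no reasons are treated as normal."""
    findings = []
    seen_in_bucket = defaultdict(set)  # distinct tables per (user, hour) in the new data
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        user = ev["user"]
        prof = baseline.get(user)
        if prof is None:  # no profile at all: nothing to compare against
            findings.append({"ts": ev["ts"].isoformat(), "user": user,
                             "reasons": ["unknown_user"]})
            continue
        reasons = []
        if ev["table"] not in prof["tables"]:
            reasons.append("new_table")
        if ev["src"] not in prof["sources"]:
            reasons.append("new_source")
        lo, hi = min(prof["hours"]) - 1, max(prof["hours"]) + 1  # one hour of slack
        if not lo <= ev["ts"].hour <= hi:
            reasons.append("off_hours")
        bucket = seen_in_bucket[(user, ev["ts"].strftime("%Y-%m-%dT%H"))]
        bucket.add(ev["table"])
        if len(bucket) > prof["max_tables_per_hour"]:
            reasons.append("enumeration")  # touching more tables per hour than ever before
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG.splitlines())
    for f in score_events(NEW_EVENTS.splitlines(), base):
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
```

Run as a script it prints five findings: alice's off-hours session from an unfamiliar address, bob's three probes of tables he has never used (the second and third also trip the enumeration rule), and the unknown account. None of these touch a table anyone would label "crown jewels", which is the point: the reconnaissance is visible in the low-value data before the high-value data is ever requested. A production version would age the baseline, weight rules, and suppress known batch jobs, but the shape is the same.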
Given the sprawling nature of data stores and the volume of data collected by organizations, real-time threat notifications can create alert fatigue and make it difficult to determine which threats are in need of immediate attention. Worse still, as organizations focus their attention on what they perceive as their most valuable data, real-time alerts are often too late.
In today’s threat landscape, real-time isn’t always the right time. Rather than wait until the attacker is cracking the door on the safe, organizations need to prioritize proactive and predictive solutions that can help them get ahead of attackers. By working from the outside in and using predictive analytics to secure less valuable data, organizations can better understand how attackers operate—and how to stop them.
Paul Steen is a Principal Sales Engineer at Imperva, where he helps customers solve complex application and data security challenges and associated compliance requirements. With more than 25 years of experience in the cybersecurity industry, Paul is a frequent speaker at key IT security events, such as RSA Conference, AusCert, OWASP, and AISA. Prior, Paul worked at Check Point Software and Integris Software. He holds a bachelor’s degree in education from Southern Adventist University.