Events , Incident & Breach Response , RSA Conference
Harnessing Security Intelligence
LogRhythm's Taylor-Mountford on Leveraging AnalyticsMost analyst groups say that by 2020, enterprises will be in a state of continuous compromise, the Asia Pacific region being no exception. Technologists, then, are seeking new ways to educate customers and practitioners about developing an effective breach response mechanism.
See Also: Research Survey Results Report: Evaluating Managed Security Provider Offerings in 2023
The fundamental success of a defense mechanism requires using security intelligence in the right manner, combined with the use of advanced machine analytics, says Singapore-based Bill Taylor-Mountford, vice president & general manager-APJ at LogRhythm, a security technology provider.
"Traditional methods of prevention and detection can't keep up with attackers, allowing them to access all important information," he says.
Also, the conventional threat prevention mechanism widens the time between compromise and mitigation, he says.
So, his prescription: Deploy a security intelligence platform enabling CISOs to deliver the right information at the right time, with the appropriate context, to decrease the time taken to detect and respond to damaging cyber-threats.
"Besides, user analytics and machine analytics play a key role in detecting malware or other attacks and reduce manual intervention," adds Taylor-Mountford.
In this interview with Information Security Media Group at the RSA Conference Asia Pacific & Japan held recently in Singapore, Taylor-Mountford discusses using analytics to develop a resilient threat detection model. He also discusses:
- Ways to leverage analytics in detecting breaches;
- Workforce challenges in understanding cybersecurity;
- Steps for an improved breach response model.
Taylor-Mountford is responsible for working with the APJ Security community on LogRhythm's Security Intelligence Platform. Earlier, he headed regional businesses for Acronis and Symantec. At Symantec, he led both security and storage divisions, and spoke regularly on security risks and vulnerabilities. He also sits on a regional Cyber Security Council, advising government and commercial entities.
Security intelligence
GEETHA NANDIKOTKUR: Analysts predict that in 2020, enterprise systems, including those in the AsiaPacific, will be in a state of continuous compromise. What's the best way to prevent advanced attacks from gaining a foothold into their systems?
BILL TAYLOR-MOUNTFORD: Traditionally, the average time to detect a breach was around 207 days - about seven months. So, attackers could gain a strong foothold into the systems and search for IP and other critical information. The time between compromise and mitigation is huge, owing to the conventional threat prevention mechanism. So, have a security intelligence platform used in the right manner for a resilient defence mechanism.
Just as business intelligence helps organizations clear the fog of too much of seemingly extraneous business data to find previously unknown business opportunities, security intelligence enables companies to clearly see threats. A security intelligence platform has various threat intelligence solutions combined with advanced machine analytics that help shorten their mean-time-to-detect, and mean-time-to-respond, extend the value of current security tools, and help discover previously unseen threats.
Using Analytics
NANDIKOTKUR: You emphasize using analytics in creating a resilient response model. Can you provide insights on its modus operandi?
TAYLOR-MOUNTFORD: User analytics and machine analytics play a key role in detecting malware or other attacks and reduce manual intervention. The process comprises components such as discover, qualify, investigate, mitigate and recover, which use analytics.
For instance, the discovery process requires extracting those threats that require further analysis from the mass of forensic data. There are two principal types of analytics performed for discovering threats: user analytics and machine analytics.
User analytics are "person-based" - the work of individuals who are monitoring dashboards, manually evaluating trends, patterns and behaviors and actively hunting for threats within the environment. This is based on the number of trained security staff an organization can employ. Machine-based analytics are "machine-based," delivered via software where captured forensic and event data is monitored and analyzed. Machine analytics detect threats that can only be seen via sophisticated analytic techniques, and prioritize threats detected by other technologies.
Machine-based analytics, gaining prominence in the west, should be leveraged by this region; it can help continuously and automatically surface risks and advanced threats via:
Forensic data; - Application of hybrid analytics techniques from correlation to behavioural modelling to machine learning ;
- Intelligent prioritization of threats via contextual, risk-based corroboration.
Workplace Security Challenges
NANDIKOTKUR: Are security teams clued into handling security intelligence platform or analytics?
TAYLOR-MOUNTFORD: It is a big challenge, no doubt for Asia Pacific, where teams understand less about cybersecurity. We recently came up with a workforce security study among workers and managers of cybersecurity teams across Australia, Hong Kong and Singapore. The challenge is that most workers from Singapore, almost 41 percent, kept their passwords in an unsecure place. The type of password used is similar across countries. In Australia, 19 percent use one password for everything; it's 14 percent in Hong Kong and 18 percent in Singapore, respectively. At least half of the teams in each of these countries prefer "password only" for work access. A higher proportion of Hong Kong and Singapore workers say colleagues make unauthorised access to confidential work information or data (30 percent in Hong Kong, 21 percent in Singapore, 13 percent in Australia).
Employee-related risks are seen as the greatest threat to data security. It is higher among Singapore workers. (94 percent of Singapore workers say this compared to 86 percent of Hong Kong and 72 percent of Australia). People downloading infected files or malware is seen as the greatest threat with Singapore leading with 53 percent.
Employees' lack of awareness about threats and vulnerabilities within the enterprises is the biggest challenge; security teams are unable to judiciously invest on various functions to build a breach detection and response model. Market maturity in using advanced security innovations is lacking.
Breach Response Model
NANDIKOTKUR: So, what must CISOs do to build an effective response framework?
TAYLOR-MOUNTFORD: There are about four levels that CISOs must adhere to when building an effective response model:
- Level 0: Understanding organizational characteristics with a prevention mindset with basic firewalls and understanding of risk characteristics.
- Level 1: Minimally compliant framework as CISOs deploy targeted log management and SIEM, and often have a compliance mandate driving investment, or alternatively, have identified a specific area of their environment to better protect and blind to insider threat.
- Level 2: A phase of following security compliance deploying holistic log management and broader, risk aligned server forensics. Move beyond the minimal "check box" compliance approach, seeking efficiencies and improved assurance and understand risks from extremely resilient and highly efficient compliance posture.
- Level 3: CISOs must be vigilant and enhance security intelligence capabilities around holistic server forensics, targeted network forensics, multi-vendor, commercial grade threat intelligence. Make investments in processes and people to improve the ability to detect and respond to all threats.
- Level 4: Resilient phase-building capabilities around holistic network, server and endpoint forensics and risk characterization. Use multi-vector machine analytics. Understand you are a high value target for nation-states, cyber-terrorists and organized crime, develop a resilient and efficient compliance posture and have automated response processes and countermeasures.
Most important, CISOs must build awareness, impart training and create an information sharing mechanism
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.