SVP, Customer Success
Feb 9, 2018
The world of security has changed. The outdated thinking of some security leaders and their security strategies represent a serious liability. A new era, defined by the recent growth in distributed applications (on-premises, cloud and mobile), an increasingly dispersed workforce, and fast-moving business priorities, has forever altered the SIEM (security information and event management) and IAM (identity and access management) landscapes.
The traditional security approach too often focused mainly on descriptive (i.e., “What happened?”) and diagnostic (“Why did it happen?”) capabilities. That kind of thinking and forensic approach is most useful for the postmortem of a breach, to help prevent similar attacks in the future. Yet with the constant evolution of IT, users accessing from anywhere in the world, at any time, with a broad range of devices being used for that access, the threats are evolving, increasing and accelerating at a breakneck speed. The old approach has become a vulnerability. New, real-time responsive security strategies must be in place to meet this challenge.
Recognizing there is simply too much data to handle with human resources, and that it will only continue to get worse, future-looking security leaders recognize that machine learning models driving analytics extracting context from big data is the force multiplier needed to face the evolving threats of today. This force multiplier should provide predictive security analytic capabilities (“What will happen?”).
Once a security leader has assessed that an advanced security analytics solution holds the promise to address this requirement with UEBA (user and entity behavior analytics) and IdA (identity analytics) capabilities, the need for prescriptive (“What are the recommended corrective actions?”) capabilities must also be taken into account. This is because as the variety, magnitude and acceleration of identity-based threats that organizations face increases, not all of an organization’s needs for unknown threat detection and access analytics are being met with the generic capabilities most UEBA solutions offer. Given that the compromise and abuse of identity is at the core of attacks and data breaches, cleaning up identity access with risk scoring down to the entitlement level is a crucial security hygiene requirement, and even more so before cloud adoption.
Add to that, IAM and SIEM solutions, by themselves, are ineffective at behavior analytics. They lack support for a wide timespan of data, advanced correlations, and support for a variety of critical data for context, including unstructured data. Also, threat hunting for unknown threats, such as insiders, compromised accounts and data exfiltration, leads to futility fatigue with IAM and SIEM queries, filters and pivots. There is simply too much data, which doubles every year. This leads organizations to adopt big data for the long-term storage of data for value at a lower cost. Yet leveraging the context of big data with behavior analytics for risk scoring to prioritize incidents for security analysts is only half of the solution. The use of bidirectional API integrations between solutions to provide risk scores on demand and collect feedback or data provides a closed-loop deployment for automated risk response. Without any human intervention required, this enables step-up multi-factor authentication (MFA) based on risk scores and reduced workloads, with dynamic access provisioning as examples. Qualified advanced security analytics vendors should offer numerous automated risk response use cases. Without them, an advanced security analytics vendor’s capabilities are incomplete. That’s an unwelcome prospect in today’s fast evolving environment where the need for real-time detection and response is growing with urgency every day.
To learn more about this topic, read the white paper: Automated Risk Response and Custom Use Cases with Advanced Security Analytics.