
Your next digital security guard should be more like RoboCop

Mike Paquette, VP of Security Products, Prelert | June 5, 2015
Machine intelligence can be used to police networks and fill gaps where the available resources and capabilities of human intelligence are clearly falling short

This vendor-written tech primer has been edited to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Humans are clearly incapable of monitoring and identifying every threat on today's vast and complex networks using traditional security tools. We need to enhance human capabilities by augmenting them with machine intelligence. Mixing man and machine, in some ways similar to what OmniCorp did with RoboCop, can heighten our ability to identify and stop a threat before it's too late.

The "dumb" tools that organizations rely on today are simply ineffective. Two consistent, yet still surprising, things make this ineptitude fairly apparent. The first is the amount of time hackers have free rein within a system before being detected: eight months at Premera and P.F. Chang's, six months at Neiman Marcus, five months at Home Depot, and the list goes on.

The second surprise is the response. Everyone usually looks backwards, trying to figure out how the external actors got in. Finding the proverbial leak and plugging it is obviously important, but this approach only treats a symptom instead of curing the disease.

The disease, in this case, is the growing faction of hackers who are getting so good at what they do that they can infiltrate a network and roam around freely, accessing more files and data than even most internal employees have access to. If it took months for Premera, Sony, Target and others to detect these bad actors in their networks and begin to patch the holes that let them in, how can they be sure that another group didn't find another hole? How do they know other groups aren't pilfering data right now? Today, they can't know for sure.

The typical response

Until recently, companies have really only had one option as a response to rising threats, a response that most organizations still employ. They re-harden systems, ratchet up firewall and IDS/IPS rules and thresholds, and put stricter web proxy and VPN policies in place. But by doing this they drown their incident response teams in alerts.

Tightening policies and adding to the number of scenarios that will raise a red flag just makes the job more difficult for security teams that are already stretched thin. This causes thousands of false positives every day, making it physically impossible to investigate every one. As recent high-profile attacks have proven, the deluge of alerts is helping malicious activity slip through the cracks because, even when it is "caught," nothing is being done about it.

In addition, clamping down on security rules and procedures just wastes everyone's time. By design, tighter policies will restrict access to data, and in many cases, that data is what employees need to do their jobs well. Employees and departments will start asking for the tools and information they need, wasting precious time for them and the IT/security teams that have to vet every request.

 
