Seceon.com
“Most companies miss the mark when defending against the “insider” threat, which in many cases is not a rogue employee seeking personal gain, but a case of compromised credentials. In fact, 25 percent of all data breaches are caused by compromised credentials (Verizon Data Breach Report 2017) and 65 percent of companies expect to suffer a breach due to compromised credentials in the future, according to a survey conducted by the Cloud Security Alliance and sponsored by Centrify.”
Solving today’s Threat Challenges with a fully Automated Threat Detection and Real-Time Remediation Solution
The threats faced by today’s organizations come from all angles. In the past a strong perimeter was thought to be enough; however, that is not the case today. Today’s threats are coming from insiders, even though they are often unintentional, and this has become one of the most pressing cyber security concerns. In 2016, the Insider Threat Report Spotlight found that 74 percent of organizations feel vulnerable to insider threats: “Privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (60 percent). This is followed by contractors and consultants (57 percent), and regular employees (51 percent).”
Ever-growing Threats: Origin and Growth/Propagation
In many cases, the threats come in from BYOD and other devices that bypass perimeter defenses but have become infected with malware, crimeware such as ransomware, and/or other means by which an outside entity can take control of such devices and go undetected as they connect east-west to devices within the organization.
According to the Insider Threat Report Spotlight, 27 percent of organizations feel they can detect a threat within hours, and only 24 percent can remediate the problem within hours of detection. Even the small percentage of organizations that do feel capable are often too late. According to Verizon’s 2016 Data Breach Investigation Report, 81.9 percent of organizations surveyed reported that a compromise took only minutes to infiltrate company systems, and a majority of respondents reported that the associated data was exfiltrated within hours of the initial compromise. If a breach were to occur at an organization using its current threat-prevention techniques, there is minimal chance it could stop the data loss.
In the end, the cost of such threats is greater than all others.

“The Insider Threat Report goes on to say that more than 75 percent of enterprise organizations estimate breach remediation costs reach $500,000. Twenty-five percent believe the cost exceeds $500,000 and can reach into the millions. The challenge with today’s threats is to detect and stop the threat before data is accessed, altered or stolen.”
Organizations are slow to identify threats because they are unable to see them. The risk builds when this is combined with a lack of technologies, policies and staff. What’s needed is a better approach, one that detects and remediates in minutes, not hours and days. Recently, there has been a lot of buzz about using behavioral analytics to help detect the threat. Can technologies in behavioral analytics and machine learning detect threats quickly? Will this help to address staff and policy limitations?
Let’s take a look at the problem more closely. For example, it is difficult for traditional security tools to discern and detect the use of an insider’s own lost credentials, or the use of new ones created with elevated privileges by a knowledgeable insider. The use of “legitimate” credentials does not trigger a threat response from the system. Consider the case where an insider loses his/her credentials to the outside world through phishing or other means: current defenses do not detect that it is an imposter accessing assets. The same can happen when an employee or contractor is given the opportunity and decides to use his own credentials, or others he has created, to steal data. In both cases, a behavioral approach lends itself to clearer detection.
A behavioral approach: Is it enough?
A behavioral approach alone is not enough to ensure defense against attackers. The User and Entity Behavior Analytics (UEBA) behavioral threat detection models attempted during the course of the last 24 months tend to only flag behavioral indicators that may be dangerous. This can raise hundreds of false positives on a weekly basis, which require review by well-trained analysts. The process is cumbersome because the analysts have to wade through alerts and logs in order to correlate and analyze the information. Then they have to decide whether the behavior translates into a meaningful threat, and if it does, determine what action to take next. This approach is not feasible for 95% of organizations, because they don’t have the analysts.
Analysts at 451 Research estimate that less than 4 percent of enterprises and government organizations have dedicated security staff in a security operations center (SOC) to monitor all these products for possible breaches. The small percentage of organizations that do have trained analysts are too overwhelmed with the volume of alerts and are unable to act in a timely manner.
“Today’s conditions demand a behavioral system that automates the analysis for teams responsible for security and detects and prioritizes legitimate threats as they are happening. They also demand immediate response to stop the threat once detected, rather than accepting best practice in response to be “less than one day.””
“Most companies miss the mark when defending against the “insider” threat, which in many cases is not a rogue employee seeking personal gain, but a case of compromised credentials. In fact, 22 percent of all data breaches are caused by compromised credentials and 65 percent of companies expect to suffer a breach due to compromised credentials in the future, according to a survey conducted by the Cloud Security Alliance and sponsored by Centrify.”
A March 2016 report by Enterprise Strategy Group stated that, despite having invested significantly in information security solutions, 75% of the 125 security professionals surveyed ignore security incidents and alerts because they cannot keep up with the suffocating volumes. A better approach is to correlate many data sources and analyze the filtered outputs. Modern SIEM solutions attempt to do this. However, most if not all of these solutions have not been properly architected to deal with real-time threat detection when there can be many (thousands to millions of) sources of data that must be analyzed in real time. Taking a look at traditional SIEM architectures reveals why:
Figure 1: Traditional Linear processing architecture
Figure 1 shows a time-consuming process: it correlates enough data to detect a threat before data is compromised, but in the end it still relies on a human to do the analysis and determine whether it is an actual threat.
“Seceon is the first company to design an advanced solution that leverages advanced technologies such as user behavioral analytics, machine learning and in-memory processing for this type of data collection, analysis and automated remediation in real-time.”
Machine learning demands context

Some organizations have tried to use approaches solely dependent on machine learning to accomplish behavioral protection. Initially, machine learning provided a good way to identify patterns and relationships, but in practical terms machine learning generates a great deal of false positives. This creates the same problem that behavioral approaches do: the demand for a human analyst.
A better approach is to use an intelligent system with rule sets and thresholds that are aided by machine learning. The known threat behaviors can be tailored to the appropriate behavior for the system. Correlating these allows the system to maintain a high degree of confidence in the results before presenting a threat, and allows analysts to see all sources of correlation before taking remediation steps.
Combine behavioral analytics and machine learning with real-time remediation
We solved the problem by architecting the platform with a patented process to break the serial data collection and analysis-processing logjam.

Seceon’s Open Threat Management platform (OTM) is based on an advanced microservices architecture. Data is ingested and reduced down to only the information required to identify the type and scope of a threat. This information is then passed to a second application known as the Analytics and Policy Engine (APE).
APE uses a fast parallel-processing architecture: it ingests the information and runs it through thousands of threat detection processes in parallel. This allows a variety of threat detection techniques to be applied. The output analytics generated by each process can be correlated together in many different ways. This approach allows user, entity or organization-wide threats such as DDoS to be detected. The advanced correlation techniques also allow threats to be validated by multiple techniques.
Figure 2: SECEON OTM Scalable Fast Processing Architecture
This minimizes the odds of generating false positives while providing the full scope of an attack or threat. Best of all, this entire set of actions happens in seconds.

Utilizing another patented process, the threats are evaluated by level of risk, and the system can also determine the progression of an attack. This process also makes recommendations, depending on the type and progress of an attack, on how to stop the threat. The system then allows the user to perform that action by pushing a button, or to opt to have the system remediate such threats automatically, which is useful for assuring 24x7x365 protection.
It’s like having a SOC Virtual Analyst Assistant in the box!
Benefits of Seceon’s OTM as a Fully Automated Threat Detection and Remediation System
Easy to understand, prioritized alerts:

By automatically connecting multiple threat indicators and correlating them in context to surface genuine threats, the OTM can help security teams address attacks as they happen with plain-English alerts. A single-line threat alert with drill-down context enables security teams to understand the severity of the threat easily and quickly and take action to fix it automatically.
Fully automated threat detection for all forms of attacks:

The need for automated threat detection applies to organizations of any size or cyber security skill level. For the Fortune 500, with significant resources and staff already in place, automation of threat detection can eliminate threat alert overload and enable greater efficiency for security teams addressing attacks as they occur, ensuring the correct remediation and reporting of the threat. For small to medium-sized businesses with limited or no security analyst staff, automated technology enables the equivalent of a virtual SOC team, giving skill- and resource-constrained teams a chance to protect against these threats.
Automatic threat remediation in real-time:

With faster detection must also come faster remediation! Analysts must react quickly to stop the threat actor in his tracks. Once the threat is revealed, the system must be intuitive and provide immediate recommended actions to stop the threat. The OTM allows such actions to be taken directly from the same screen that detected the threat, allowing for “push button” or, if desired, fully automated threat remediation. This minimizes the effort and can easily cut the time for human response down to literally seconds of elapsed time from the moment the threat was detected and verified. The OTM enables a single analyst to recognize a threat and immediately disable user credentials or, if the attack has progressed further, isolate a user from the network before data is exfiltrated from the organization. For many large organizations this will require changes in current procedures. The reality is that modern organizations are rapidly adapting their policies and procedures to react faster, leveraging the OTM to automatically halt the use of compromised credentials and allow new ones to be reissued to minimize the risk of data loss and business disruption.
Policy driven:

Security and policy go hand in hand. Seceon’s OTM not only detects threats, but can also be used to set policies, for example, providing only certain people or groups with access to certain assets within the organization, such as those with the most valuable data. A good system should also recognize who accesses these resources and the typical patterns of what they do with them, and then allow staff members to determine what policies should be created: in essence, creating a white list that defines protected groups and provides alerts if anyone outside the group tries to access protected data. The Seceon OTM does this and makes suggestions on white lists based on what it learns. In this way the OTM can address a vexing challenge: determining the right course of action to protect information without causing undue side effects by blocking the productivity of users who regularly use these data sources.
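As an added illustration of the two ideas above (correlating several weak behavioral indicators before raising an alert, and alerting on access to a protected group’s data from outside its white list), here is a small Python detector run over constructed access-log records. It is not Seceon’s code or the OTM’s logic; the user names, hosts, resources, thresholds and policy are all assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (timestamp, user, source host, resource).
LOG = [
    ("2017-03-01T09:12:00", "alice", "ws-alice", "hr-share"),
    ("2017-03-02T10:05:00", "alice", "ws-alice", "hr-share"),
    ("2017-03-03T11:40:00", "alice", "ws-alice", "hr-share"),
    ("2017-03-06T09:30:00", "bob", "ws-bob", "eng-wiki"),
    # Alice's credentials used at 03:00 from an unknown host on a non-whitelisted share.
    ("2017-03-08T03:02:00", "alice", "vpn-pool-17", "finance-share"),
    # Bob on a new workstation in business hours: one weak indicator, no alert.
    ("2017-03-08T10:00:00", "bob", "ws-bob-2", "eng-wiki"),
]

# Assumed policy: protected resources and the groups allowed to touch them.
PROTECTED = {"finance-share": {"finance"}, "hr-share": {"hr"}}
GROUPS = {"alice": "hr", "bob": "engineering"}

def baselines(events):
    """Learn each user's usual source hosts and login hours."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, host, _ in events:
        hosts[user].add(host)
        hours[user].add(datetime.fromisoformat(ts).hour)
    return hosts, hours

def indicators(event, hosts, hours):
    """Names of the weak signals one event trips against baseline and policy."""
    ts, user, host, resource = event
    hour = datetime.fromisoformat(ts).hour
    hits = []
    if host not in hosts.get(user, set()):
        hits.append("new_host")
    if hour not in hours.get(user, set()) and not 7 <= hour <= 19:
        hits.append("off_hours")
    if resource in PROTECTED and GROUPS.get(user) not in PROTECTED[resource]:
        hits.append("outside_whitelist")
    return hits

def detect(events, learn=4, min_indicators=2):
    """Baseline on the first `learn` events, then alert only when several
    independent indicators agree on one event: the correlation step."""
    hosts, hours = baselines(events[:learn])
    alerts = []
    for ev in events[learn:]:
        hits = indicators(ev, hosts, hours)
        if len(hits) >= min_indicators:
            alerts.append((ev[1], ev[3], hits))
    return alerts
```

Raising `min_indicators` trades missed detections for fewer false positives, which is the tuning decision the white paper says analysts otherwise make by hand.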
Look to Seceon for the most effective solution on the market, one that fits any budget…
Seceon’s OTM, with its innovative approach, architecture and techniques to detect threats and automate remediation, is one of the industry’s most award-winning platforms. Seceon’s solution is not only effective; it provides most organizations an immediate ROI. The solution costs no more than a good enterprise-class antivirus application, deploys in a few hours by any IT staff member, and can detect, remediate and report threats 24x7x365 without requiring any dedicated security analysts. The solution typically pays for itself by reducing the number of security tools within an organization, or upon the first threat being detected … and stopped.
Find out more at www.seceon.com