Organizations of all sizes continue to experience data breaches – even after deploying the latest and greatest network firewalls and endpoint protection software. Last year, organizations saw an average of $3.6 million in damage costs.
With so much at stake, it raises the question of why high-profile breaches continue to occur and what can be done to mitigate the damage caused by them.
The earlier you can detect a cyber-attack, the higher the probability of preventing data breaches. So what is preventing that early detection?
Current challenges
Organizations need to embrace the pervasive deployment of breach detection systems that serve as early warning systems; however, this is difficult to achieve.
Most network environments today consist of a multitude of new technologies. Today, infrastructures have a mixture of public clouds, private clouds, virtual and physical systems and leverage technologies like AWS, Azure, VMWare, KVM, and Docker containers.
Gone are the days when a network infrastructure consisted of static data centers with racks of single-purpose servers: hybrid has become the new norm. With this modern infrastructure, most organizations do not have pervasive visibility, primarily because legacy security tools do not work with these new technologies.
For example, if an organization has chosen to deploy Docker containers, but lacks security monitoring of these workloads, then a new blind spot would have been created and it will only be a matter of time before a hacker tries to exploit this weak link.
Many solutions in the market only collect network traffic data and as a result have a network-centric view of breaches. Consider a breach in which someone gains access to user credentials on a server and executes commands on that server – machine learning applied to a network traffic dataset will obviously miss activity that takes place on the server itself.
A solution that not only has network data but server data, user data, and application data will be better prepared to find breach events because the dataset is more complete.
In essence, the only way to stop a breach is to detect it before it progresses and causes damage. The only effective way is to collect vast amounts and types of data from every aspect of an infrastructure and automate the investigation of security events.
Information must be collected from many different sources such as networks, servers, users, and applications across a variety of environments (AWS, KVM, VMWare, Azure, Docker, etc.) and the data must be enriched (e.g. adding geo-location information and IP reputation to simple IP addresses from the log), indexed, and processed to be able to analyze things such as recon, command-and-control, and brute force activities.
To top it all off, we need to do all this much faster than today’s average breach detection time of 200 days.
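To make the collect-enrich-analyze pipeline described above concrete, here is an added example (not code from the original article) that parses constructed sshd-style server log lines, enriches each source IP with geo-location and reputation fields from constructed lookup tables standing in for real feeds, and flags brute-force activity; the sample log lines, the GEO and REPUTATION tables and the threshold of five failures are all assumptions for illustration.

```python
# Added example: enrich server auth log lines and detect brute-force activity.
from collections import defaultdict
import re

# Constructed sample sshd log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
Jan 10 03:12:01 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:12:03 web01 sshd[1001]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Jan 10 03:12:05 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 03:12:08 web01 sshd[1001]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jan 10 03:12:09 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 03:15:40 web01 sshd[1002]: Accepted publickey for deploy from 198.51.100.20 port 40100 ssh2
Jan 10 03:16:02 web01 sshd[1003]: Failed password for deploy from 198.51.100.20 port 40101 ssh2
"""

# Constructed enrichment tables standing in for geo-location and IP-reputation feeds.
GEO = {"203.0.113.7": "ZZ", "198.51.100.20": "US"}
REPUTATION = {"203.0.113.7": "known-scanner"}

LINE_RE = re.compile(r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_and_enrich(log_text):
    """Parse each sshd line into an event and attach geo and reputation fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line, skipped
        ev = m.groupdict()
        ev["geo"] = GEO.get(ev["ip"], "unknown")
        ev["reputation"] = REPUTATION.get(ev["ip"], "none")
        events.append(ev)
    return events

def detect_brute_force(events, threshold=5):
    """Flag source IPs with at least `threshold` failed logins, with enrichment attached."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            users[ev["ip"]].add(ev["user"])
    alerts = []
    for ip, count in failures.items():
        if count >= threshold:
            alerts.append({"ip": ip, "failures": count, "usernames": sorted(users[ip]),
                           "geo": GEO.get(ip, "unknown"), "reputation": REPUTATION.get(ip, "none")})
    return alerts
```

Running `detect_brute_force(parse_and_enrich(SAMPLE_LOG))` yields one alert for 203.0.113.7 carrying its geo and reputation tags, while the single failed login from the legitimate deploy host stays below the threshold.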
The massive collection of data and plethora of potential weak links across entire networks may seem daunting. But savvy companies leveraging the right partners and tools to effectively and efficiently combine big data and the application of AI and machine learning will ultimately benefit and thrive.