This interview is an excerpt from our recent guide, The Future of Cybersecurity, which examines 15 trends transforming the way government safeguards information and technology.
It is no longer a given that a network is safe and secure. Security professionals used to be able to sleep at night knowing their networks were virtually impenetrable. But today, adversaries have become more sophisticated, as have their tools and techniques. Motivated hackers will bypass individual security systems and break into your network. It is impossible to keep them out.
To combat those threats, many agencies are increasing the number of security tools they deploy across their network to create a layered defense strategy. While that strategy creates more alerts, Sam Harris, Director of Enterprise Risk Management at Teradata, a best-in-class analytics solutions provider, said it’s actually the wrong way to truly achieve cybersecurity with constrained resources.
“It’s a catch-22,” Harris said. “[To increase security], you get more tools. But if you have more tools, you get more alerts and many of those are false positives. As you get more alerts, that overwhelms your people, but you can’t get more people because there’s a shortage. Then you’re back at the beginning of your circle of not being secure.”
Thankfully, Harris offered an alternative strategy to secure agencies without increasing network complexity or the workload of cyber staff. “Big data analytics is the path out of that conundrum,” he said.
Before taking that path, Harris said it’s important to understand what true data analytics entails. “Many people will suggest that they are providing analytics when they’re really referring to something like summary statistics,” he said.
Instead, Teradata defines big data analytics as the ability to compile large and diverse data sets in an integrated fashion, and then apply algorithms to that data to find relationships that aren’t evident otherwise. This ability to automatically determine relationships between separate alerts is key to breaking the cycle of increasing alerts without increasing security.
Harris offered an example of how correlated alerts can make sense of the noise: “You may have an alert from your firewall… and then, maybe you receive an alert from your anti-virus software. By itself, it may not look very important, so you decide no action is required. But if you were able to see the alert from the firewall in the context of a simultaneous alert from your anti-virus software, you might think, ‘You know what, there’s a relationship here.’ Seeing the two together changes ‘Oh, that’s not very interesting’ to ‘Oh my goodness, this is something that we need to take action on immediately.’”
These correlated alerts provide more information to make quick decisions. “If you can provide more contextual information, the security professional can triage [the alert] more quickly,” Harris said. “You’re creating an environment where they can actually evaluate more alerts, more quickly in a given work period.”
In addition to prioritizing alerts, data analytics can also be used to better detect intrusions within the network. “The game has changed from defending the network to keep people out, to defending the network with the understanding that some adversaries are going to get in,” Harris said. “You need to find [attackers] and kick them out before they’re able to either exfiltrate data or damage systems.”
Data analytics allows cyber professionals to monitor and compare traffic within the network. This is the key to identifying hackers who have already breached a system.
“Today, [hackers] know how to design their malware to evade the protections from individual systems,” explained Harris. “Then they are able to enter your network and move around.”
But true analytics can monitor traffic between different tools, comparing activity at the point of entry to other parts of your network. When a mismatch occurs, analysts are alerted to a potential intrusion, even though the hacker initially entered the network undetected.
What’s more, this correlated alert is produced without adding new security tools to your infrastructure. “What happens is you actually make old, existing tools more effective,” said Harris. That means that cybersecurity professionals have fewer technologies to monitor and maintain, even as they triage more security alerts.
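The two ideas Harris describes above, escalating an alert when a second tool fires on the same host at about the same time, and flagging a host whose external entry is followed by unusual internal activity, can be shown with a small correlation routine. The following is an added illustration written for this page; it is not Teradata’s platform or anything from the interview. The sensor names (`firewall`, `antivirus`, `netflow`), the hostnames, the alert records and the five-minute window are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str   # hypothetical sensor names: "firewall", "antivirus", "netflow"
    host: str     # internal host the alert concerns
    detail: str


# Constructed sample alerts; not real telemetry.
SAMPLE_ALERTS = [
    Alert(datetime(2020, 1, 1, 9, 0, 5), "firewall", "ws-17", "inbound allow from 203.0.113.9 tcp/443"),
    Alert(datetime(2020, 1, 1, 9, 0, 40), "antivirus", "ws-17", "heuristic detection, file quarantined"),
    Alert(datetime(2020, 1, 1, 9, 3, 10), "netflow", "ws-17", "smb connections to 12 internal hosts"),
    Alert(datetime(2020, 1, 1, 10, 0, 0), "firewall", "ws-09", "inbound allow from 198.51.100.7 tcp/443"),
    Alert(datetime(2020, 1, 1, 10, 2, 0), "antivirus", "ws-09", "heuristic detection, file quarantined"),
    Alert(datetime(2020, 1, 1, 11, 15, 0), "antivirus", "ws-04", "heuristic detection, file quarantined"),
    Alert(datetime(2020, 1, 1, 14, 2, 0), "firewall", "ws-22", "inbound allow from 198.51.100.7 tcp/22"),
    Alert(datetime(2020, 1, 1, 14, 30, 0), "antivirus", "ws-22", "heuristic detection, file quarantined"),
]


def cluster_by_host(alerts, window):
    """Sort alerts by time and group, per host, those that fall within
    `window` of the first alert in the cluster. Each cluster is what an
    analyst would look at together instead of one alert at a time."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    clusters = []
    for items in by_host.values():
        current = [items[0]]
        for a in items[1:]:
            if a.ts - current[0].ts <= window:
                current.append(a)
            else:
                clusters.append(current)
                current = [a]
        clusters.append(current)
    return clusters


def assess(cluster):
    """Rate a cluster: an external entry alert followed by internal
    fan-out is 'critical', two independent tools agreeing is 'high',
    a single tool on its own stays 'low' (Harris's 'not very interesting')."""
    sources = {a.source for a in cluster}
    entry_then_internal = any(
        f.source == "firewall" and n.source == "netflow" and f.ts < n.ts
        for f in cluster for n in cluster
    )
    if entry_then_internal:
        severity = "critical"
    elif len(sources) >= 2:
        severity = "high"
    else:
        severity = "low"
    return {
        "host": cluster[0].host,
        "start": cluster[0].ts,
        "sources": sorted(sources),
        "severity": severity,
    }


def triage(alerts, window=timedelta(minutes=5)):
    """Return findings ordered so the analyst sees the strongest
    correlations first, then by time of first alert."""
    order = {"critical": 0, "high": 1, "low": 2}
    findings = [assess(c) for c in cluster_by_host(alerts, window)]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["start"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f["severity"].upper(), f["host"], f["start"].time(), ",".join(f["sources"]))
```

Run as a script it lists ws-17 first (firewall, antivirus and netflow all fired within three minutes), ws-09 second (two tools agree), and the three single-tool clusters last; the same alert volume is presented as five findings in priority order rather than eight independent items. The window and severity rules are deliberately simple so that the correlation logic, not the thresholds, is what the example shows.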
Finally, Harris stressed that these cybersecurity experts don’t have to be data scientists to reap the benefits of a data analytics security tool. Teradata’s platform “allows data scientists to develop and then push their algorithm into an environment, where security professionals can simply pick it up, point it at a data set, and launch it.”
“What we’re talking about is bringing quantitative capabilities and applying them to the security business problem,” concluded Harris. “Big data analytics paired with security professionals can trump the concept of adding new tools that simply produce more alerts and greater false positives.”