security aspects. In other words, behaviour is not uni-dimensional. Taking in all of this detail is best accomplished through machine learning; otherwise it is an enormous task and easy to get wrong.

Once a baseline of user and device behaviour has been established, the network should be continuously monitored for any significant differences or anomalies. The undertaking does not end there, or it will likely result in the typical flood of security alerts that buries most security and IT groups. Fidelity is essential: only those anomalies that are indicative of an attack should be flagged and issued as an alert. Traditional security systems may alert on actual attacker activity, but it is likely buried under a flurry of other alerts that are generally false positives. Finding a meaningful alert in that scenario is a matter of sheer luck.
Needle in the haystack
Traditional security systems commonly produce 500 or 1,000 daily alerts, or more. Of these, only a very small number might be meaningful. This is essentially the needle in the haystack problem. It is remedied only through an alerting system that is driven by behaviours rather than technical artefacts, and one that further understands an activity as a part of an orchestrated campaign being run by an attacker.

A major boost to accuracy is the ability to see ‘the wood for the trees’. A tree by itself may not yield much significance, yet a number of trees that all have related activities may signal some malicious operation.
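As an added illustration of the ‘wood for the trees’ idea (example code written for this page, not from the article or any product it describes), the following Python links already-scored anomalies that share a user or host within a time window and raises a single campaign alert only when the chain spans several hosts and several activity types; the sample anomalies, thresholds and field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

@dataclass(frozen=True)
class Anomaly:
    """One deviation from the behaviour baseline, already scored upstream (constructed fields)."""
    when: datetime
    user: str
    host: str
    kind: str  # e.g. "unusual_login", "lateral_smb", "bulk_egress"

# Constructed sample anomalies, not real telemetry: a chain of related deviations
# across two hosts plus two isolated oddities that should stay below the alert bar.
SAMPLE = [
    Anomaly(datetime(2024, 1, 1, 9, 0), "alice", "ws-01", "unusual_login"),
    Anomaly(datetime(2024, 1, 1, 9, 20), "alice", "ws-01", "lateral_smb"),
    Anomaly(datetime(2024, 1, 1, 9, 45), "svc-backup", "ws-01", "new_admin_session"),
    Anomaly(datetime(2024, 1, 1, 10, 5), "svc-backup", "db-07", "unusual_login"),
    Anomaly(datetime(2024, 1, 1, 10, 30), "svc-backup", "db-07", "bulk_egress"),
    Anomaly(datetime(2024, 1, 1, 14, 0), "bob", "ws-22", "unusual_login"),       # isolated
    Anomaly(datetime(2024, 1, 2, 3, 0), "carol", "ws-31", "off_hours_access"),  # isolated
]

def correlate(anoms: List[Anomaly], window: timedelta = timedelta(hours=2),
              min_hosts: int = 2, min_kinds: int = 3) -> List[Set[Anomaly]]:
    """Chain anomalies sharing a user or host within `window`; keep only campaign-sized chains."""
    ordered = sorted(anoms, key=lambda a: a.when)
    parent = list(range(len(ordered)))          # union-find over anomaly indices
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]       # path halving
            i = parent[i]
        return i
    for i, a in enumerate(ordered):
        for j in range(i + 1, len(ordered)):
            b = ordered[j]
            if b.when - a.when > window:
                break                            # sorted, so nothing later is within the window
            if a.user == b.user or a.host == b.host:
                parent[find(i)] = find(j)        # shared entity: link the two deviations
    chains: Dict[int, Set[Anomaly]] = {}
    for i, a in enumerate(ordered):
        chains.setdefault(find(i), set()).add(a)
    # A lone tree is not an alert; a chain wide in hosts and varied in activity is a campaign.
    return [c for c in chains.values()
            if len({a.host for a in c}) >= min_hosts and len({a.kind for a in c}) >= min_kinds]
```

On the sample data this yields one campaign covering ws-01 and db-07 while the two isolated anomalies produce no alert.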
Finally, it is vital to cover the likely attack surface. For the most part this means looking deeply at what users and endpoints are doing. It is essential to see traffic between users and data centres, regardless of whether it is an on-premises data centre under your own management, a private cloud data centre or one hosted in the public cloud. Having visibility only into some data centres inherently creates severe limitations to the ability to uncover an active attack. It is also helpful to see the traffic within a data centre. In this regard, network security and data centre security go hand in hand and are really the same when it comes to detecting attackers.
Make no mistake, data centres are under attack. Traditional security has failed miserably in thwarting a data breach, and attackers have held a decisive advantage. It’s time to turn the tables on these attackers and regain control of our data centres.