The coming shift in security
 Vendors continue to trumpet new platforms as the best way to improve enterprise-level security. Flashy spinning visualizations, added scalability and the meaningless “next-gen SIEM” or “SIEM 2.0” monikers adorn vendor websites. Big data platforms and upgraded databases provide searchable storage to help security analysts find the root cause for security incidents, provided they know what these incidents are and where to find them.
As of December 15, 2014, there have been more than 700 data breaches and more than 500 million records compromised in 2014, spread across the business and government sectors. One could argue that security has been starved for budget dollars for a long time, and that dollar deficit has finally caught up with the industry. Attackers have become more nimble and innovative, yet security team and technology budget growth is slight, and new solution purchases are outdated three to five years after they are deployed.
In addition, many IT services users are still unable to identify an oddly constructed URL or a suspicious email sender address, making basic phishing scams immensely successful. Security awareness programs only get you so far. As P.T. Barnum so accurately put it, “There’s a sucker born every minute.”
According to Cisco’s “2014 Annual Security Report,” “The past year has seen organizations of all types struggling to understand how to embrace innovation without creating new security gaps or widening known ones.” The report goes on to project a 500,000- to 1 million-person global shortage in the number of IT security professionals that public and private sector organizations will need to cope with the security challenges of the foreseeable future.
Intelligence is hard to come by
After the JPMorgan Chase data breach occurred, there was a proclamation that the firm would double its cybersecurity budget and substantially increase the number of staff. While this may offer peace of mind for Chase customers, the downstream impact of a massive increase in staff has some interesting short-term repercussions.
The new hires added to the team will mostly come straight out of college with little real-world cybersecurity experience. They will be pushing most of what they find up to more experienced tier-two or tier-three staff, adding more work to an already overworked team. A more focused approach would be to add only strategic new hires, accompanied by solutions that simplify the complexities of threat investigation. This isn’t a problem that an organization should throw money at without a real strategy.
So how does an organization apply the right mix of dollars, staff and strategy to the problem of finding attackers who are accessing systems using stolen, valid credentials?
User behavior intelligence solutions that perform stateful user tracking and user session assembly offer the best chance for detecting the attacker in the phases of the attack chain after initial compromise, but pre-data breach. This phase of the attack is where the lack of attack visibility is the most problematic. User behavior intelligence solutions are focused on credential use, learning user credential behaviors and can surface attacker behaviors from an ocean of seemingly normal user activities.
These solutions learn normal user credential use behaviors and characteristics, and can learn the difference between a normal user and an attacker. The term “intelligence” in “user behavior intelligence” means the solution solves this visibility problem with little or no user interaction. Compared with an insights-based platform that requires a user to craft his or her own data queries and pivot across multiple data types (an action that can take hours or days), it is a simpler solution that yields value more quickly. Intelligence means providing more than just insight: rather than leaving the user with an out-of-context sliver of the attack, the solution assembles the entire attack chain of events surrounding that sliver on behalf of the user.
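As an added illustration of the stateful user tracking and session assembly described above (this is not code from the article or from any vendor product), the following Python sketch assembles per-credential sessions from authentication events, learns a baseline from a history window and flags later sessions that deviate from it. The users, hosts, timestamps and log format are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample events (not from the article): "<ISO time> <user> <host> <action>".
# HISTORY is the learning window for the credential, NEW is the window under review.
HISTORY = """2014-12-01T09:02:00 alice ws-alice login
2014-12-01T09:15:00 alice fs01 share_access
2014-12-01T16:50:00 alice ws-alice logout"""
NEW = """2014-12-15T02:40:00 alice vpn-gw login
2014-12-15T02:43:00 alice fs02 share_access
2014-12-15T02:45:00 alice db01 share_access
2014-12-15T09:00:00 alice ws-alice login
2014-12-15T09:30:00 alice fs01 share_access"""

def assemble_sessions(text):
    # Stateful tracking: a login opens a session for that credential; later events join it until a logout.
    events = sorted((datetime.fromisoformat(t), u, h, a) for t, u, h, a in map(str.split, text.splitlines()))
    open_s, sessions = {}, defaultdict(list)
    for ev in events:
        user, action = ev[1], ev[3]
        if action == "login" or user not in open_s:
            open_s[user] = [ev]
            sessions[user].append(open_s[user])
        else:
            open_s[user].append(ev)
        if action == "logout":
            open_s.pop(user)
    return sessions

def find_suspicious_sessions(history_text, new_text):
    # Learn, per credential, the hosts ever used, the usual hour window and the max
    # number of distinct hosts in one session; then flag NEW sessions that deviate.
    base = {}
    for user, sess in assemble_sessions(history_text).items():
        hours = [ev[0].hour for s in sess for ev in s]
        base[user] = ({ev[2] for s in sess for ev in s}, (min(hours), max(hours)),
                      max(len({ev[2] for ev in s}) for s in sess))
    flagged = []
    for user, sess in assemble_sessions(new_text).items():
        for s in sess:
            hosts, (lo, hi), max_fanout = base.get(user, (set(), (0, 23), 0))
            seen, reasons = {ev[2] for ev in s}, []
            if seen - hosts:
                reasons.append("never-seen hosts: " + ", ".join(sorted(seen - hosts)))
            if any(not lo <= ev[0].hour <= hi for ev in s):
                reasons.append(f"activity outside the usual {lo:02d}-{hi:02d}h window")
            if len(seen) > max_fanout:
                reasons.append(f"touched {len(seen)} hosts, baseline max is {max_fanout}")
            if reasons:
                flagged.append((user, s[0][0].isoformat(), reasons))
    return flagged
```

Run against the constructed data, only the 02:40 session is reported, with all three deviations listed, while the normal working-hours session on the same credential is left alone.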
The skills shortage in the short run is already acute, and universities, community colleges and even high schools are trying to pick up the pace of providing a trained cybersecurity workforce. The average salary of the security analyst continues to increase as the need for experienced professionals increases. However, without a user behavior intelligence solution (not another platform) that addresses the problem by providing intelligence (not just insight), pushing money at the problem will not equal a real strategy and may cause a lot of short-term pain.
