The way ahead: Leverage log data for better insights into cyber threats

Building security programs focused on intelligence of risks and business risks will bolster resilience in a constantly shifting technology landscape

Updated: Dec 24, 2018 03:41:58 PM UTC
Image: Shutterstock

Gone are the days when organisations analysed logs with a focus on prevention rather than rapid detection and response. As detection delays and data breaches increased, they realised the importance of securing their information. Leveraging logs will only become more challenging.

Monitoring, handling and analysing security logs is a challenge for any organisation. Today, organisations not only face escalating risks but also the certainty that they will suffer an information security breach at some point if proper precautions are not taken. Standout examples of breaches that entered public consciousness in 2017 are the Equifax breach and the WannaCry ransomware attack. On average, 6,000 new computer security threats are announced each year, as many as 19 threats every day, as reported by CSO Online. The rate at which new threats appear makes it difficult to decide which ones require attention. Hence, companies have started to rely more on technology, over and above conventional security monitoring, to ensure that their landscape is secured.

Security information and event management (SIEM) systems and other consoles generate an overwhelming amount of data at an operational level. A huge opportunity lies ahead for chief technology officers (CTOs) to use these abundant logs, which hold valuable insights that would support data-driven recommendations across the entire security landscape. The long-term viability of a company can be severely damaged by the loss of vital or sensitive data, intellectual property or strategic corporate communications, or by threat actors who pass such information on to global competitors. Third-party breaches are becoming more common, and it is evident that any organisation's security is only as good as that of its extended network. Without a clear understanding of the threats faced by external stakeholders and partners, an organisation will not be able to completely secure the data of its employees and customers. Furthermore, lack of trust has started to have a real effect on businesses, and this will continue in 2018. A sharp focus on business structure, culture and risks will enable organisations to better safeguard the data essential to their survival and success. For many companies, this requires a fundamental transformation in how information security is understood within the business.

As organisations become familiar with probable threats and vulnerabilities, they will be able to establish both preventive measures and response activities to reduce the likelihood of successful attacks. Integrating analytics into various aspects of security operations can help map the threat landscape. The existing statistics-based approach can only detect anomalous behaviour, for instance higher-than-normal traffic between a server and a desktop, which can indicate a suspicious data dump. As machine learning (ML) algorithms mature with increasing historical information, predictive capabilities are uncovered, allowing management to make decisions based on historical precedent rather than intuition. Applying metrics analysis to threat-modelling capabilities, so that a threat actor's activities can be sub-categorised, makes it possible to deploy countermeasures at a granular level.
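The statistics-based detection described above, a per-host-pair volume baseline with a "higher-than-normal" check, is shown here as an added example; it is not code from the article or from EY. The flow-log format, the addresses and the byte counts are constructed for illustration, and the threshold (mean plus three standard deviations of the prior days, with a floored deviation) is an assumed choice rather than anything the article specifies. The example also handles two edge cases the paragraph does not mention: a pair with a perfectly flat history, which would otherwise divide by zero, and a pair seen for the first time, which has no baseline to score against and is reported separately.

```python
"""Statistics-based volume anomaly detection over per-day host-pair byte counts.

Added example (not from the article). Log format and all addresses are
constructed for illustration.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample data: one row per (day, src, dst) with total bytes sent.
# Day 7 is the "current" day being checked against days 1-6 as the baseline.
FLOW_LOG = """\
day,src,dst,bytes
1,10.0.0.5,10.0.1.20,1200000
2,10.0.0.5,10.0.1.20,1100000
3,10.0.0.5,10.0.1.20,1300000
4,10.0.0.5,10.0.1.20,1250000
5,10.0.0.5,10.0.1.20,1150000
6,10.0.0.5,10.0.1.20,1200000
7,10.0.0.5,10.0.1.20,9800000
1,10.0.0.5,10.0.1.21,500000
2,10.0.0.5,10.0.1.21,520000
3,10.0.0.5,10.0.1.21,480000
4,10.0.0.5,10.0.1.21,510000
5,10.0.0.5,10.0.1.21,490000
6,10.0.0.5,10.0.1.21,500000
7,10.0.0.5,10.0.1.21,505000
1,10.0.0.7,10.0.1.30,200000
2,10.0.0.7,10.0.1.30,200000
3,10.0.0.7,10.0.1.30,200000
4,10.0.0.7,10.0.1.30,200000
5,10.0.0.7,10.0.1.30,200000
6,10.0.0.7,10.0.1.30,200000
7,10.0.0.7,10.0.1.30,200000
7,10.0.2.9,10.0.1.20,300000
"""


def parse_flow_log(text):
    """Parse CSV rows into dicts with integer day and byte count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"day": int(row["day"]), "src": row["src"],
                     "dst": row["dst"], "bytes": int(row["bytes"])})
    return rows


def volumes_by_pair(rows):
    """Map each (src, dst) pair to {day: bytes}, summing rows for the same day."""
    pairs = defaultdict(lambda: defaultdict(int))
    for r in rows:
        pairs[(r["src"], r["dst"])][r["day"]] += r["bytes"]
    return pairs


def detect_volume_anomalies(rows, current_day, k=3.0, min_history=5):
    """Flag pairs whose current-day volume exceeds mean + k*std of prior days.

    Returns a list of findings. A pair with fewer than min_history prior days
    is reported as 'no_baseline' rather than scored, because a z-score over
    one or two points is meaningless; a first-seen server-to-desktop pair is
    itself worth an analyst's look.
    """
    findings = []
    for (src, dst), per_day in sorted(volumes_by_pair(rows).items()):
        if current_day not in per_day:
            continue
        observed = per_day[current_day]
        history = [v for d, v in per_day.items() if d < current_day]
        if len(history) < min_history:
            findings.append({"kind": "no_baseline", "src": src, "dst": dst,
                             "observed": observed, "history_days": len(history)})
            continue
        mean = statistics.mean(history)
        std = statistics.stdev(history)
        # Floor the deviation so a flat baseline (std == 0) does not divide by
        # zero or turn trivial jitter into a huge z-score. 5% of the mean is an
        # assumed floor; tune it to the environment.
        effective_std = max(std, 0.05 * mean, 1.0)
        z = (observed - mean) / effective_std
        if z > k:
            findings.append({"kind": "volume_spike", "src": src, "dst": dst,
                             "observed": observed, "baseline_mean": mean,
                             "zscore": round(z, 1)})
    return findings


if __name__ == "__main__":
    for finding in detect_volume_anomalies(parse_flow_log(FLOW_LOG), current_day=7):
        print(finding)
```

Run as a script, it flags the 10.0.0.5 to 10.0.1.20 pair on day 7 (roughly eight times its baseline) and reports 10.0.2.9 to 10.0.1.20 as a first-seen pair with no baseline, while the two steady pairs stay quiet. The same shape of check applies to any counter a SIEM already aggregates per entity and day (bytes, connection counts, failed logins), which is exactly the statistics-only detection the paragraph contrasts with the ML approaches that follow.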

Cybersecurity suppliers are innovating extensively to bring artificial intelligence (AI)-based cybersecurity products to market. Deep learning algorithms will help businesses detect malicious activity faster and stop attacks before they begin. Machines can be employed to monitor the network continuously in real time and correlate what they see across the multitude of events that occur every day.

Such a system is a virtual analyst that uses AI to detect suspicious activity and report it to human analysts, who identify the real attacks; their feedback is incorporated into the model for the next set of data.

Introducing customised analytics into the security landscape unearths the reasons behind threats and risks by correlating data from disparate sources. Customised interactive dashboards embedded with an analytics engine would process a high volume of unstructured data and also offer real-time insights on critical threats and incidents so that risk can be addressed. Analytics improves the transparency of network and control gaps. Machine learning (ML) approaches can assist in classifying traffic and detecting patterns previously observed with a particular piece of malware. ML algorithms help clients detect malicious activity faster, in near real time, before data is breached. Once activity is detected, the natural next step is to apply deep learning techniques to identify the anomalies in the incidents captured. This could enable CTOs and other stakeholders to make informed decisions, give data-driven recommendations and act on the insights. Building security programs focused on intelligence of risks and business risks will bolster resilience in a constantly shifting technology landscape.

(Views expressed are personal)

By N. Balaji, Partner-Advisory Services with inputs from Shankar Anand & Durgaprasad N, Seniors, at EY India

The thoughts and opinions shared here are of the author.
