Sorting through the data glut: CISOs fine-tune their screens
June 21, 2016
Three years ago, it seemed like every booth at the annual RSA Conference was selling data on potential cybersecurity threats, says Matt McCormack, chief information security officer at EMC Corp’s security division.
Two years ago, he said, it seemed everyone was selling ways to filter all that data.
“You saw lots of companies go out (selling threat data). They were really flying high for a few years,” said McCormack. “You got to the point that it just became ubiquitous.”
Today there’s a glut of data on the latest threats to network security, and companies are left figuring out how to manage it all while making sure the actionable ones aren’t lost amid all the noise. Lee Weiner, chief product officer at Boston-based Rapid7, says his company estimates any given employee generates about 100,000 pieces of data per day.
“The question is, how can I really assess risk and protect the network? There are millions of different ways to get into a system. An attacker only needs one door,” said Weiner.
Interviews with several local organizations uncovered a variety of ways that CISOs are battling the barrage of information they encounter, from using cyber-attack attack models, to leveraging internal data, to assessing the characteristics of incoming communication.
Fighting ‘security amnesia’
Peter Tran, general manager and senior director at RSA, calls the problem “security amnesia.”
“There is such a volume of data that you can’t digest it all,” he said. “When security amnesia hits the organization because of sheer volume, you just want to get through it. You’re not learning from it.”
The ideal approach, he says, is to automate as much of the noise as possible so that people can focus on the unseen and unusual threats. Some threats are easy to detect and disable. For example, says Tran, two log-in attempts five minutes apart but from IP addresses thousands of miles away is an easy situation to block with an automated rule. Other red flags include users suddenly accessing different data than usual.
Larry Wilson, the CISO for the entire UMass system, says there’s no way to keep up with the 350,000 new variants of malware being created every day. “It’s game over. Forget it,” he said.
Instead, he focuses on models like the Cyber Kill Chain by Lockheed Martin, a seven-step framework used to identify and disable any type of cyber attack. Other such models are in the works, and Wilson says the more threat data that comes into a network, the better. All of it can be used to constantly validate or update the models.
New domains pose threats
One way to sort through the glut of data threats is by analyzing the length of time a domain has been active, said Mounil Patel, principal sales engineer for cloud-based email services firm, Mimecast.
“A lot of new attacks are coming from email domains that have only existed for a short amount of time,” he said. A new domain circumvents security methods based on blocking domains from which past threats have originated, but flagging newly-created domains helps block one common source of danger, he said. Another example has to do with how email attachments (like PDFs) behave when opened. A file gets a new fingerprint every time it’s saved, making it hard to scan for a known virus, but you can design an analytics program to see what happens when you open one up, Patel said.
McCormack, from RSA, says big data can be used to monitor employee behavior with so-called “predictive analytics.” That method of honing in on potential security threats by monitoring user behavior has been used for years by government organizations, but is new to commercial enterprises, he said.
One goal of all these approaches, he said, is to cut down the amount of threat data that needs to be processed by prioritizing which data correlates to a real threat.
“The best way to find a needle in a haystack is to add less hay,” he said.
Of course, there also is critical intelligence available through the Advanced Cyber Security Center’s Cyber Tuesdays gatherings, where members have a chance to learn from others and receive help sorting through the wheat from the chaff in terms of isolating the most pressing threats. For more information about Cyber Tuesdays, contact Christine Leblanc of the ACSC at firstname.lastname@example.org.