The Catch-22 In Cyber Defense: More Isn't Always Better

The cyber security problem appears to be getting worse. But why?

By: Sam Harris, Teradata.

Call them what you will—bad actors, adversaries, cyber criminals or hackers—but more importantly, consider how their actions directly impact your cyber defense posture and the billions of dollars they cost businesses each year.

Today’s adversaries have evolved from hobbyists to professionals. They are well trained and well-funded, and run the gamut from social activists and state-sponsored operators to criminal syndicate members.

Just as adversaries have become more sophisticated, so have their tactics, techniques and procedures. Attacks used to be indiscriminate, like viruses in the wild spreading and replicating across any unprotected system they reached. Now they are targeted at specific firms, with the objective of stealing, encrypting or destroying data.

As a result, we are witnessing possibly the largest transfer of intellectual property of all time. Sometimes the data is never taken anywhere: it is encrypted in place and the decryption key is offered back to the victim for a price, which is extortion. For the adversaries it is simply business, and your data is the product for sale.

Security professionals used to be confident they could lock down their networks and keep intruders out. Now the working assumption is that intrusions are inevitable, and the burden is on defenders to detect and contain an attack before data is compromised.

Why existing approaches are letting us down

For many organizations, a Defense in Depth (or Layered Defense) strategy is standard operating procedure. It means deploying a series of controls: firewalls, anti-virus and malware detection, intrusion detection and prevention, data loss prevention, and so on.

The challenge is that adversaries have developed highly effective offensive techniques against what used to be highly effective defenses. Well-resourced groups run their own labs stocked with the same commercial security products defenders deploy, so they can test their malware and tooling for gaps in coverage and for evasion before using them against a target. The result is that they routinely pass through a defense-in-depth stack to reach data systems, much to the surprise of today's most sophisticated security professionals.

A common response to more sophisticated adversaries and less effective traditional defenses is to add more security tools, to increase the sensitivity of the tools already in place, or both. Far too often the result is a heavily instrumented network that generates a high volume of alerts for the security team to process, and turning up sensitivity also raises the false-positive rate, placing greater demand on staff. The logical next step would be to grow the security team, but today's shortage of qualified security professionals makes that option infeasible.

As the problem grows worse, businesses respond with greater force, which taxes existing staff and yields less effective security.

In effect, it’s a catch-22.

Breaking out of the catch-22

The good news for security professionals and executives who want to escape this conundrum is data, specifically big data analytics applied to the network itself. Network Behavior Analytics brings new data types and capabilities to the detection of advanced adversaries by analyzing the ground truth of network data: a record of who actually talked to whom, when, over which port, and how much was transferred.

Adversaries can blend into baseline network activity and cover their tracks on a compromised host by altering or deleting its logs. But they still have to enter the network and move from one machine to another, and every move is a connection that the network carries. Flow and packet records collected off-host, from a tap or span port, are outside an intruder's reach, so when they move they show themselves, at least in the data.

It is the difference between observing a conversation first hand and processing someone's second-hand recollection of it, which can be far less accurate. In this context the conversation is one machine on your network acting in a client role talking to another acting in a server role.

Traditional defenses typically work with log data: a representation of what happened, written by software on the host, like a second-hand recollection. Big data solutions for cyber security work with the network data itself, which is as close as a defender gets to observing the conversation directly. The payload may be encrypted, but the metadata of the conversation (endpoints, port, timing, volume) is still there, and unlike a host log it cannot be edited by whoever controls the endpoint.
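To make the idea concrete, here is an added example of the kind of network behaviour analysis described above. It is written for this edit and is not code from the article or from Teradata. It learns a baseline of client-to-server conversations from flow records and then flags flows in a later window that break that baseline: a conversation never seen before, a host that only ever acted as a client suddenly answering as a server (the typical shape of lateral movement), and a transfer far larger than the pair's history. The flow records are constructed inline in a NetFlow-like shape, and the three rules, the z-score threshold and the addresses are illustrative assumptions.

```python
"""Added example: baseline-and-deviation analysis over constructed flow records.

Assumptions (not from the article): a NetFlow-like record shape, a fixed
z-score threshold, and three illustrative detection rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record as a tap or span port would see it: who initiated a connection to whom."""
    ts: int         # start time, seconds since epoch
    src: str        # initiator (client role)
    dst: str        # responder (server role)
    dport: int      # destination port
    bytes_out: int  # bytes sent by the initiator


def build_baseline(flows):
    """Learn which (client, server, port) conversations are normal and how large they usually are."""
    pairs = defaultdict(list)          # (src, dst, dport) -> [bytes_out, ...]
    initiators, responders = set(), set()
    for f in flows:
        pairs[(f.src, f.dst, f.dport)].append(f.bytes_out)
        initiators.add(f.src)
        responders.add(f.dst)
    return {"pairs": dict(pairs), "initiators": initiators, "responders": responders}


def detect(flows, baseline, z=3.0):
    """Return (reason, flow) tuples for flows that break the learned baseline."""
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.dport)
        history = baseline["pairs"].get(key)
        if history is None:
            alerts.append(("new_conversation", f))
            # A host that was only ever a client now answering as a server is the
            # classic lateral-movement shape (e.g. workstation-to-workstation SMB).
            if f.dst in baseline["initiators"] and f.dst not in baseline["responders"]:
                alerts.append(("client_became_server", f))
            continue
        mu, sigma = mean(history), pstdev(history)
        # Flag transfers far above this pair's norm; floor sigma so a constant
        # history does not make every tiny change an alert.
        if f.bytes_out > mu + z * max(sigma, 1.0):
            alerts.append(("volume_anomaly", f))
    return alerts


# Constructed baseline traffic (not real data): two workstations use a file
# server over SMB, and one of them also uses a web proxy.
T0 = 1_700_000_000
BASELINE_FLOWS = (
    [Flow(T0 + i * 300, "10.0.1.10", "10.0.2.5", 445, 4_000 + (i % 5) * 100) for i in range(20)]
    + [Flow(T0 + i * 300, "10.0.1.11", "10.0.2.5", 445, 3_000 + (i % 5) * 100) for i in range(20)]
    + [Flow(T0 + i * 120, "10.0.1.10", "10.0.2.8", 3128, 2_000 + (i % 4) * 250) for i in range(20)]
)

# Constructed observation window: one normal flow, then an intruder on 10.0.1.10
# pivoting to a peer workstation over SMB and pushing a large upload through the proxy.
WINDOW_FLOWS = [
    Flow(T0 + 7_000, "10.0.1.10", "10.0.2.5", 445, 4_100),
    Flow(T0 + 7_060, "10.0.1.10", "10.0.1.11", 445, 9_000),
    Flow(T0 + 7_120, "10.0.1.10", "10.0.2.8", 3128, 52_000_000),
]


def run_example():
    """Run detection on the constructed window; returns (reason, src, dst, dport) per alert."""
    baseline = build_baseline(BASELINE_FLOWS)
    return [(r, f.src, f.dst, f.dport) for r, f in detect(WINDOW_FLOWS, baseline)]


if __name__ == "__main__":
    for reason, src, dst, dport in run_example():
        print(f"{reason:22s} {src} -> {dst}:{dport}")
```

The point of the example is where the evidence lives: the intruder can clear the event log on 10.0.1.10, but the SMB connection it opened to 10.0.1.11 and the 52 MB it pushed through the proxy were recorded off-host, from the traffic itself, and nothing on the compromised machine can retract them. In practice the baseline would be learned over days or weeks and re-learned continuously, and each rule would be tuned against the false-positive rate the team can actually sustain.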

Yes, adversaries have become more sophisticated, but so have the tools and technologies that defend against them. Turn the tables on intruders and raise your cyber defense posture: by applying big data analytics to captured network data, you can protect your most important data assets with greater confidence.