IT Security: Detection Doesn’t Equal Protection
By Bob Noel
For too long, the sole emphasis of security vendors in the cybersecurity industry has been on detection. Once the attack has been reported to the end user, it seems the job is done. The next steps—the complex task of investigating and actually solving the problem—then lie with the security operations center (SOC).
Since the introduction and subsequent buzz around artificial intelligence (AI) and machine learning (ML), this “detection drum” has been beaten louder and more vigorously by marketing departments than ever before. But in today’s complex cybersecurity climate, detection-focused technologies and AI are not the panaceas that many vendors profess them to be. As an industry, we need to revise our approach and fast.
To do so, it’s important to understand the foundation of the industry’s current perspective. In large part, the focus on detection has intensified through the preoccupation with AI and its perceived essentiality to modern security. What is missing from the discussion, however, is what AI actually does and does not do. Detecting an attack vector and sounding the alarm is only the first step. What happens after that is what will count the most.
The View Into a Cyberattack
What is required is context for efficient analysis. Without it, the two-legged stool that is the current model of detection and prevention will continue to fall over. For it to stand up and create a system of sustainable threat detection and response, an all-important third leg needs to be added: contextual data for forensic investigation.
It is important to point out that these factors are paramount in creating a responsive cybersecurity system. Those cybersecurity vendors that engage purely in detection create a wealth of data for customers, and they are right to highlight its importance. But for an effective security investigation to take place, historical data also must provide rich context. Although security information and event management (SIEM) excels at aggregating alarms and alerts, this solution lacks that context.
In most cases, the SIEM simply provides a timestamp, an IP address and a reason that the event has been flagged. A security analyst is then expected to take this meager information and manually figure out the problem through disparate platforms and tools, a time-consuming and inefficient process that can prove damaging to productivity, continuity and the wider safety of the organization.
The historical data and context needed for investigation must be provided by something other than the SIEM. Platforms that perform network traffic analysis through the collection of metadata collected from the existing network infrastructure are needed. Effective investigation requires the ability to answer questions such as: When did that conversation take place? What application and protocol were used for this conversation? What DNS information is associated with that traffic? What SSL details were associated with it? In the same way that a police detective is more likely to solve a case by building a story of what happened with input from various witnesses, a SOC analyst can make a more swift and accurate decision with more information at their disposal.
Detecting, Not Protecting
As well as their shortfalls, pure detection security vendors also have their pitfalls. Although they claim to harness the powers of AI and ML to help combat the cybersecurity skills gap by detecting incidents better than the security team, the opposite is often true. Most AI and ML vendor solutions apply algorithms broadly across all network communications, rather than focusing on specific use cases. When this is the approach, what actually happens is that false-positive alerts are generated on all kinds of anomalous, but harmless behaviors. Without informing analysts of the root cause or source of a given behavior, they have to dedicate time to investigating its severity, which wastes valuable time, money and resources. By decreasing productivity and return of staff investment, the skills gap is exacerbated rather than reduced.
Nobody is denying the importance of detection to security. Without it, organizations and users would not know there was an incident taking place within their network that needed resolving. But tantamount to knowing that something is happening, is understanding what is happening. Without this knowledge, security teams can’t operate with the necessary efficiency, which is required in this climate of escalating cyberattacks. Rather than relying on hyped AI and ML products that generate high volumes of anomalous yet harmless alerts or unilaterally relying on SIEM, which consolidates logs but doesn’t consolidate context, these alerts need to be augmented with contextual data to reveal a complete picture of a cyberattack.
Unifying security applications and combining them with contextual metadata allows IT teams to have a clear view of all parts of the network to detect network compromise, malware movement, and any command and control communication. This provides the fastest way for SOC analysts to determine not only the severity of a cyberattack underway but also the best way to stop and mitigate the attack. In the case of a cyberattack, time is money and reputation, and the only way to limit the damages is to implement a security system that offers defense-in-depth at every level from start to finish.