Cybereason Blog | Cybersecurity News and Analysis

Data Breaches: Blame Lack of Context

Written by Lital Asher-Dotan | Nov 3, 2014 7:06:49 PM

"Security teams are struggling in today's security environment. Blinded by the excessive alerts produced by the numerous security solutions they use, they lack context to do their daily job." Lior Div, featured in Forbes.

Cybersecurity teams are now, more than ever, under great pressure due to an increased likelihood that their organization will be breached. It is not surprising that 57% of security experts expect their organizations to be compromised within the next year. As the news about cyber-attacks becomes the sad "who's next?" water cooler discussion, it has become a well-known reality that even the most extensively protected organizations will be victims of complex hacking operations.

Even though enterprises spend millions of dollars on cybersecurity protection and detection solutions, the average breach goes undetected for 229 days. Moreover, once an incident is discovered, it usually takes another month for security to investigate the overall damage and magnitude of the cyber-attack. This significantly prolongs response time and led to a devastating average breach cost of 3.5 million for businesses in 2014.

The main reason why security fails to successfully battle complex hacking operations is not a lack of competency or negligence, as some may think. In reality, it is because security teams desperately lack context. Security teams are blinded by thousands of security alerts a day from their various security tools, and even the most sophisticated teams are unable to comprehend an attack because most security solutions cannot produce cohesive alerts.

When the Human Factor Fails

Because security tools produce a large number of unwarranted alerts, security teams must investigate them manually: meticulously weed out false alerts and connect isolated malicious activities in order to reveal an attack. In an ideal world, with an abundance of highly skilled security experts, the need for manual investigation would be less detrimental. In practice, this security paradigm significantly weakens your defence for several reasons:

Isolated Alerting = Limited Remediation

Because traditional security systems alert on individual events, security teams also remediate isolated issues, without taking historical evidence into consideration. For instance, IT will be alerted about a virus on a single endpoint and will then clean that endpoint. However, they cannot tell whether an employee accidentally brought the virus in from working at home or someone downloaded it from an email. Traditional tools cannot reveal whether the alert was a localized event or part of a far more dangerous hacking operation. The inability to see individual events as part of something larger makes it very difficult for security teams to detect and remediate a cyber attack, giving hackers a serious time advantage.

Alert Blindness

Commonly, security solutions rely on indicators of compromise as triggers for an alert. These IOCs are based on very rigid predefined rules. For example, an alert will be produced when there are multiple failed login attempts, but because security solutions cannot automatically judge an alert by examining other evidence, a large number of alerts are produced, many of them false. 56% of organizations say they are concerned that their security tools produce too many false positives. This challenge leaves security feeling rightfully uneasy, never sure whether they have fixed the problem or missed something along the way.

Out of Context, Out of Touch

Recent research reveals that 69% of organizations say their security tools do not provide enough context for them to understand their risk. Because many security tools focus only on individual events rather than the entire IT environment, cyber attacks can go undetected for long periods of time. The key is to see a hacker's every move, and this can only be achieved with a wide visibility scope and a tool that automatically connects isolated events into a more accurate picture for security to digest. Tools that bring in context let you tell whether multiple security alerts came from the same source, what circumstances led to the alert, and how end-user activity relates to malicious actions.

Automated Context: Relieving the Burden of Investigation

Advances in big data analytics and machine learning have the power to change the current security paradigm. Applied to security, big data analytics will eliminate the need for manual investigation and provide a more holistic approach in the battle against sophisticated cyber attacks. This type of technology gains context by monitoring and recording all events and actions taking place within an organization. Such tools can then apply artificial intelligence to judge individual incidents the way a human analyst would, comparing isolated events with historical events, external sources of knowledge, and other related communications taking place within the environment. This aid would empower security's decision making, close the gap between detection and response, and notably improve security posture, enabling teams to successfully combat complex hacking operations.
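To make the contrast in the "Alert Blindness" and "Out of Context" sections concrete, here is an added example (not code from the original post or from Cybereason) that runs both styles of rule over the same constructed log. The rigid IOC rule fires once per user at a failed-login threshold and cannot tell its two hits apart; the correlating rule takes the same trigger, gathers every other event on that host inside a time window, and grades the hit by what the surrounding timeline shows. The log format, field names, threshold, window, and severity grading are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Field names are assumptions for
# this example: host, user, event, src, plus an optional image or dst.
SAMPLE_LOG = """\
2014-11-03T09:00:01 host=ws-17 user=alice event=login_failed src=10.0.0.5
2014-11-03T09:00:04 host=ws-17 user=alice event=login_failed src=10.0.0.5
2014-11-03T09:00:07 host=ws-17 user=alice event=login_failed src=10.0.0.5
2014-11-03T09:00:10 host=ws-17 user=alice event=login_failed src=10.0.0.5
2014-11-03T09:00:13 host=ws-17 user=alice event=login_success src=10.0.0.5
2014-11-03T09:00:20 host=ws-17 user=alice event=process_start image=helper.exe
2014-11-03T09:00:25 host=ws-17 user=alice event=outbound_connection dst=203.0.113.9
2014-11-03T10:15:00 host=ws-03 user=bob event=login_failed src=10.0.0.8
2014-11-03T10:15:03 host=ws-03 user=bob event=login_failed src=10.0.0.8
2014-11-03T10:15:06 host=ws-03 user=bob event=login_failed src=10.0.0.8
2014-11-03T10:15:09 host=ws-03 user=bob event=login_failed src=10.0.0.8
2014-11-03T10:15:15 host=ws-03 user=bob event=login_success src=10.0.0.8
"""

FAIL_THRESHOLD = 4                     # the rigid rule: N failed logins -> alert (assumed)
CONTEXT_WINDOW = timedelta(minutes=5)  # how far around a trigger we look for context (assumed)
FOLLOW_ON = {"process_start", "outbound_connection"}  # post-login activity that adds context


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, value = pair.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def isolated_alerts(events, threshold=FAIL_THRESHOLD):
    """IOC-style rule: one alert per user the moment its failed-login count hits the
    threshold. It consults nothing else, so every hit looks like every other hit."""
    fails = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["event"] != "login_failed":
            continue
        fails[ev["user"]] += 1
        if fails[ev["user"]] == threshold:
            alerts.append({"rule": "failed_logins", "user": ev["user"],
                           "host": ev["host"], "ts": ev["ts"]})
    return alerts


def correlated_incidents(events, threshold=FAIL_THRESHOLD, window=CONTEXT_WINDOW):
    """Same trigger, but each hit is judged against the other events on the same host
    inside the window and graded by what that surrounding timeline shows."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    incidents = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["ts"])
        fails = 0
        for trigger in host_events:
            if trigger["event"] != "login_failed":
                continue
            fails += 1
            if fails != threshold:
                continue
            # Gather everything on this host around the trigger: the context the rigid rule lacked.
            related = [e for e in host_events if abs(e["ts"] - trigger["ts"]) <= window]
            kinds = {e["event"] for e in related}
            if "login_success" in kinds and kinds & FOLLOW_ON:
                severity, reason = "high", "failures, then success, then new activity on the host"
            elif "login_success" in kinds:
                severity, reason = "low", "failures followed by success and nothing further"
            else:
                severity, reason = "medium", "repeated failures with no success yet"
            incidents.append({
                "host": host,
                "users": sorted({e["user"] for e in related}),
                "severity": severity,
                "reason": reason,
                "timeline": [(e["ts"].isoformat(), e["event"]) for e in related],
            })
            fails = 0  # reset so a later burst on the same host becomes its own incident
    return incidents


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("isolated rule:", len(isolated_alerts(events)), "indistinguishable alerts")
    for inc in correlated_incidents(events):
        print(f"{inc['host']}: {inc['severity']} ({inc['reason']})")
        for ts, kind in inc["timeline"]:
            print("   ", ts, kind)
```

On the sample log the rigid rule raises two identical "failed_logins" alerts, one for each user, and an analyst has to open both to learn that one was a mistyped password and the other was followed by a new process and an outbound connection. The correlated version hands over one high-severity timeline for ws-17 and one low-severity note for ws-03, which is the difference between triage and investigation that the post is describing. Grouping by host is a deliberate simplification; a production tool would also key on user, source address, and session so that related activity across several machines lands in the same incident.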