A few years ago, if I asked who was responsible for your corporate security, you might have pointed to the "security" team: a group within IT who had their own set of tools and who focused primarily on protecting the perimeter. This standard was the status quo for most companies, before an increasing wave of attacks started catching countless businesses in every sector off guard.
Today, if I ask the same question, I hope that you would say that security is everyone's job.
The Truth Is On the Network
A series of high-profile breaches and the rise of ransomware have been a wake-up call for the majority of enterprises. It's no longer a matter of if you'll be attacked, it's when. We're now dealing with highly-sophisticated hackers who have access to attack tools that were built by nation states and released into the wild. These tools—unquestionably cyber weapons—have since been incorporated into run-of-the-mill malware.
Attackers have proven repeatedly that they can poke holes in any perimeter and compromise any endpoint. Firewalls, antivirus software, and malware scanners are no longer sufficient to ward off intrusions. Logs can be altered, auditing can be disabled, but the truth is always on your network. If something has infiltrated your environment, and you have total visibility into your network traffic, you can find the intrusion and deal with it.
Look Beyond the Perimeter
Today, we know that internal traffic should be monitored as closely as the perimeter. Teams must look for lateral movement, which indicates an attacker has moved from one internal host to another. Reconnaissance, scanning, and data exfiltration are all activities that can indicate a potential breach. Quick action is necessary to stop a threat before damage is widespread and irreversible.
Traditional security solutions such as Intrusion Detection and Prevention are primarily signature-based and haven't evolved much in the past decade. Other security-focused network-monitoring tools are open source and based on homegrown analytics, which can be high-maintenance and often can't scale to enterprise-class. Considering the limitations of these solutions, the best approach for protecting your organization is best-of-breed pervasive, real-time network monitoring.
AI Is Here to Serve
With the sheer amount of data generated each day, no team could ever sift through every network transaction—even with carefully configured alerts, you run the risk of missing something important.
While alerting has evolved dramatically over the past twenty years, setting and monitoring threshold values resulted in voluminous false positives. It was difficult to sift through so many alerts to find actual problems. Even with the development of dynamic thresholds, baselines, and moving averages, analysis still requires a lot of manual work and produces far too many alerts than SecOps teams have time or resources to investigate. This is why machine learning is increasingly critical. It reduces the burden of data overload by helping teams disregard expected fluctuations and pinpoint genuine anomalies. Machine learning can detect patterns and behaviors and call out anomalous behavior—all without requiring a data science team.
New Technology Shouldn't Mean More Work
The volume of data generated today is torrential compared to even 10 years ago. Nobody wants to buy a product or solution that's going to create more work. Automation and integration with your existing tools is critical.
On the current market, we're seeing a welcome convergence between specialized security tools and network operations tools. A number of products now combine network security and breach detection. For the most part, these products perform simple network analysis at Layer 4. They look for unusual behaviors with some amount of machine learning, typically unsupervised, and then bring those anomalies to your attention. However, these products don't offer a lot of context beyond identifying a breach.
Any solution that forces your SIEM to figure out whether a real breach is legitimate is not a product, it's a feature. You need a broad platform to understand context and conduct investigations. ExtraHop has been investing in data science and machine learning for over three years now. As the innovator in wire data analytics and next-gen network monitoring, we are uniquely capable of providing the broad visibility, analysis, and forensics required to address today's threat landscape.
Read on: ExtraHop's Jesse Rothstein and senior software engineer Edward Wu break down the ways machine learning works best when paired with human judgement on AFCEA's The Cyber Edge .
Launch the ExtraHop demo to learn more about what machine learning can do for you.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/next-level-threats-require-next-level-defense/