According to Mandiant Security Effectiveness Report – 2020, the following are some of the challenges in measuring security efficacy:
- Only 4% of reconnaissance activity generated an alert.
- Security controls did not prevent or detect detonation within their environment 68% of the time.
- 65% of the time, security environments were not able to prevent or detect the approaches being tested.
- 97%of the behaviors executed did not have a corresponding alert generated in the SIEM.
- 54%of the techniques and tactics used to execute testing of lateral movement are missed.
These challenges assets the fact that existing monitoring capabilities are no match for the changing threat landscape. Traditional technologies lack the sophisticated capabilities and visibility required to detect and protect against such advanced attacks.
Traditional security tools aren’t enough
So, what’s wrong? Organizations are dependent on tools such as anti-viruses, anti-malware, firewall, IPS, URL filters, application security gateways, DLP solutions, and SIEM solutions to detect and prevent security attacks.
Vulnerability assessments and application security scanners used by them have failed to mitigate the sophisticated attacks like Advanced Persistent Threats (APT) running in stealth mode. Endpoint security tools cannot detect these threats. To mitigate them, you need User and Entity Behaviour (UEBA) analysis to check for anomalies to identify unusual behavior patterns. However, to drive this analysis, you need to baseline normal user behavior, which requires a huge volume of data and considerable manpower.
The challenge with endpoint tools is that it churns out a massive amount of monitoring data/logs. This data is then correlated in SIEM to offer standalone threat information. Instead, threat indicators must be integrated and correlated with asset criticality and process-related weakness to recognize the risks and allocate resources for priority-based mitigation.
Though SIEM can enable correlation and compliance, it cannot effectively collect logs from disparate systems, has limited ability to detect threats & drive forensics, and is incapable of managing queries received for performing analysis.
The security challenges are on the rise. Traditional technologies are failing to detect advanced and persistent attacks. Monitoring millions of transactions of structured data and identifying an attack or fraud pattern is difficult manually and need substantial manpower and advanced skills.
SIEM has limits in querying the retained data for analytics and is also unable to handle millions of transactions per second and cannot provide a business context. Further, not all attacks leave logs. Adding to these challenges is the assessment of risks by judgment and managerial opinion without the visibility of critical assets.
These problems are not easy to solve. Here are a few ways to increase the chances of detection by the integration of data from endpoint tools and also to use network visibility to identify anomalies.
- Work with existing SIEM and create a data warehouse to store SIEM and endpoint tools such as Database Activity Monitoring (DAM). Buy an analytics engine to analyze a large amount of data using rules. You can use a cloud-based analytics engine or get professional analytics tools and integrate reporting and alerting in the GRC tool.
- Implement SIEM with Big Data and analytics from professional vendors.
- Manually configure threat indicators to identify advanced threats by reverse engineering and using endpoint tools such as firewall alerts, IPS rules, proxy servers, web application firewalls, and other security tools.
- You can also use real-time big data security analytics tools to accelerate incident detection to improve staff efficiencies, reduce false positives, automate manual processes, and supersede endpoint tools.
- Leverage a GRC tool to assemble and provide intuitive alerts, and the predictability engine predicts the probability of attack.
- Perform an inventory of all critical assets in the GRC tool and assign workflow for notification, escalation, remediation, and closure of risks.
- Import vulnerabilities to those assets and their criticality.
- Map audit and process-related weakness to the affected assets.
- Map threat feeds for applicability to the assets and its severity
- Import threat intelligence from analytics and apply analytics to the collated data (from endpoint tools, map vulnerability assessment results & map audit findings for process weakness) to predict the probability of risk materialization. Computing risk this way is more logical and can easily be integrated into a GRC tool.
By having integrated capabilities of threat intelligence, experienced experts, and security analytics, you can proactively investigate, detect, and respond to threats. These capabilities are better alternatives to deal with today's threats and can help you achieve more concrete security outcomes through better security visibility and detailed incident notifications..
If you are keen to know more about advanced security capabilities, and how to adapt them to your business, please do get in touch with us at firstname.lastname@example.org.