An epic tale of an underwater battle, featuring nation-state submarines in unfamiliar waters, or one of finding an unknown threat of potentially nuclear proportions within familiar corporate boundaries?
If I could narrate half as well as the late Sean Connery, I’d be a very happy cybersecurity fanatic – but in the meantime, let’s dive into what these two seemingly disconnected stories have in common.
Picture the scene: you’re a captain of industry, and with your help, your organisation has created an impressive cybersecurity infrastructure with all the power needed to go on the adversarial offensive. You can capture, store, search and contain the enemy, with an incredible display of cyber prowess, producing more data than you could possibly need. Yet still you see nefarious activities that outsmart your tactical wizardry, rendering defensive lines, well, defenceless.
With all that beautiful technology, you’re still falling foul of incidents or audit and compliance failures. Then you realise it’s not just the enemy of old; some threats are originating from within your own infrastructure. Who’s doing this? What techniques are being used? Why don’t your existing tools and data sets tell you about them? Why do European submarines have barcodes? (#sorrynotsorry)
The old war we’ve been fighting has inevitably evolved into new frontiers. Without a doubt, our adversaries innovate at warp speed in both sophistication and automation, but for the most part, we have failed to see how this attacker evolution now affects the way we hunt down the adversary.
The analogy to The Hunt For Red October is not far removed from the everyday reality of cybersecurity. We are applying sonar-like technology to a far more evolved problem. Using existing, often legacy, tools to sweep the environment for 'blips' of interest (alerts, events, incidents, correlation-rule matches and so on) simply doesn't scale, and the signal-to-noise ratio keeps getting worse. Adding cloud platforms to the mix makes things harder still: you're hunting for that nuclear sub in corporate waters, except that it can now fly. So what must we do to counter these challenges? What do modern insider threats look like, and how do we hunt them?
Wisdom is knowledge gained without having to suffer for it, and experience should already have taught us that we simply cannot keep searching only for traces of what we think a threat looks like, whether that is a known indicator, a signature or a correlation rule written for last year's attack. We have to explore deeper, relatively uncharted waters to find what lies beneath the surface.
Unsurprisingly, 'passive sonar' detection (read: manual and legacy tooling) has significant limits in the new age of cyber warfare, where employees are bringing their own submarine homes to the corporate frontlines (side note: Google "Wayne Eyre submarine home" and you'll love it). In this stormy ocean of threat detection and mitigation, we need to merge new with old and provide the insights, context, coverage and capabilities that help us steer clear of breach disaster.
The hunt for the 'red insider' is not impossible. Weaponising your existing data sets, by adding intelligence and practical automation to the tools you already own, ensures you are looking in the right places for the insider threat. The aim is that you no longer have to know in advance which questions to ask of your data: the analysis surfaces the answers you need in order to act efficiently and accurately. Those proverbial submarines, flying or otherwise, have nowhere to hide.
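To make the 'legacy blips versus weaponised data' point concrete, here is an added example written for this edit (not Exabeam's product code, and not the author's own tooling): a fixed-threshold correlation rule and a per-user behavioural baseline are run over a constructed file-share access log. The log format, the user and share names, the ten-megabyte threshold and the scoring thresholds are all assumptions chosen for illustration; the insider's quiet 8 MB read from a share she has never touched, at 02:13, slips under the static rule, while the same rule fires every morning on the build engineer's routine artefact pull.

```python
"""
Added example (not Exabeam code): a static correlation rule versus a
per-user behavioural baseline, run over a constructed file-share access log.
Log format, user/share names and all thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

START = datetime(2024, 3, 4, 0, 0)  # constructed start of the observation window (a Monday)
LARGE_TRANSFER = 10_000_000         # assumed legacy rule: "alert on any read >= 10 MB"


def build_sample_log():
    """Constructed data: seven days of routine activity for two users, then day 8."""
    lines = []
    alice_bytes = [120_000, 150_000, 180_000, 130_000, 160_000, 140_000, 170_000]
    bob_bytes = [58_000_000, 61_000_000, 60_000_000, 63_000_000, 59_000_000, 62_000_000, 60_500_000]
    for day in range(7):
        d = START + timedelta(days=day)
        # alice: finance analyst, small reads from one share during business hours
        lines.append(f"{(d + timedelta(hours=9, minutes=12)).isoformat()} user=alice share=finance bytes={alice_bytes[day]}")
        # bob: build engineer, pulls a ~60 MB artefact from engineering every morning
        lines.append(f"{(d + timedelta(hours=8, minutes=40)).isoformat()} user=bob share=engineering bytes={bob_bytes[day]}")
    # day 8: alice reads 8 MB from the HR share at 02:13 (new share, new hour, ~50x her usual volume)
    d = START + timedelta(days=7)
    lines.append(f"{(d + timedelta(hours=2, minutes=13)).isoformat()} user=alice share=hr bytes=8000000")
    lines.append(f"{(d + timedelta(hours=8, minutes=41)).isoformat()} user=bob share=engineering bytes=60200000")
    return lines


def parse(line):
    """Parse one '<iso-timestamp> key=value ...' line into a dict."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "user": fields["user"],
            "share": fields["share"], "bytes": int(fields["bytes"])}


def static_rule_alerts(events):
    """Legacy style: fire on any single read above a fixed size, whoever did it."""
    return [e for e in events if e["bytes"] >= LARGE_TRANSFER]


def build_baselines(events):
    """Per-user profile from a training window: shares used, hours active, volume mean/stdev."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        profiles[user] = {
            "shares": {e["share"] for e in evs},
            "hours": {e["ts"].hour for e in evs},
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
        }
    return profiles


def baseline_alerts(profiles, events, min_score=2, z_threshold=3.0):
    """Score each event by how many features deviate from that user's own baseline.

    An event alerts when at least `min_score` features are anomalous, or when the
    user has no baseline at all (an account that has never been seen acting)."""
    alerts = []
    for e in events:
        p = profiles.get(e["user"])
        if p is None:
            alerts.append((e, ["no baseline for user"]))
            continue
        reasons = []
        if e["share"] not in p["shares"]:
            reasons.append(f"first access to share {e['share']}")
        if e["ts"].hour not in p["hours"]:
            reasons.append(f"never seen active at hour {e['ts'].hour:02d}")
        spread = p["stdev"] or max(p["mean"] * 0.1, 1)  # flat history: avoid divide-by-zero
        z = (e["bytes"] - p["mean"]) / spread
        if z > z_threshold:
            reasons.append(f"volume z-score {z:.1f}")
        if len(reasons) >= min_score:
            alerts.append((e, reasons))
    return alerts


def run_comparison():
    """Static rule over the whole log (it has no notion of history) versus baseline on day 8."""
    events = [parse(line) for line in build_sample_log()]
    cutoff = START + timedelta(days=7)
    training = [e for e in events if e["ts"] < cutoff]
    window = [e for e in events if e["ts"] >= cutoff]
    static = static_rule_alerts(events)
    behavioural = baseline_alerts(build_baselines(training), window)
    return {
        "static_alerts": [(e["user"], e["bytes"]) for e in static],
        "behavioural_alerts": [(e["user"], e["share"], reasons) for e, reasons in behavioural],
    }


if __name__ == "__main__":
    result = run_comparison()
    print("static rule fired", len(result["static_alerts"]), "times:", result["static_alerts"])
    print("baseline fired", len(result["behavioural_alerts"]), "times:", result["behavioural_alerts"])
```

On this constructed log the static rule produces eight alerts, every one of them Bob's routine artefact pull, and nothing for the insider read; the baseline produces a single alert, Alice's HR access, with three independent reasons attached. That is the difference between sweeping for blips and asking the data who is behaving unlike themselves. The per-user profile is deliberately simple (a set of shares, a set of hours, a mean and standard deviation); a production implementation would also baseline against peer groups and decay old behaviour, but the scoring structure is the same.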
By transforming security operations through weaponised data, we remain one step ahead of the adversary and enable our business to retain its competitive and innovative advantage, regardless of the depths of the cybersecurity warfare battle.
Interested in learning more about insider threat best practices? Check out Exabeam’s insider threat hub!
by Richard Cassidy, Senior Director of Security Strategy, Exabeam.