As the cybersecurity threat landscape becomes increasingly complex, attacks are growing in both volume and sophistication.
Criminals are continuously searching for the latest news and trends to weaponize their threats. This can be seen with the recent explosion of cryptocurrencies, attackers capitalized on this new-found revenue source by quickly inventing Monero-specific techniques focused on obtaining coins via stealing, mining and taking user data hostage for ransom.
So, to deal with constantly evolving threats, the approach and capabilities necessary for enterprise security must also adapt. A traditional preventative-centric approach is no longer reliable. Advanced malware can bypass preventative security measures in many ways, by using armoring features, embedding itself in normal traffic or disabling endpoint security software, to name a few.
For example, to exploit the fact that most security software programs look for malware inside files, cybercriminals invented fileless malware that leverages built-in Windows tools like Powershell and WMI to execute in-memory from the registry. Cybercriminals have become so advanced that they can even deploy attacks that infiltrate the host in pieces, then assemble and execute on the victim's device – all while the victim is unaware. Absolute, impenetrable protection is no longer possible or realistic.
When threats bypass preventative security measures, breaches can go undetected for far too long, wreaking unknown havoc on the enterprise. Only after a threat is identified can the incident response team focus on mitigation and remediation. Business experiences are often disrupted as a result and depending on the magnitude of the attack, enterprises risk losing sensitive data and negative financial and reputational impact.
Now, when an enterprise receives a security alert, the first thing a security engineer needs to do is confirm it is real and is not a false positive. They accomplish that by correlating data from multiple sources. Then, this engineer must identify who is infected – the infected host and user name – before executing steps to mitigate any damage. This process can take up to several hours per alert, and with companies receiving an average of 12,172 security alerts per week, this investigation is a time-consuming burden falling on already-strapped security teams. Current personnel and resource capabilities only allow security teams to examine an average of 518 alerts each week, creating a striking gap between the number of attacks being executed and the number being investigated and prevented.
Knowing that the enterprise will be breached makes detection and incident response critical to a strong security posture. Enterprises need a security approach that:
1. Addresses threats contextually through correlation and deep learning
2. Leverages sharable threat intelligence from security devices and applications across network infrastructure, environments, and vendors
3. Provides security personnel with actionable, prioritized insights that equip them to detect and respond to incidents
Behavioral analytics are a critical piece of this posture, helping to actively collect, correlate and analyze data from multiple sources in order to identify and prioritize threats.
An analytics-based security approach enhances visibility through continuous network monitoring and increases detection accuracy by learning new threat behavior. Such detection is most difficult for attackers to bypass because malicious behavior does not change if the payload is encrypted or obfuscated. Behavioral data can be collected from security devices across the network – including firewalls, authentication solutions, intrusion prevention systems, endpoint detection products and email security gateways – and correlated with third-party indicators of compromise.
When threat intelligence is actionable, filtered from false positives and correctly prioritized, security personnel can distinguish a targeted malware attack from a low priority adware incident. This approach provides security personnel with the clearest picture of normal activities to better identify potentially malicious threats hiding in the network haystack.
Partial automation through analytics and deep learning can help decrease time wasted pursuing erroneous false alerts by an average of 352.3 hours per week, which costs companies over $1 million every year. Behavioral analytics do not replace security professionals, but can assist them in rapidly responding to threats by delivering the most relevant information in a timely manner and minimizing the manual labor of threat identification and remediation.
Today, getting breached is no longer a question of if, but a matter of when. To combat this threat, behavioral analytics can bolster a security posture that balances prevention with detection and remediation.