Correlating Clues: Cybersecurity’s Big Data Challenge
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Steve Fulton of Secureworks follows the clues and connects the dots to XDR as the answer to the challenges presented by big data analytics.
It wasn’t so long ago that some vendors were promoting the idea that “endpoint was enough” when it comes to protecting your organization from cyber-attacks. The only thing you need is endpoint prevention and detection, and you can sleep well at night, they said. That notion is… naïve. I’m being very generous in using that term to describe something that is an incredible disservice to their customers. That’s not how cybersecurity works. Today’s attacks are often missed by endpoint solutions alone. Yes, you absolutely do need endpoint prevention & detection; it is necessary, but not sufficient. There are many, many examples where EDR solutions miss the threat. Phishing, for example, can get a user to give up a valid credential so that the attacker can then use that credential to surreptitiously move around your environment, posing as a legitimate user. And if they can do that undetected, they can compromise a critical system and deploy ransomware and/or exfiltrate data.
Cybersecurity is not about detecting a single instance of a single file on a single endpoint. It’s about having the widest possible aperture. It’s about constantly correlating multiple events and behaviors across your entire environment (e.g., network, endpoint, cloud, etc.) to see if some combination of those events and behaviors indicates a threat.
Cybersecurity’s response to stealth attacks, in other words, is big data analytics.
The Big Data Connection
It sounds simple. And many vendors claim to do it. But to adapt big data analytics specifically for cybersecurity, solutions need to do several things right.
Here are three major ones that need to be fully owned:
All The Data
Big data success depends on the “bigness” of your data. That doesn’t just mean having a lot of data. It also means having the right breadth of data.
In the case of cybersecurity, that breadth of data should go well beyond traditional endpoint telemetry. As noted above, many attacks don’t even leave any “breadcrumbs” on your endpoints. So, data is needed from your network, your cloud implementations, your business systems, your operational systems, and any other sources that an attacker might touch — even if that data source is not the target of the attack. Said differently, you need a diversity of data in addition to “big data.”
This is why the market is moving beyond siloed EDR (endpoint detection and response) to a more inclusive cybersecurity platform known as XDR (extended detection and response). To keep your organization safe, your detection and response solution must be able to incorporate and correlate relevant data from multiple sources — endpoint, third party, legacy, or custom-created — in order to be effective.
Detailed Threat Intelligence
You can only be confident that some combination of the events and behaviors in your environment matches some known set of attack indicators if your security staff or vendor has a complete, accurate, and up-to-date understanding of what those attack indicators are. This is one aspect of what we call “threat intelligence.”
After all, collecting telemetry from all over your environment isn’t just for discovering general patterns and trends. If you’re serious about cybersecurity, then gathering all that data is for uncovering clues that could indicate an active attack. And to do that, you need knowledge of what an attack looks like.
More precisely, you need knowledge of how specific types of attackers are currently operating, in sufficiently granular detail. Those attackers might be state-sponsored groups whose tactics, techniques, and procedures (TTPs) are somewhat consistent over time. Or they may be attackers who sell their services on the open market — and therefore have a consistent set of TTPs.
Regardless of who the attacker is and how they mount their attacks, robust threat intelligence is crucial for correlating the large volumes of telemetry from your environment to pattern-match indicators of an active threat.
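The cross-source correlation described above (a phished credential reused for a login, then lateral movement, which an endpoint-only view cannot tie together), written out as an added Python example; this is not code from the article or from Secureworks. The event sources, event types, the TTP chain and the telemetry records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from four sources (not real logs).
# "alice" shows the phish -> login -> lateral-movement chain; "bob" is a normal
# login; "carol" clicked a phish but the later login is days away (outside the window).
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "source": "email",    "user": "alice", "type": "phish_click"},
    {"ts": "2024-01-10T09:20:00", "source": "identity", "user": "alice", "type": "login_success"},
    {"ts": "2024-01-10T09:45:00", "source": "network",  "user": "alice", "type": "smb_to_new_host"},
    {"ts": "2024-01-10T10:05:00", "source": "endpoint", "user": "alice", "type": "remote_admin_tool"},
    {"ts": "2024-01-10T11:00:00", "source": "identity", "user": "bob",   "type": "login_success"},
    {"ts": "2024-01-08T08:00:00", "source": "email",    "user": "carol", "type": "phish_click"},
    {"ts": "2024-01-10T08:30:00", "source": "identity", "user": "carol", "type": "login_success"},
]

# Hypothetical TTP chain: ordered (source, event type) stages that, taken
# together, indicate credential misuse. Each stage alone is unremarkable.
CREDENTIAL_MISUSE_CHAIN = [
    ("email", "phish_click"),
    ("identity", "login_success"),
    ("network", "smb_to_new_host"),
    ("endpoint", "remote_admin_tool"),
]

def correlate(events, chain, window=timedelta(hours=4), min_stages=3):
    """Return {user: matched events} for users whose telemetry, in time order,
    matches at least `min_stages` consecutive stages of `chain` within `window`
    of the first matched stage."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        stage, start, matched = 0, None, []
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if start is not None and ts - start > window:
                break  # chain went stale; stop matching for this user
            if (e["source"], e["type"]) == chain[stage]:
                start = start if start is not None else ts
                matched.append(e)
                stage += 1
                if stage == len(chain):
                    break
        if stage >= min_stages:
            hits[user] = matched
    return hits

def endpoint_only_view(events):
    """What an endpoint-only product sees: a single remote-admin-tool event
    with no phish or login context, which on its own looks like routine admin work."""
    return [e for e in events if e["source"] == "endpoint"]
```

Running `correlate(EVENTS, CREDENTIAL_MISUSE_CHAIN)` flags only alice with all four stages, while `endpoint_only_view(EVENTS)` returns just the one ambiguous endpoint event.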
Speed at Scale
Security teams, whether your own or from a managed detection and response partner, don’t have an unlimited amount of time to perform threat detection and response. In fact, time is a critical factor in cybersecurity — because every hour that a threat actor remains undetected in your environment exposes you to significantly higher risk, allowing them to get one step closer to a critical system that will bring your business to a standstill or threaten a potentially catastrophic exposure of sensitive customer data. The median dwell time for a ransomware attack is 4.5 days — and that’s not a lot of time to detect and respond to an imminent threat. So, speed, in addition to scale, is critically important.
That’s another reason why you need an XDR platform that’s properly architected for XDR workload performance. You can’t just bolt on other technology to an EDR platform and expect it to scale. Nor can you build effective XDR on a generic big data platform. Your underlying engine should be purpose-built for threat detection across a variety of telemetry sources while empowering fast response actions.
Of course, there’s a lot more to do to defend yourself against stealth attacks than just deploying a scalable XDR platform with great threat intelligence behind it. You can leverage the human intelligence of an experienced, well-trained SecOps team, whether that is your own or through a provider. You can better automate your responses (the R in XDR) to quickly remediate threats. And of course, there are the basics like implementing multi-factor authentication (MFA) as part of a Zero Trust strategy and educating your users, so they don’t fall victim to phishing and other types of common attacks.
But as attackers get stealthier, an XDR platform with robust big data clue-correlating capabilities has become a must-have. It is becoming the foundation for a forward-looking, future-proofed cyber defense strategy, whether an organization leverages their own SecOps team or uses XDR as their foundation for a managed detection and response solution with a trusted security partner.