By Haim Zlatokrilov, VP of Products at empow
As the world goes through the worst health crisis in a century, and the first one occurring in the digital age, we are learning on the go. One of the few ways we can learn is to analyze how different countries with different approaches have dealt with the virus, and what the results are. Interestingly, there are lessons that we can take from this experience that can help us in the arena of cybersecurity.
The approaches that have clearly yielded the best results during this crisis include widespread testing and taking drastic steps early – like stopping flights and implementing strict ‘shelter at home’ orders. An aspect of this approach that has worked well for the countries with the lowest illness and death rates during Coronavirus is focusing on people rather than events.
For example in Israel, during the early days of the virus spread, each person who tested positive was tracked, with newspapers detailing where he or she had gone before being diagnosed, and people who were in the vicinity going into mandatory quarantine (later this was automated so that people got alerts on their cell phones if they had been in the vicinity of someone who tested positive for COVID-19). Strict early measures enabled the country to keep tabs on everyone with the virus for a relatively long time. Similar measures were effective in countries like Singapore and Taiwan.
In the U.S., the U.K. and a number of other countries hit hard by the virus, the approach was different. By the time measures were taken it was no longer possible to attribute the spread to individuals, but rather there were tragic “events” underway – like the spread in a nursing home in Washington State and the catastrophic situation in New York City.
Though there were other factors involved in how fast the virus was spreading, the results of the different approaches are clear – as of April 26, there were 199 deaths in Israel from COVID-19. In New Jersey, with comparable size and population, there were 5,863 deaths.
In cybersecurity, we face viruses and attacks of a completely different sort, but we can learn from the entity-focused approach. The security at most medium and large organizations is managed by Security Information and Event Management (SIEM) tools, which provide an overview of the different security tools, orchestrate them and coordinate response, at least in theory. In practice, SIEMs inundate security operations teams with mountains of false alerts and a workload that is unreasonable to the point of being ineffective.
One of the pitfalls in the approach of most SIEMs is the focus on events. For example, a security analyst may get an alert from an anti-virus tool saying a computer has been infected. The information he or she receives may include different entities, such as users, hosts, email addresses, etc. (some could be perpetrators, some victims), or it may consist of nothing more than IP addresses. Then the work for the analyst really begins: understanding which user entities are connected to the attacked entity, triaging the information, trying to sort out which other events took place in relation to the entity, and building an overall picture of the attack. By the time the analyst has researched all the information, it may well be too late to effectively stop the attack.
A different, more effective SIEM approach would redefine SIEM as a Security Information and Entity Management tool. In this scenario, when the SIEM sends an alert to the analyst, it is an entity-based alert, already showing the analyst ALL the actions taken to and on the particular entity at risk. Such a SIEM platform uses automation to conduct much of the research and triage usually left up to the analyst. The high-quality information that is brought to the analyst, in entity form, is already clear as to who the victim is and what actions have been taken against him or her over time. This allows the analyst to make quick triage decisions and take action to mitigate the attack.
Like the Coronavirus victim in our analogy, the cyberattack victim is then isolated so that it is much easier to see who else in the organization was in contact with the entity, preventing them from unwittingly infecting others in the organization. This would all be done at an early stage, making the entire approach timely and effective.
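To make the event-to-entity pivot concrete, here is an added example (written for this article, not empow's product code or any vendor API) that takes a handful of constructed, normalized log records from different tools, pivots from a single anti-virus event to the affected host, assembles that host's full timeline and the users and addresses tied to it, and then performs the "contact tracing" step: which other hosts did users of the infected machine move to after the detection. The record schema (`ts`, `source`, `action`, `user`, `host`, `dst_ip`) and all hostnames, usernames and the `203.0.113.9` address are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry): each record is one normalized
# log line from a security tool, keyed by the entities it mentions.
EVENTS = [
    {"ts": "2020-04-20T08:01:00", "source": "auth",  "action": "logon",         "user": "alice", "host": "ws-17"},
    {"ts": "2020-04-20T08:05:00", "source": "proxy", "action": "download",      "user": "alice", "host": "ws-17", "dst_ip": "203.0.113.9"},
    {"ts": "2020-04-20T08:06:00", "source": "av",    "action": "malware_found", "host": "ws-17"},
    {"ts": "2020-04-20T08:10:00", "source": "auth",  "action": "logon",         "user": "bob",   "host": "ws-17"},
    {"ts": "2020-04-20T08:30:00", "source": "auth",  "action": "logon",         "user": "bob",   "host": "ws-22"},
    {"ts": "2020-04-20T08:45:00", "source": "auth",  "action": "logon",         "user": "alice", "host": "srv-fs1"},
    {"ts": "2020-04-20T07:00:00", "source": "auth",  "action": "logon",         "user": "carol", "host": "ws-22"},
    {"ts": "2020-04-20T09:00:00", "source": "auth",  "action": "logon",         "user": "dave",  "host": "ws-40"},
]

# Fields that name an entity in this hypothetical schema.
ENTITY_FIELDS = ("user", "host", "dst_ip")


def parse_ts(s):
    return datetime.fromisoformat(s)


def entity_timeline(events, field, value):
    """Event-to-entity pivot: every event that mentions the entity, in time order."""
    return sorted((e for e in events if e.get(field) == value), key=lambda e: parse_ts(e["ts"]))


def related_entities(timeline, field):
    """Other entities that appear in the entity's own timeline
    (e.g. the users who logged on to a host, the addresses it talked to)."""
    related = defaultdict(set)
    for e in timeline:
        for f in ENTITY_FIELDS:
            if f != field and f in e:
                related[f].add(e[f])
    return {k: sorted(v) for k, v in related.items()}


def contacts_after(events, host, since_ts):
    """Contact tracing: hosts that users of the infected host logged on to
    at or after `since_ts`. Users seen on the host before detection count
    as exposed too, since the infection predates the alert."""
    since = parse_ts(since_ts)
    exposed_users = {e["user"] for e in events if e.get("host") == host and "user" in e}
    contacted = set()
    for e in events:
        if ("host" in e and e.get("user") in exposed_users
                and e["host"] != host and parse_ts(e["ts"]) >= since):
            contacted.add(e["host"])
    return sorted(contacted)


def entity_alert(events, host):
    """Build an entity-based alert for `host`: first detection, its full
    timeline, the entities involved, and where its users went afterwards.
    Returns None when no detection exists for the host."""
    timeline = entity_timeline(events, "host", host)
    detections = [e for e in timeline if e["action"] == "malware_found"]
    if not detections:
        return None
    first = detections[0]["ts"]
    return {
        "entity": host,
        "first_detection": first,
        "timeline": [(e["ts"], e["source"], e["action"], e.get("user", "-")) for e in timeline],
        "related": related_entities(timeline, "host"),
        "contacts_after_detection": contacts_after(events, host, first),
    }


if __name__ == "__main__":
    alert = entity_alert(EVENTS, "ws-17")
    print(f"Entity: {alert['entity']}  first detection: {alert['first_detection']}")
    for row in alert["timeline"]:
        print("  ", *row)
    print("Related entities:", alert["related"])
    print("Hosts contacted after detection:", alert["contacts_after_detection"])
```

The analyst receives one object instead of one anti-virus event: the host, the two users who touched it, the external address it downloaded from, and the two machines (`ws-22`, `srv-fs1`) those users moved to after the detection, which is exactly the set to check or isolate next. `carol` and `dave` never touched the infected host and stay out of the picture, which is the noise reduction the article argues for.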