In urgent situations, such as where a breach will be costly, or someone’s well-being is at risk, historical data and batch processing simply won’t cut it.
It’s no secret that cyberattacks are on the rise, and that while many companies are investing heavily in solutions that aim to protect their people and assets, there’s much more to be done.
Stephanie Balaouras, a vice president and research director at Forrester, says that organizations need to invest not just in any security solutions, but, more specifically, in ones that allow them to automate detection and response to the threat itself. Balaouras was speaking at Forrester’s recent Counteract Cyberattacks and Fraud with Streaming Analytics webinar (free registration).
“We can layer as many preventative solutions as possible in our environment,” she said, “but ultimately we’re not going to be able to stop every single attack. It’s become imperative that we’re able to detect infiltrations as quickly as possible, and respond to them immediately.”
Surprising sources of cyberattacks
According to a recent Forrester study, a large number of organizations across different industries self-reported that they were victims of cyberattacks. It might have taken them an average of 245 days to realize there was an intrusion at all, but 41 percent of respondents reported that their attacks came from internal sources, whether that was a malicious party, or just someone wanting to work from home and emailing confidential information to a personal account.
Attackers are focusing on personally identifiable information, intellectual property, authentication credentials, and credit card data, all of which can be monetized on the black market. Balaouras is quick to point out that credit cards aren’t as profitable for hackers as personal information, such as a leaked medical record—the more personal the information, the easier it is for malicious parties to commit fraud-based crimes around it.
Infiltrations are happening on a number of fronts, but software vulnerabilities (42 percent), stolen credentials (37 percent), and phishing (37 percent) lead the pack. But the goal in cybersecurity shouldn’t be just targeting the most popular vulnerabilities and layering on more security packages, Balaouras said. Instead, organizations need to deploy detection and automated response capabilities, and quickly, if they want to maintain any semblance of security in the years to come.
“The goal is not just detection, but the ability to limit the impact of the breach before it turns into something enormous,” Balaouras says.
Changing the cybersecurity conversation
A number of elements make security automation difficult for businesses. Those in security operations centers (SOCs) find themselves overwhelmed by the sheer number of alerts, and it’s not easy to simply hire more security workers—these people are few and far between, and are highly sought after for their skills.
Instead, organizations should think about empowering their SOC with more data and automated workflows to help them make smarter decisions and move faster. But Balaouras says that in urgent situations, such as where a breach will be costly, or someone’s well-being is at risk, historical data and batch processing simply won’t cut it.
“There will always be more preventative solutions, we’re always going to be able to layer more preventative solutions, but ultimately we need to improve our detection capabilities and our ability to make an automated response,” Balaouras said.
By layering real-time streaming analytics into the SOC, these algorithms can aggregate threat intelligence from a number of disparate sources, track malicious insiders, prioritize alerts, detect the signs of infiltration, and much more. And when it comes to streaming analytics, “real-time” refers to seconds or even milliseconds: anything slower is too late to drive the automated response this next generation of security hardening depends on.
Getting faster with cybersecurity analytics
Steve Wilkes, co-founder and CTO of Striim, who joined Balaouras on the webinar, says that companies need to think about making their security data analytics faster so that they can be proactive rather than reactive. In the past, a company might collect log files from a number of discrete security solutions and store them in a Hadoop cluster for later batch processing. Now, being able to transform, filter, and aggregate those logs in real time unlocks new proactive (and automated) security workflows.
Wilkes offers one potential use case. It’s a common practice to lock out a specific IP address after a number of failed logins to a particular server or service, to blunt a brute-force attack on a user’s credentials. But that lockout counter lives on each server. If an attacker spreads the attempts across many servers at once, keeping each server’s count below its lockout threshold, no single server ever trips, and a SOC looking at each server’s logs in isolation might never correlate all of the failed logins as coming from a single, determined source. Streaming analytics can instead take the logs from each of the servers and their security systems and automatically correlate the intrusion attempts as coming from a single external IP within a short time window. It can then automatically put that IP on a blacklist, or warn the SOC, before the attacker actually gains access.
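The correlation Wilkes describes, written out as an added example (this is not Striim’s code, nor code from the webinar). It keeps a sliding window of failed logins per source IP across all hosts, so that an attacker who stays under each server’s per-host lockout is still caught once the cross-host total crosses a threshold. The log lines are constructed sshd-style samples, and the host names, addresses, thresholds and the `process`/`run` functions are assumptions made for the illustration:

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd-style auth lines collected from four hosts.
# 203.0.113.7 spreads 12 failed attempts across web1..web4 (3 per host, all
# below a per-host lockout of 5); 198.51.100.20 is a user who mistyped twice.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:01Z web1 sshd[1001]: Failed password for admin from 203.0.113.7 port 40001 ssh2",
    "2024-03-01T10:00:03Z web2 sshd[2001]: Failed password for admin from 203.0.113.7 port 40002 ssh2",
    "2024-03-01T10:00:05Z web3 sshd[3001]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "2024-03-01T10:00:07Z web4 sshd[4001]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "2024-03-01T10:00:08Z web2 sshd[2002]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
    "2024-03-01T10:00:10Z web1 sshd[1002]: Failed password for invalid user oracle from 203.0.113.7 port 40005 ssh2",
    "2024-03-01T10:00:12Z web2 sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 40006 ssh2",
    "2024-03-01T10:00:14Z web3 sshd[3002]: Failed password for admin from 203.0.113.7 port 40007 ssh2",
    "2024-03-01T10:00:15Z web2 sshd[2004]: Failed password for alice from 198.51.100.20 port 51001 ssh2",
    "2024-03-01T10:00:16Z web4 sshd[4002]: Failed password for admin from 203.0.113.7 port 40008 ssh2",
    "2024-03-01T10:00:18Z web2 sshd[2005]: Accepted password for alice from 198.51.100.20 port 51002 ssh2",
    "2024-03-01T10:00:20Z web1 sshd[1003]: Failed password for root from 203.0.113.7 port 40009 ssh2",
    "2024-03-01T10:00:22Z web2 sshd[2006]: Failed password for root from 203.0.113.7 port 40010 ssh2",
    "2024-03-01T10:00:24Z web3 sshd[3003]: Failed password for invalid user oracle from 203.0.113.7 port 40011 ssh2",
    "2024-03-01T10:00:26Z web4 sshd[4003]: Failed password for invalid user oracle from 203.0.113.7 port 40012 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


class DistributedBruteForceDetector:
    """Sliding-window correlation of failed logins by source IP across all hosts."""

    def __init__(self, window_seconds=60, per_host_lockout=5, global_threshold=10):
        self.window = timedelta(seconds=window_seconds)
        self.per_host_lockout = per_host_lockout   # what each server enforces on its own
        self.global_threshold = global_threshold   # what only a cross-host view can see
        self.failures = defaultdict(deque)         # src_ip -> deque of (ts, host, user)
        self.blocklist = set()                     # IPs an automated response would block

    def process(self, line):
        """Feed one log line in arrival order; return an alert dict when a threshold is crossed."""
        m = FAILED_RE.match(line)
        if not m:
            return None                            # successful logins and other lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = m["ip"]
        q = self.failures[ip]
        q.append((ts, m["host"], m["user"]))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:              # drop failures older than the window
            q.popleft()
        if ip in self.blocklist:
            return None                            # already acted on; do not re-alert
        per_host = Counter(host for _, host, _ in q)
        total = len(q)
        if max(per_host.values()) >= self.per_host_lockout:
            kind = "per_host_lockout"              # a single server would have caught this
        elif total >= self.global_threshold:
            kind = "distributed_brute_force"       # each host is under threshold; the sum is not
        else:
            return None
        self.blocklist.add(ip)                     # hypothetical automated response
        return {
            "kind": kind,
            "src_ip": ip,
            "failures": total,
            "hosts": sorted(per_host),
            "max_per_host": max(per_host.values()),
            "first_seen": q[0][0].isoformat(),
            "last_seen": ts.isoformat(),
        }


def run(lines, **kwargs):
    """Stream lines through a fresh detector; return (alerts, blocklist)."""
    det = DistributedBruteForceDetector(**kwargs)
    alerts = [a for a in (det.process(line) for line in lines) if a]
    return alerts, det.blocklist


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG_LINES)[0]:
        print(alert)
```

Running the sample, the per-host counts for 203.0.113.7 never exceed 3, so the only thing that fires is the cross-host rule, at the tenth failure. Setting `global_threshold` very high reproduces a per-server-only view, and nothing fires at all, which is exactly the evasion the text describes. In production the window, thresholds and the blocklist action would be tuned per environment, and a NAT gateway or shared proxy in front of many real users is the usual false-positive to watch for before blocking automatically.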
By analyzing a high throughput of data from any number of disparate sources, and pulling them together in highly customizable ways, organizations can detect intrusions faster and shut them down before they spread. Balaouras and Wilkes agreed that by aiming higher than simply bringing down that “245 days to detecting a breach” figure, organizations can set themselves up to meet, and defeat, the cyberattacks that are inevitably on their way.