RTInsights editors Joe McKendrick, Lisa Damast, and Salvatore Salamone discuss why continuous intelligence is needed to address today's evolving cyberattacks.
In this RTInsights Real-Time Talk podcast, RTInsights editors Joe McKendrick, Lisa Damast, and Salvatore Salamone discuss how cyber threats continue to evolve at a time when systems are increasingly complex and interdependent. The challenge is that the bevy of point security solutions used in most organizations produces too much data, making it hard to spot anomalous activity and identify the greatest threats. Increasingly, companies are turning to continuous intelligence to help assimilate such data, draw insights, prioritize alerts and alarms, and make recommendations to aid human operators in managing security.
About the Continuous Intelligence Insights Center:
From real-time fraud prevention to enhanced customer experience to dynamic energy load balancing, businesses of all types and sizes are realizing the benefits of Continuous Intelligence, helping them make decisions in real-time while events are happening.
Where do you begin, though?
What are the key requirements?
Read the podcast transcript:
Lisa Damast: Hello and welcome to the latest episode of Understanding Continuous Intelligence, an RTInsights Real-Time Talk Podcast in partnership with Sumo Logic.
I’m Lisa Damast, Senior Editor and Head of Marketing at RTInsights and your host for today’s discussion. Joining me today are our RTInsights editor-in-chief, Salvatore Salamone, and RTInsights industry and insights editor, Joe McKendrick.
In this episode, we’ll break down why continuous intelligence is needed to address today’s evolving cybersecurity threats.
Joe, kick us off. What are some of the major cybersecurity issues enterprises face today?
Joe McKendrick: Okay, thanks. And there are a lot of layers to this. There’s so much we could discuss, and let’s drill down into what the impact on organizations is and what we can do. For example, look at the cost of data breaches. It’s now reached over $4 million per breach per company. That’s a report that came out of IBM just a few months back. And they reported a 10% increase compared to 2019.
And what is the reason for that? Because of the COVID-19 situation, where you had a lot of people dispersed, working remotely from their homes or remote locations, the enterprise is very highly distributed now. And add to that the cloud, the movement toward cloud, the movement to digital transformation, and you have a huge, hugely expanding attack surface.
And enterprises need to worry about where these problems can come from. And the cost, I mentioned $4 million per data breach. There are also statistics that show what happens when there’s downtime, when ransomware hits, for example. Some companies have been down for more than 24 hours because of a ransomware incident.
And our friends at Gartner put the cost at about $140,000 to $540,000 per hour for downtime. So, this is very costly to organizations, and this is something that needs to be front and center of priorities right now.
Salvatore Salamone: Another thing to keep in mind is that even though it’s challenging to protect your own enterprise, a lot of threats are because of the interdependency of modern business.
Last year we saw examples where supply chains were attacked. A weak link in a chain was compromised, and that ended up infecting or offering a vector into other players in that supply chain network. And then, even worse, there were several instances where the companies that offer things to help on the IT management side, so like SolarWinds and others, were compromised.
And their offerings that were used by multiple companies to manage networks and manage service providers were used to propagate malware and ransomware. So, it’s this interdependency. It’s not just the traditional protect your own assets. Now you’ve got to be concerned about threats coming in because you’re partnered with another entity.
Joe: And Sal, just to build on that a bit, this extends the responsibility and the concern for cybersecurity well beyond the IT department. And I just want to add to that as well, not only do we have a larger attack surface because of this interdependency you talk about, but also there’s been a convergence between IT and operational technology, IT and OT.
And as a result, there are all these vulnerabilities that could take place within the operations side of a business, within their internal systems, and their production environments. And then I just saw a survey not too long ago that talked about that, and half of the companies surveyed were not even aware of what kind of a compromise or what kind of issues could be occurring within their converged IT-OT environment. And this is where ransomware really can also make a huge dent.
Lisa: Can you elaborate on why it is harder to manage security?
Sal: There are a number of things. Complexity is one, and there are many individual tools that are used for different parts of your network and your operations. There are all these point solutions, endpoint monitoring, intrusion prevention and detection systems, firewalls, and more that all produce lots of data that could potentially help you understand threats as they’re emerging. But there’s just too much information. It’s hard to make sense of it. Then there’s the complication with things like moving to cloud and using hybrid environments.
Another thing we saw last year was using composable applications. It turned out one of the major security issues last year was how a very commonly used open-source component and library, Log4j, had a vulnerability, and the thing was reused so many times and incorporated into so many applications. It’s just hard to figure out where it resided and whether it was being used within an organization.
So, it’s just an overwhelming amount of different tools to try to help. You are making it more complicated. The way you’re developing applications is making it more complex to understand the relationship between the different elements.
Joe: I agree, that’s a huge issue, the complexities of today’s environments. You have hybrid, you have cloud, you have on-premises systems. Data itself, organizations today rely on data. Every organization needs to become a data-driven organization. But look where the data is going in organizations. It’s being duplicated not only within the IT department but it’s being used for development.
Data’s sent out to the development side of the house. It’s being sent out to backup sites. It’s being sent out to partner sites. Your company may have these great protocols in place to manage security and to ensure that nothing gets compromised, but then you send out this data to these partners who don’t have those same protocols in place.
You need to do your due diligence and make sure they are. There are cases where stuff is on a thumb drive and being left in the back of a taxicab, for example. There are incidents like that. I see the threat coming internally, as you have the problem with the hackers.
You may have hackers from Belarus, not to pick on people in Belarus, but you have these hackers on the other side of the world who are, of course, sending out the ransomware and the malicious code. But you can build a nice hard shell around your organization, but it could be soft inside. You may have people with privileged access, for example, or data leakage as your data is sent out for various functions, again, development or backup sites or whatever. And you need that encryption.
I did a survey a few years ago. Only about a third of companies actually encrypt data that’s moved across different parts of their enterprise. The threat is just as much of an insider threat as it is coming from the outside.
Lisa: Really great points about insider threats and threats coming from the outside. What’s needed to address this and help?
Joe: Well, again, I’ve done surveys in recent years on data security. And one of the questions you always ask is the detection process, when do you detect what’s going on with a data breach? What’s going on with the organization? And in most cases, enterprises are doing audits.
They’ll audit the logs, or they’ll audit access points and things of that sort after the fact. So, there may be something going on within their enterprise, data leaking, data being breached for months. And maybe they’ll catch it in an audit.
We found that typically companies conduct audits maybe once a month, maybe quarterly to see what’s going on, and that’s not enough. You need more of a real-time view of what’s happening, where your information is going, your personally identifiable information, and as well as sensitive corporate information.
You need to have a more transparent, up-to-the-minute view on what’s happening, so you can see what’s going on, not find out three months later in an audit. You need monitoring tools. You need more observability. With such technology, artificial intelligence and machine learning can really play a key role in being able to watch for discrepancies or changes or anomalies that are occurring within the access points or within the data that’s flowing across your organization.
Sal: Yes. And that’s the point. And I think what you’re seeing in some organizations, there’s a general move, the need for this real-time analysis and information about what’s happening and how it impacts their security is critical.
You’re seeing the adoption of these types of approaches. There’s one that’s called SOAR, for example, Security, Orchestrate, Automate, and Response. So rather than just observe, you also have the ability to somehow collect all of this real-time information that’s coming in from the sensors, alerts and alarms, data logs, et cetera. Analyze it, try to make sense of it, try to sort the important and prioritize things and be more proactive. You want to take some action in real-time based on the insights you gather. This is where Continuous Intelligence comes in.
Lisa: How does CI help?
Joe: Continuous Intelligence is key because, again, we need that real-time analysis of what is happening in your organization. We can’t be sitting back looking at audit data, log data, whatever, looking at what happened three weeks ago and discovering there was a data breach.
Even with ransomware, there can be a lag time between the time a ransomware attack hits the organization and the time it’s uncovered and it’s acted on, or rather that they’re alerted to it by the culprits in the case of ransomware, I should say. But you need that ability for data administrators, DBAs, systems administrators, IT managers to be able to look at what’s happening across the various layers of their systems and have the tools, AI machine learning-driven tools to make recommendations or to alert them to anomalies that are taking place.
Sal: And I think the critical point here is that it’s the CI component, the Continuous Intelligence. It is not just doing this once. It’s doing it constantly as all this data keeps streaming in. It’s analyzing it in real time and trying to make some improvements in the way you would work with this data in the past.
So one immediate example of how it can help is that using CI, or a security system that has incorporated CI, to prioritize alerts would be a really useful way to make CI valuable to an organization. So rather than have the entire security or SecOps team trying to sort through everything and figure out where’s the big problem right now, help feed that to them and make their time more efficiently used.
The other thing is to use CI to complement the human operator by making suggestions. So that’s taking it to a higher level than simply analyzing the data, but using more prescriptive type of analytics where it forms a judgment and then decides here’s a way to try to resolve it. So that would be another way.
And I think really the big thing here is to help the human operator. Certainly, you can automate some of this with CI. So, if it sees this set of conditions, it takes this action. But more useful is when there’s unknown, to help the human operator to understand what’s happening as it’s happening, and then let them decide.
So, in examples like fraud detection in the past, there are certain conditions that you think, aha, this flag should be prioritized. This person’s trying to cash a very large check or transfer some money. But you don’t want to shut it off automatically. It may be a legitimate thing. So, get the human involved and let the CI component of this just help them do their job in an easier way.
Joe: Yes, Sal, that’s a great point. And it’s the human element, and the human interaction is extremely important. The IT department can’t do it alone. In fact, the management team can’t do it alone. You need the engagement of the entire enterprise.
Just as in a city, it’s not the police acting alone that can catch crimes. You need citizens involved working with police and police working with citizens to help protect the community. And likewise, with an enterprise, you need employees not only trained and educated but having these tools that would show them where anomalies are occurring, where potential issues are arising.
Lisa: Do either of you have anything to add?
Joe: One more thing I want to add is that it’s really important to get management and the C level on board with your security solutions and approaches.
There are too many instances of companies that will skimp on security upfront, will skimp on their security spending and investment, assuming that, well, if an incident occurs, they can patch it up and fix it and move on. That day has passed where a security incident will just inflict some damage here and there, and then they can patch it up and go. It’s much longer than that. We see that with ransomware. And there’s no reason why ransomware should be as pervasive as it is, but unfortunately, it is.
Lisa: Great points about bringing in management and the C-level and just getting them involved upfront. Thanks Joe and Sal for breaking all of this down.
For more information on continuous intelligence, visit the CI Insights hub on RTInsights.com.