
Detection and response, where to begin

Kacy Zurkus | Sept. 2, 2016
Industry leaders join together at the MASSTLC conference to talk about detection, incident response, and making security a collaborative exercise

As the threat landscape continues to evolve, cybersecurity experts rely more on detection and incident response, making security a collaborative exercise. But, where do they start? 

Many security executives treated the MASSTLC conference as a starting point for that question.

Chris Poulin, research strategist of X-Force at IBM, said, "The problem is that it takes them understanding their environment. How much is too much data being downloaded or uploaded? SIEMs look at thresholds to understand policy and compliance, but they also have to have environmental knowledge. Users don’t typically up/download certain size files."

Understanding the environment requires staff that most enterprises do not have right now. So how does a security team build that understanding when it is inundated with alerts and spends its days putting out fires?

"There are two concepts. Asset inventory and data discovery. Those two concepts are closely allied. They need to know what systems they have, what applications, who are the owners of those applications, who are the authorized users, and who has what rights to the applications," Poulin said. 

Before applying policies, they need to first know their inventory and access controls. "What data lies on it? Where is the PCI data versus the source code data or financial data. They need to have situational awareness," Poulin said.

User behavior analytics, although in use for a long time, has come into fashion in the last few years because of the scale at which machines can now aggregate and correlate data.

"Security teams need to know the activities in their environment. How much data is transferred from your email server or the server that stores finance data or source code or whatever is most important to the business? Which users use those?" Poulin said.

Until a team understands the normal activity patterns in its environment, it cannot write detection rules or enforce expected behavior.

Sure, a smaller company might be able to identify the thresholds for each of its users by hand, but how is that done in an environment with more than 50,000 employees?

"Computers watch all these axes," Poulin said. The promise of machine learning is that the machines can ingest volumes a human can’t, but Poulin said, "It needs to be trained. It will always be reliant on a human for context. You feed it enough context, you tell it what context is, what data and the context in which it is happening."

As with any technology, though, machine learning is another one of the many layers in the entire security infrastructure. "It’s an additional layer on top of a SIEM that augments and helps to tune the system," Poulin said.
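The two layers described above, a flat SIEM threshold and a per-user learned baseline with asset context on top of it, as an added example that is not code from the article or from IBM. It parses constructed egress-log lines (timestamp, user, host, bytes sent), learns each user's median and median absolute deviation from a short history, and scores the day's events against that baseline; the log format, the hypothetical asset inventory, the 20 MB global threshold and the user names are all assumptions made for the illustration.

```python
"""Per-user activity baselines beside a single global SIEM threshold.

Added example (not from the article or IBM): parses constructed egress-log
lines, learns a robust per-user baseline (median and MAD of bytes sent),
and scores new events against it, attaching asset-inventory context.
"""
import statistics
from collections import defaultdict

# Constructed history of outbound transfers: "timestamp user host bytes".
HISTORY_LOG = """\
2016-08-29T09:01:00 alice wiki-01 1900000
2016-08-29T11:20:00 alice wiki-01 2100000
2016-08-30T09:05:00 alice wiki-01 2000000
2016-08-30T15:40:00 alice wiki-01 2050000
2016-08-31T10:10:00 alice wiki-01 1950000
2016-08-29T02:00:00 bob git-01 40000000
2016-08-30T02:00:00 bob git-01 42000000
2016-08-31T02:00:00 bob git-01 38000000
2016-09-01T02:00:00 bob git-01 41000000
2016-09-02T02:00:00 bob git-01 39000000
"""

# Constructed events for the day under review.
NEW_LOG = """\
2016-09-02T13:12:00 alice fin-db-01 9000000
2016-09-02T02:00:00 bob git-01 43000000
2016-09-02T14:30:00 carol wiki-01 500000
"""

# Hypothetical asset inventory: host -> data classification (data-discovery output).
ASSET_INVENTORY = {
    "fin-db-01": "financial",
    "git-01": "source-code",
    "wiki-01": "internal",
}

GLOBAL_THRESHOLD = 20_000_000  # a flat "too much data" SIEM rule, in bytes (assumed)
MIN_SAMPLES = 3                # history needed before a baseline is trusted
MAD_TO_SIGMA = 1.4826          # scales MAD to a std-dev equivalent for normal data


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split()
        events.append({"ts": ts, "user": user, "host": host, "bytes": int(nbytes)})
    return events


def global_threshold_alerts(events, threshold=GLOBAL_THRESHOLD):
    """The flat rule: alert on any single transfer above a fixed size."""
    return [e for e in events if e["bytes"] > threshold]


def build_baselines(history):
    """Per-user median and MAD of bytes sent; MAD resists a few outliers."""
    per_user = defaultdict(list)
    for e in history:
        per_user[e["user"]].append(e["bytes"])
    baselines = {}
    for user, sizes in per_user.items():
        if len(sizes) < MIN_SAMPLES:
            continue
        med = statistics.median(sizes)
        mad = statistics.median(abs(s - med) for s in sizes)
        baselines[user] = (med, mad)
    return baselines


def baseline_alerts(history, events, k=5.0, threshold=GLOBAL_THRESHOLD):
    """Score each event against its user's baseline; users with no baseline
    fall back to the flat threshold rather than being silently ignored."""
    baselines = build_baselines(history)
    alerts = []
    for e in events:
        if e["user"] not in baselines:
            if e["bytes"] > threshold:
                alerts.append({**e, "score": None, "reason": "no baseline; over global threshold",
                               "classification": ASSET_INVENTORY.get(e["host"], "unclassified")})
            continue
        med, mad = baselines[e["user"]]
        # A zero MAD (perfectly regular user) would divide by zero; fall back to the median.
        scale = MAD_TO_SIGMA * mad if mad > 0 else max(med, 1)
        score = abs(e["bytes"] - med) / scale
        if score > k:
            alerts.append({
                **e,
                "score": round(score, 1),
                "reason": f"{score:.1f}x robust deviation from user median {int(med)}",
                "classification": ASSET_INVENTORY.get(e["host"], "unclassified"),
            })
    return alerts


if __name__ == "__main__":
    hist, new = parse_log(HISTORY_LOG), parse_log(NEW_LOG)
    print("flat rule flags:", [e["user"] for e in global_threshold_alerts(new)])
    for a in baseline_alerts(hist, new):
        print(f"{a['user']} -> {a['host']} ({a['classification']}): {a['reason']}")
```

On this constructed data the flat 20 MB rule flags only bob's routine 43 MB push to the source repository and misses alice's 9 MB transfer to the finance database; the per-user baseline does the reverse, and the inventory lookup tells the analyst the flagged host holds financial data. Carol, who has no history, is judged by the flat rule so the gap in training data is visible rather than silent.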

CISOs struggle to determine which of those layers matter most, and to recognize when there are so many layers that the technologies become redundant or work against each other.

