Detecting Cyberthreats “In Motion” Will Dramatically Improve Detection Rates
by Daniel Nieten, Ph.D.
As the world continues to generate a flood of information, governments, businesses and
individuals understand that nefarious players are everywhere, waiting in the wings to wreak
havoc, potentially on their organization’s data assets. Whether for profit on the black market, to
undermine national or international security, or to obtain intellectual secrets, the threat of a
cyberattack is real and inevitable, making cybersecurity one of the most important issues of our
day.
Yet despite massive amounts of spending on cybersecurity solutions, the frequency and
complexity of breaches continue to increase, and the cost in the aftermath of a breach has
skyrocketed. With increasingly sophisticated blended threats, combined with massive data
volumes that create scalability and speed issues, it’s understandable why the ability to detect a
breach has been so elusive, and why detection times are so long. According to security firm
Mandiant’s 2014 Threat Detection Report, the median number of days that a threat was present
on a victim’s network before detection was 229 days.
Simply put, organizations don’t know what they don’t know, they can’t see what they can’t see,
and as a result, they cannot detect—much less respond to—an anomaly or potential threat that
they don’t even know is either coming at them or already in their system.
Immediate threat detection requires the ability to take in all the information emanating from an
organization’s many data feeds throughout its entire enterprise infrastructure, all at the same
time, all the time, and bring it into one simplified, unified view. Then, that data must be acted upon
when it initially becomes available and while it’s still moving in the system—or what we call “data
in motion”—in order to surgically pinpoint and immediately bubble up to the surface a potential
anomaly or behavior that could pose a threat.
Technology that is architecturally designed to process “data in motion” is able to ingest
everything—i.e. all the data along with its context, from all of the disparate data feeds found in a
typical organization’s IT infrastructure: routers, firewalls, IPS, antivirus, SIEM, syslogs, netflow,
switches and more. Then, leveraging advances in artificial intelligence and machine learning,
the analytics are performed on the fly, creating correlations that can identify a potential threat to
the network. Every component of such a system is created to act on the data before it ever
comes to rest.
This is very different from the majority of the systems in use today, which rely on an
“analytics-after-storage” model where data is gathered and stored in a database. Then, analytics are
performed in batches, but only after the data has been persisted—or has come to rest.
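To make the contrast concrete, here is a small Python sketch of the in-motion model, added as an illustration and not code from the article or any vendor product. Two constructed feeds, a firewall and an authentication server, are evaluated event by event as they arrive, and the cross-feed correlation fires the moment the triggering event is seen, with only a short sliding window kept per host rather than the whole stream; the feed format, window size, threshold and host addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed (not real logs): events from a firewall and an
# auth server interleaved in arrival order, as "timestamp|source|host|event".
SAMPLE_FEED = """\
2015-06-01T10:00:01|firewall|10.0.0.5|deny
2015-06-01T10:00:30|auth|10.0.0.5|login_failed
2015-06-01T10:00:45|auth|10.0.0.7|login_success
2015-06-01T10:01:10|auth|10.0.0.5|login_failed
2015-06-01T10:01:40|auth|10.0.0.5|login_failed
2015-06-01T10:02:05|auth|10.0.0.5|login_success
2015-06-01T10:30:00|auth|10.0.0.9|login_success
""".splitlines()


def parse(line):
    """Split one delimited feed line into (timestamp, source, host, event)."""
    ts, source, host, event = line.split("|")
    return datetime.fromisoformat(ts), source, host, event


class InMotionCorrelator:
    """Evaluates every event on arrival, keeping only a sliding window of
    recent events per host instead of persisting the whole stream."""

    def __init__(self, window=timedelta(minutes=5), threshold=3):
        self.window = window          # assumed correlation window
        self.threshold = threshold    # assumed failed-login threshold
        self.recent = defaultdict(deque)  # host -> deque of (ts, source, event)

    def ingest(self, ts, source, host, event):
        q = self.recent[host]
        q.append((ts, source, event))
        while ts - q[0][0] > self.window:   # evict events older than the window
            q.popleft()
        fails = sum(1 for _, s, e in q if s == "auth" and e == "login_failed")
        denied = any(s == "firewall" and e == "deny" for _, s, e in q)
        if event == "login_success" and denied and fails >= self.threshold:
            return f"{ts.isoformat()} {host}: success after {fails} failures and a firewall deny"
        return None


def run(feed):
    """Feed lines through the correlator in order; alerts fire mid-stream."""
    c = InMotionCorrelator()
    return [a for a in (c.ingest(*parse(line)) for line in feed) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_FEED):
        print("ALERT", alert)
```

The alert for 10.0.0.5 is raised when the sixth line arrives, before any of the earlier lines would have been written to a database in the analytics-after-storage model.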
39 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide