There are 40 times more bytes of data in the digital universe than stars in the observable universe, and this cosmos of data is growing every second, with every email we send, every document we save, and every social media post we publish. If you imagine the night sky with 40 times the number of stars than you can currently see, it’s easy to understand how such large volumes of data can be overwhelming to security teams.
Not only are company teams dealing with massive amounts of business data, but they’re also dealing with security-generated data coming in from all manner of infrastructure and application sources that their organization’s analytics tools just aren’t equipped to deal with. This data isn’t just generated by traditional business functions anymore; it also comes flooding in from the digital cloud-based client applications in both structured and unstructured formats. When faced with so much disparate data, locating a security incident and responding to it is like finding a needle in a haystack. Except that you haven’t even stacked the hay yet.
To find out more about how organizations can clarify their security operations and respond more efficiently to incidents, we spoke to Chris Jordan, CEO and Co-Founder of Fluency Security, and Al Wissinger, Fluency’s Managing Director of Strategic Solutions. Jordan has been in the security space for more than 30 years, starting in emergency response and network operations before moving into research and product development. Wissinger started his security career working on cryptographic and communications technology in the United States Navy before moving directly into the tech security market, where he’s spent the last 40 years.
Fluency Security was launched in 2013 as a SIEM solution designed to help organizations collect and store data from various architectures and analyze it in a meaningful way in order to efficiently detect and respond to threats. One of the biggest challenges that organizations face when it comes to incident response is in knowing where to start – that’s why, in 2016, Fluency Security pivoted to a User and Entity Behavior Analytics (UEBA) method of streaming analytics that enables tech teams to analyze data from all sources as it comes in. This UEBA technology helps avoid alert fatigue by reducing false positives and allows organizations to more efficiently focus on real threats.
Businesses Must Analyze A “Staggering” Amount Of Data
One of the biggest challenges that organizations are currently facing is in how to manage and analyze their data and, Jordan says, in determining what actions to take based on that analysis. This comes as a result of how rapidly technology has evolved in recent years.
“Infrastructure is different to how it was 20 years ago. Companies are realising their infrastructure is no longer a controlled company perimeter; it now includes external networks, IaaS, SaaS, home workers and hybrid workers, so the amount of information coming through is staggering,” Jordan explains. Over the last year in particular, organizations have had to adapt to two major infrastructural changes simultaneously: the adoption of cloud technology, and the shift to remote working. “Companies are struggling with moving into this larger environment,” Jordan says.
Particularly affected by these changes are SMBs and upper-medium-sized organizations with 1000-1500 employees, Wissinger adds. These companies were not prepared to work this way, especially with employees using their own computers. The introduction and enhancement of regulations designed to ensure that all companies are working securely under these new conditions is an additional burden. “A lot of these [SMBs] have no cybersecurity infrastructure; they simply have teams that are trying to manage the business. Add in these companies trying to obtain their SOC2 compliance in this broadened digital environment, and they are failing their audits substantially.”
The solution to this challenge, Jordan says, is investing in a Security Information and Event Management (SIEM) solution that can help an organization to organize the data coming in from this variety of environments. Using the UEBA approach provides complete visibility across organizations, ensuring that users are associated with actions and anomalies are detected no matter what source the data is coming from. Once an anomaly has been correctly identified, the security team can then action it – without having had to wade through hundreds of alerts to pick it up in the first place.
Let’s go back to our haystack. The UEBA-based SIEM gathers the organization’s hay (data) into an organized stack and finds the needles via threat and anomaly detection. It then passes the needles over to the security team to deal with in their incident response.
“You can describe it in three words,” Wissinger says. “Visibility, detection and response.”
Working From Home: Monitoring A Cloud-Based Infrastructure
Over the last year, the Coronavirus pandemic has greatly accelerated the worldwide trend of cloud migration. Organizations that had been planning to adopt cloud ways of working had to implement those plans more quickly than anticipated, and others that hadn’t yet put together a migration strategy struggled to equip their employees to work securely from home. This often meant moving servers into the cloud and then managing and monitoring them as though the shift hadn’t occurred, Jordan says.
“They put a machine in an AWS container and grab the audit logs just like they used to. But the problem is that the environment isn’t operating in the same way, so they don’t understand how a person is using their machine all the time.”
When first adopting new technology, the average administrator doesn’t yet know where to find their logs or how to use them. “It takes a while for the industry to get its expertise. We include rules in there from our own expertise that accelerate the organization’s understanding of their own logs,” Jordan says.
Having this understanding is crucial when a large percentage of the workforce is remote, because employees don’t always use their devices in line with corporate use policies when they aren’t directly in an office environment. They might, for example, use their work laptop to stream a series they’re watching, or allow their children to play games on it, which could lead to the accidental download of malicious content.
“By deploying [a SIEM] solution with an EDR (endpoint detection and response) component, we can rebuild employee activity outside of the corporate perimeter and give the company their visibility back,” Wissinger says. “It’s critical for the security team to have visibility into what each employee’s habits are.” This visibility then enables the security team to better respond to anomalous data.
“Business Drives Security”
As our data cosmos continues to expand and we move forward into a world where our technological infrastructures have to grow to keep up with the masses of data we’re producing, Jordan says that it’s important to remember that security and business go hand in hand.
“Business drives security. The business has to be proficient and make money, so the successful people are going to be the ones who absorb the new ways in which they’re doing business and secure the way they’re making money, not the way they think people should work.”
A lot of organizations sacrifice security for a higher profit, and that’s never going to change. But the way that organizations focus their security will become more human-centric, Jordan predicts. “It’s not BYOD anymore; it’s bring your own home. You’re letting the entire house and family into your infrastructure, so it’s important to focus on securing people and entities, rather than IP addresses.”
“A CIO is not a security person who does business; they are part of a business that needs to be secure.”
This prediction is reinforced by the sophisticated attacks that many organizations are currently facing. Ransomware attacks increased by 50% at the end of 2020 compared to the first half of the year, and we can only expect this trend to continue. With that in mind, it’s important to remember that these attacks don’t just result in a loss of data, Wissinger says, but also of a company’s business operations. When these suffer, so too do the organization’s revenue and reputation.
“It’s really problematic from SMBs all the way up to large corporations,” Wissinger says.
Set Objectives, Build Your Infrastructure, And Test, Test, Test!
There are three key stages to implementing a security infrastructure, Jordan and Wissinger say. The first of these is setting your security objectives. “You have to have a reason why you’re doing it, and clearly understand that reason,” Jordan explains.
Secondly comes building the infrastructure itself. For this task, Jordan recommends that organizations invest in third-party solutions, rather than trying to build everything on their own. “The IT professionals securing the organizations shouldn’t focus on creating everything from scratch, because they need to learn fast and they need to implement,” he says. “They need to be able to take advantage of the products and intelligence already out there.”
One reason for this is to leverage existing knowledge, both of the threat landscape itself and of how to build an infrastructure that successfully combats it. The key to that is organization. “Businesses need to stop treating security like a garage that you throw everything into and eventually have to spend days cleaning up. Security needs to be organized so that you aren’t wasting time trying to work out whether there’s a problem.”
Another useful thing to bear in mind when creating your infrastructure is the regulatory body of your industry, and the guidelines they set for auditing your security. “You need to use frameworks like NIST or the ISO 2700 to build your infrastructure,” Wissinger says. But both Jordan and Wissinger warn against relying solely on meeting a checklist for strong security. “You could make a pillow out of concrete and it might check all the boxes in the instructions, but it wouldn’t be a good pillow!” Jordan illustrates.
Because of this, it’s crucial that organizations regularly test their security after building it.
“Test your mitigation plans and how you handle incidents or breaches,” Wissinger says. And while doing that, it’s important to keep your original objectives in mind, Jordan adds: “You’re doing it to secure your network to secure your business, so that your business can make money.”
Thank you to Chris Jordan and Al Wissinger for taking part in this interview. You can find out more about Fluency Security and their UEBA-based SIEM at their website and via their LinkedIn profile.