It is no news to anyone in cyber security, or information security generally, that threats are increasing, cyber security costs are escalating and managing enterprise security is becoming ever more complex. The current approach, as laid out below, is not scalable in this rapidly evolving environment.
Instead, there has to be a fundamentally new approach to how we address security. We call this User‑centric Enterprise Security: a strategy that focuses on identifying breaches in a highly user-specific fashion and ensuring the user is part of the remediation process.
Today’s security architecture is beginning to fall apart at the seams. The classic model deployed by the vast majority of significant organisations includes:
At the most fundamental level, the approach has to be correct. We gather data, we use technological means to examine that data, and thereby identify malicious behaviour that cannot be spotted by other means.
However, the current SIEM/SOC implementation suffers for a number of reasons.
SIEM technology is typically charged by the gigabyte, not to mention the physical infrastructure costs of data storage, and even businesses in a relatively steady state are increasing their SIEM usage by 30-50% per year.
Today’s attacks are increasingly well prepared, targeted and carried out by hackers who are able to carefully zone in on specific weaknesses.
The Security Operations Centre is itself a relatively new animal, fitting into the still-developing and exponentially expanding cyber security It’s hard to find well-qualified and experienced SOC engineers. When they are sourced, they are expensive and difficult to retain.
It takes substantial time for a good SOC to tune and educate a good SIEM in order to identify real problems for the enterprise. Even when the system is tuned, false positives abound. The SOC must process a large number of alerts every day, each one taking significant effort and investigation, and frequently communication with other users in the business.
Users are not engaged in cyber security and often resent the communications that do come from the SOC when trying to track down breaches.
When security teams are communicating with users, it is typically to point out where they messed up. This does not lead to a positive and supportive engagement with security.
The most frustrating aspect of the entire SIEM/SOC architecture is that it gathers a huge volume of data, the vast majority of which is harmless and most of which is repeated day after day. We need to reduce this load on the SIEM/SOC.
Alongside the increasing volume of data to manage, it’s also necessary to protect more applications and tools – which will become untenable in current platforms. Many SIEM deployments protect only some components of the cyber estate. Due to the time and costs involved, deployments are gradual and fractured, often leaving gaps due to limited resources. However, attacks can come from anywhere and the entire company therefore needs to be secured.
While the standard architecture continues to expand and suck up resources, there are large areas of technology that are not being protected.
In today’s hyper-connected, mobile‑led world, users are engaging with their business via multiple devices, from many different locations, in many different ways. They are accessing numerous applications, each containing critical information about the business: email, collaboration platforms, ERP, and CRM, to name a few.
Within each industry there are also critical applications that are industry specific, to support activities such as trading, underwriting, case management, intellectual property management, and many more.
This means that there is a critical vulnerability at the nexus where users meet applications.
There are numerous ways in which hackers can access a user’s credentials and enter their accounts silently. Even with two factor authentication, VPNs and other technologies, there are increasing numbers of man-in-the-middle attacks, targeted attacks, malware attacks and others which allow a competent hacker to compromise accounts – not to mention careless user behaviour.
Nearly all applications are managed by an administration platform which gives its users almost godlike privileges. Whether through malice or error, it is incredibly easy for privileged users to access any data or account and impersonate their colleagues – from CEO downwards. There have been many cases where the administration users have themselves been compromised, providing external bad actors with almost complete control of an organisation. Privileged Access Management platforms provide protection in some areas but cannot identify where an admin user is carrying out a malicious action.
Weaknesses in the underlying infrastructure can also result in an unauthorised access to a resource.
There are two specific vulnerabilities which are worth emphasising:
The good news is that both of these challenges can be solved.
The second problem – the vulnerability of critical applications – can be addressed by using the same basic principles of the current SIEM/SOC architecture: every application provides highly detailed logs that will reveal malicious behaviour. However, these are never activated, partly because their volume would completely flood any existing SIEM, possibly by an order of magnitude; and partly because almost no one has the skills to process and manage them.
The answer is User-centric Enterprise Security. Application logging must be enabled to track all access to accounts and any reconfiguration of these accounts. This information contains everything we need to understand whether an account has been compromised. However, we cannot process it as an unstructured data lake. Instead, a new three-pronged approach is required.
Instead of assuming everything is unstructured data, the processing can be massively streamlined if we know what the logs mean, and which logs may lead to compromised data or impersonation.
For each application, we must understand the user’s normal behaviour. Every user in a business operates differently. We cannot assume that all email users behave the same way, or that all collaboration users in the business behave We must accept that everybody is unique.
This involves looking for simultaneous connections to a user’s various different accounts from different locations; and looking for connections that do not make sense based on the user’s recent or current location.
With this in mind, it is possible to build a highly efficient system to detect malicious behaviour extremely accurately.
But there is one more key step needed for true user-centric security.
The classic SIEM/SOC architecture relies on the SOC engineer to identify the issue. Then, it’s necessary for the SOC engineer to discuss the matter with the users involved, in order to identify whether this is genuinely a breach or in fact legitimate, but unusual or new behaviour. This communication is frequently delayed, often frustrating for all parties involved and has little added value.
The alternative is to communicate automatically with the user, in a user-centric, user-friendly manner.
When a user accesses an account or application in an unusual fashion, the user knows best whether they are responsible for this change in behaviour or an attacker has breached the system. When a new delegate is added to an account, documents are shared strangely, or rights are granted to other users – again, it is the user (the account owner) who knows whether these are legitimate actions.
We MUST begin to harness this knowledge. We must provide the user with comprehensible and easy-to-respond-to information, allowing them to instantly identify the real breaches.
With this in mind, the entire user base of the company can become part of the cyber defences. Simultaneously, the scaling, cost and speed issues of the classic architecture can be mitigated.
Advantages of this approach include:
While the recipe above is certainly the way forward, it is by no means trivial. There are many ways in which this approach can collapse on itself. It is critical that we accurately identify the likely breaches. It is fundamental that the communication with the user is easy-to-understand and there is clarity on how to react. It is also crucial that the user is not flooded by frequent messages and important to engage them in the process step-by-step.
And, of course, we absolutely must retain the engagement with the SOC to ensure that there is a single place to understand all vulnerabilities in all security incidents, and to manage over organisation security.
All of these problems can be solved with the right technology and the right processes.
Learn more about IDECSI's technology to empower your users to secure your enterprise or contact our cyber security experts to schedule a live demo.