CYBERSECURITY ANALYTICS AND OPERATIONS: THE NEXT GENERATION IS NOW

A WHITE PAPER BY UNISYS


The Crux of Cybersecurity

Time-to-action is the crux of cybersecurity analytics and operations. With sophisticated threats launched every day, the influence of the dark web, and hackers employing cutting-edge technology, businesses must be able to predict, respond, and remediate threats faster than ever before.

The 2017 ESG Research Report Cybersecurity Analytics and Operations in Transition,1 sponsored by Unisys and other technology vendors, provides hard data on the cybersecurity challenges, objectives, and opportunities of businesses today. A total of 412 IT and cybersecurity professionals responsible for evaluating, purchasing, and managing cybersecurity analytics and operations processes and technologies for their organizations participated in the survey. The participants represented large midmarket (500 to 999 employees) and enterprise (1,000 or more employees) organizations in North America and Western Europe, and came from multiple industry verticals including manufacturing, finance, and retail/wholesale.

The statistics generated by the survey are more than numbers – they tell a clear story of where cybersecurity analytics and operations are today and where they need to be tomorrow.

Why Cybersecurity is More Challenging Than Ever Before

All stories center around tension and conflict – and the cybersecurity story is no different. An overwhelming 71% of respondents affirmed that cybersecurity analytics and operations is more difficult today than it was just two years ago. The top three most cited reasons for this increased difficulty are:

• The rapidly evolving threat landscape (26%). Organizations have to contend not only with traditional malware – now available on the open market – but also with an entirely new evolution of attack vectors that use machine learning and algorithms. For example, an algorithm can be created within malware so that the external IP address of a botnet command center constantly changes. If a company is relying on a rules-based system, that defense has a high likelihood of being ineffective against such an attack, since it is almost impossible to write a rule that identifies and addresses so complex a pattern.

• The recent changes in regulatory requirements (19%). Requirements for highly regulated industries have become much more rigorous over the past two years, making security analytics and operations more difficult. These regulations are not only concerned with external bad actors who may be attempting to exfiltrate data, but also with internal users who – through malicious intent or simple ignorance – may store or share information inappropriately.

• The increased volume of security alarms (19%). The volume of security alarms continues to rise exponentially. If organizations are not able to discern which are true concerns and which are false positives, they become stymied in their efforts to ensure cybersecurity.

These challenges are impossible to overcome through traditional means because there is too much data, too few resources, and too little time.

Too Much Data

Over half of the respondents to the ESG survey reported collecting 6TB+ of security data monthly. Such a colossal amount of information is impossible to sift through using rules-based tools and manual investigation.

Compounding the problem, the data is coming from multiple point solutions, with often little or no correlation of data between the different systems. Sixty-seven percent (67%) of survey respondents agreed or strongly agreed that their security analytics and operations effectiveness is limited because it is based upon multiple independent point tools.

Too Few Resources

Organizations are having difficulty with both the number of resources they have and the skill level of those resources. According to the report:

• 58% of respondents affirmed that their security analytics and operations effectiveness is limited because of employee skills gaps

• 54% stated that their organization needs to improve with regard to the skill levels of cybersecurity analytics and operations staff

• 62% planned to increase their cybersecurity analytics and operations staff by 10% or more

• 81% of those organizations with a planned headcount increase of cybersecurity analytics and operations staff believe recruiting and hiring additional staff for cybersecurity analytics and operations is difficult

These statistics are sobering, especially as the cybersecurity workforce shortage is estimated to hit 1.8 million by 2022 – a 20% increase since 2015 (Source: Global Information Security Workforce Study). The ability to find new resources is not going to get easier any time soon.

1 All statistics in this paper, unless otherwise noted, are from the ESG Research Report, Cybersecurity Analytics and Operations in Transition, July 2017.


Too Little Time

The number one cited objective by survey participants for their organizations’ threat intelligence program was to improve risk management efficiency and effectiveness (33%). Speed is essential to combat the innumerable attacks being levied against companies worldwide.

It is literally impossible, using traditional security tools, to throw enough manpower into cybersecurity analytics and operations to manage the volume of data in the tight timeframe in which it must be analyzed. The only way to resolve this dilemma is to change how cybersecurity is handled by leveraging advanced analytics, automation, and machine learning to enable organizations to do more in less time with fewer people.

Advanced Analytics

The vast majority of companies, 81%, are making cybersecurity a high priority in their organization, and 78% have a formal plan and funding in place to improve security analytics and operations this year. There is a lot of energy fueling the drive for increased security, with 72% of respondents affirming that business management is pressuring the cybersecurity team to improve security analytics and operations.

Of the organizations who are currently consolidating and integrating security analytics and operations tools, or planning to do so, the following approaches were the most cited:

• Integrate network and endpoint security analytics tools (37%)

• Integrate security analytics and operations tools closer with identity management (30%)

• Implement some type of common data management platform to collect and process all distributed security data (28%)

• Integrate multiple data sources into a common SIEM (27%)

• Use APIs provided by security technology vendors to write code for product integration (25%)

All of these approaches leverage advanced analytics to correlate data, analyze it, and make it actionable in real time. This is vital because, with alerts pouring in, personnel need to know where to focus their time based on the context of an alert and the level of risk it represents.

Actualizing these plans will, of course, require appropriate budgeting. Eighty-two percent of respondents concurred that their organizations would increase spending on security analytics and operations in the future.


Automation

Automation augments the power of advanced analytics by reducing the amount of human intervention required to prevent and remediate cyberattacks. Human investigation and intervention will never be completely done away with, but automation can relieve the load and allow personnel to focus their attention and efforts only where necessary.

Companies recognize this fact, with over half of the organizations surveyed currently engaged in automation for security analytics and operations. The top three most cited priorities for automation are:

• Integrate external threat intelligence with internal security data collection and analysis (35%)

• Add custom functionality that sits above existing security tools (30%)

• Automate basic remediation tasks (e.g., update endpoint and network security controls with latest IoCs, etc.) (29%)

For example, automation could be used to immediately quarantine a machine in the event of suspicious behavior. It is not necessary to have a person approve such an action if there is a high probability that the alert is valid based on known inputs. However, if a critical application server affecting hundreds of people is involved, an automated system may escalate the alert to a human investigator in light of the impact a quarantine decision would have.

Machine Learning

Machine learning is a cutting-edge field within computer science – a type of artificial intelligence (AI) that enables computers to constantly optimize and improve without human intervention. Using algorithms that iteratively draw lessons from data, machine-learning systems identify patterns and find hidden insights without being explicitly programmed.

Machine learning algorithms are often classified by supervised or unsupervised learning:

• Supervised learning trains models by using data, which has a known result, often tagged by humans. For example, a model might shut down an individual’s credit card automatically if a charge comes in for an unusual amount or from an unusual location.

• Unsupervised learning trains models by using data that has no prior designation of results. The models explore relationships and can identify new answers and findings as data streams evolve. For example, if a botnet command center’s IP address is constantly changing, an unsupervised model would not need to know that certain IP addresses are suspect. Simply based upon the behavior (e.g., an internal IP is repeatedly attempting to connect to an external IP, but the external IP is changing frequently) the model can recognize the risk and respond accordingly.
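As an added example (not code from the Unisys paper or its Advanced Analytics platform), the following Python sketch puts together the two ideas described above: the behaviour-only detection of an internal host that keeps connecting outward while its external peer changes on almost every connection, and the automation rule that quarantines a low-impact host on a high-confidence alert but escalates to an analyst when a server that many people depend on is involved. Everything in it is assumed: the flow log is constructed (RFC 5737 documentation addresses, no real traffic), the internal range 10.0.0.0/8, the user-count inventory, and the two thresholds (a modified z-score of 3.5 for "high probability the alert is valid", 100 dependent users for "critical"). The scoring uses a median/MAD outlier test so that no list of suspect IP addresses is needed, which is the property the unsupervised example relies on.

```python
"""Added example: behaviour-based churn detection plus an impact-aware response decision.
Not from the Unisys paper; flow records, inventory and thresholds are all constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the organisation's address space


def constructed_flows():
    """Synthetic outbound flow log, one 'timestamp src dst port' line each (constructed, not captured)."""
    normal = {  # ordinary hosts return to a small, stable set of external services
        "10.0.0.11": ["192.0.2.10", "192.0.2.20"],
        "10.0.0.12": ["192.0.2.10", "192.0.2.20", "192.0.2.30"],
        "10.0.0.13": ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"],
        "10.0.0.14": ["192.0.2.20", "192.0.2.30", "192.0.2.50"],
    }
    lines = []
    for host, dsts in normal.items():
        for i in range(12):
            lines.append(f"2017-08-01T09:{i:02d}:00 {host} {dsts[i % len(dsts)]} 443")
    for i in range(12):  # two hosts whose external peer changes on every single connection
        lines.append(f"2017-08-01T09:{i:02d}:30 10.0.0.50 203.0.113.{i + 1} 443")
        lines.append(f"2017-08-01T09:{i:02d}:45 10.0.0.60 198.51.100.{i + 1} 443")
    return lines


def parse_flow(line):
    ts, src, dst, port = line.split()
    return ts, ip_address(src), ip_address(dst), int(port)


def destination_churn(lines):
    """Per internal source: distinct external destinations / outbound connections (0..1).
    No reputation list is consulted; only the connection pattern itself is used."""
    totals, dests = defaultdict(int), defaultdict(set)
    for line in lines:
        _, src, dst, _ = parse_flow(line)
        if src in INTERNAL_NET and dst not in INTERNAL_NET:  # outbound flows only
            totals[src] += 1
            dests[src].add(dst)
    return {str(src): len(dests[src]) / totals[src] for src in totals}


def robust_outlier_scores(values):
    """Unsupervised scoring: modified z-score of each host against the population median/MAD,
    so a host is judged by how far it deviates from its peers, not by a hand-written rule."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    scores = {}
    for key, v in values.items():
        if mad == 0:  # degenerate population: anything off the median is an outlier
            scores[key] = float("inf") if v != med else 0.0
        else:
            scores[key] = (v - med) / (1.4826 * mad)
    return scores


ASSET_USERS = {"10.0.0.60": 300}   # constructed inventory: users depending on each host (default 1)


def decide_response(host, score, alert_threshold=3.5, impact_threshold=100):
    """High-confidence alert on a low-impact host: act automatically.
    High-confidence alert on a host many people depend on: hand it to a human."""
    if score < alert_threshold:
        return "no-action"
    if ASSET_USERS.get(host, 1) >= impact_threshold:
        return "escalate-to-analyst"
    return "auto-quarantine"


def triage(lines):
    """Map every internal source host to (churn outlier score, chosen response)."""
    scores = robust_outlier_scores(destination_churn(lines))
    return {host: (round(score, 2), decide_response(host, score)) for host, score in scores.items()}


if __name__ == "__main__":
    for host, (score, action) in sorted(triage(constructed_flows()).items()):
        print(f"{host:<10} churn-score={score:>6}  action={action}")
```

With the constructed log, the four ordinary workstations score well under the alert threshold, 10.0.0.50 is quarantined automatically, and 10.0.0.60 (300 users in the inventory) is escalated instead; in practice the churn ratio would be computed per time window and the population baseline refreshed as the data stream evolves.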


Advanced Analytics, Automation, and Machine Learning to Transform Your Business

Unisys’ Advanced Analytics platform incorporates a library of machine learning algorithms together with a suite of proven methodologies and processes that analyze and extract important details and insights from your underlying structured and unstructured data.

Unisys leverages a complete machine-learning toolkit to enhance and develop new algorithms. Among others, this toolkit includes: Naive Bayes, Network Graphing, and Support Vector Machines. Such algorithms are the foundation of advanced predictive analytics. The system also generates prescriptive reporting – analytics that not only forecast future conditions, but actually recommend future actions for maximum decision support.

Unisys’ Machine Learning Capability facilitates predictive analytics and incorporates prescriptive activities to help organizations transform and optimize current business processes to new levels of success.

Machine learning enables better decision-making by incorporating subtle nuances in data that may be less apparent when using more traditional linear relationships as models. Plus, machine learning empowers companies to not only assess current conditions, but to anticipate future circumstances and position themselves accordingly.

Organizations are very interested in machine learning, with the primary drivers for deployment being to accelerate incident detection (29%) and to accelerate incident response (27%). However, there is currently a wide disparity in machine learning maturity. Only 12% of respondents stated that their organization is leveraging machine learning technologies for security analytics and operations extensively.

The Next Generation of Cybersecurity

The factors that make cybersecurity so challenging are not going to change or lessen. The threat landscape will continue to evolve. Regulatory requirements will continue to become more rigorous and detailed. The volume of security alarms will continue to climb.

But companies can meet these challenges by turning to advanced analytics, automation, and machine learning. These tools transform the flood of data from overwhelming to actionable. They make it possible to combat threats that have never been seen before or even conceived of. They provide new levels of insight into an organization’s critical assets and vulnerabilities.

Together, these three tools can take cybersecurity teams to an entirely new level of hunting, empowering them to take a proactive stance rather than a reactive one. This is the next generation of cybersecurity analytics and operations. It is here. It is now.

For more information, visit: www.unisys.com/cyber-analytics

or contact us at: [email protected]

Follow Unisys on Twitter and LinkedIn

ABOUT THE AUTHOR

Unisys Thought Leader Mark Loucks

Mark Loucks is a senior data scientist with Unisys and serves as Principal Practice Director for our Cyber Security Intelligence group. He is also a member of the Unisys Advanced Data Analytics leadership team, responsible for promoting the advancement of data intelligence and automation to solve some of our clients’ most difficult problems.

He is an entrepreneurial and visionary executive with 25 years of experience in digital technology, advertising, marketing, strategy, product development, and growth. His leadership, expansive technical knowledge, and market development capabilities have helped organizations achieve significant growth across multiple verticals internationally, including Retail, Financial Services, Automotive, Technology, Travel, and Telecommunications.

For more information visit www.unisys.com

© 2017 Unisys Corporation. All rights reserved.

Unisys and other Unisys product and service names mentioned herein, as well as their respective logos, are trademarks or registered trademarks of Unisys Corporation. All other trademarks referenced herein are the property of their respective owners.

Printed in the United States of America 08/17 17-0498