Why real-time visibility into big data will help keep networks secure

By Nick FitzGerald, Senior Research Fellow, ESET

Cybercrime continues to worsen in Australia with the Australian Cyber Security Centre (ACSC) 2017 Threat Report revealing that cyber incidents had increased by 15 per cent compared with the previous year. Furthermore, the attacks were more sophisticated and more than half were online scams or fraud, which was an increase of 22 per cent. The report also identified the lack of security in Internet of Things (IoT) devices as an emerging threat.

With threats becoming both more severe and more prevalent, businesses need real-time visibility into the large volumes of security data they already collect in order to keep networks and endpoints secure. Organisations now have access to unprecedented amounts of data from endpoints, networks, servers, and the perimeter, generated by sensors and security applications deployed throughout the environment. As that data has proliferated, it has become harder to aggregate, correlate, and analyse it into a clear decision about where to act. Unified threat visibility and management is the goal for organisations looking to improve their security posture.

Most businesses are still far too slow at detecting and mitigating breaches. Some reports suggest that it takes an average of 146 days to detect a breach, and that up to 81 per cent of reported intrusions are discovered not by internal security processes but through news reports, law enforcement notifications, or external fraud monitoring. That makes it harder for businesses to comply with the EU's upcoming General Data Protection Regulation (GDPR), which requires the supervisory authority to be notified 'without undue delay' and, where feasible, within 72 hours of the organisation becoming aware of the breach.

Network visibility is crucial to complying with data breach regulations. Many organisations still don't appreciate the gravity of their responsibility to keep people's data safe. The Office of the Australian Information Commissioner (OAIC) reported that more than 60 data breaches were notified in the first six weeks after the Notifiable Data Breaches scheme came into effect in Australia in February 2018. Businesses that keep missing opportunities to remediate threats sooner are likely to suffer significant losses: financial losses from being unable to operate as normal, reputational damage from customers who no longer trust the organisation to keep their information secure, the direct costs of getting infected systems cleaned up and back in service, and potentially heavy fines under the GDPR.

However, while most business leaders know they need to move faster to combat breaches, they’re hampered by a lack of resources and visibility.

In other words, while there is plenty of information available, the key challenge is being able to analyse that data effectively.

For example, network defenders monitor for threats as they attempt to traverse the network. On a busy network, full packet capture produces terabytes of data every few hours, which makes it practically impossible to pick out the useful data in real time without automated filtering.

Endpoints also generate data, but with a different structure and nature, so it must be parsed and analysed differently from network data. Availability data is different again: it monitors the health of enterprise systems and readily produces false positives on harmless activity, such as a service restarting. Separating the useful data from the extraneous is complex, and it is not practical or reasonable to expect the IT security team to do it manually.

While it may seem logical to simply aggregate all that data into one store, the reality isn't so simple. Turning that data into insights that can be acted on is a herculean task because of the volume and heterogeneity involved. Every day spent managing and analysing it adds to the company's mean time to detection (MTTD) and mean time to remediation (MTTR).

This is where big data solutions can help. A big data platform harnesses clusters of machines that scale horizontally to ingest the data however much there is. The ability to search unstructured data for useful information is essential. It can be augmented by filtering components that discard low-value data before it eats up analysis time and that flag likely false positives. Such systems can usefully and reliably reduce the volume of data in question before human intervention is required.
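The normalise, reduce, then correlate pipeline described in the last few paragraphs, as an added example written for this page rather than code from ESET or any product. It takes three differently shaped feeds (JSON flow records, key=value endpoint events, CSV availability checks), maps them onto one schema, drops the records that almost never need a human, and raises an alert only where the surviving evidence lines up on one host. The sample records, the allowlist of known-good destinations, the list of suspicious parent processes and the three-consecutive-failures rule are all constructed assumptions for illustration.

```python
"""Toy security-telemetry pipeline: normalise -> reduce noise -> correlate.
Added example; all feeds, lists and thresholds below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds (one record per line, three different shapes).
NETWORK_FEED = [  # JSON flow records
    '{"ts":"2018-04-10T09:00:01Z","src":"10.0.0.12","dst":"203.0.113.9","dport":443,"bytes":5120}',
    '{"ts":"2018-04-10T09:00:05Z","src":"10.0.0.12","dst":"198.51.100.77","dport":4444,"bytes":80}',
    '{"ts":"2018-04-10T09:00:07Z","src":"10.0.0.30","dst":"203.0.113.9","dport":443,"bytes":2048}',
]
ENDPOINT_FEED = [  # key=value lines from an endpoint agent
    "ts=2018-04-10T09:00:03Z host=10.0.0.12 event=process_start image=powershell.exe parent=winword.exe",
    "ts=2018-04-10T09:00:20Z host=10.0.0.30 event=process_start image=chrome.exe parent=explorer.exe",
]
AVAILABILITY_FEED = [  # CSV: ts,host,check,status
    "2018-04-10T09:00:00Z,10.0.0.12,http,up",
    "2018-04-10T09:00:30Z,10.0.0.12,http,down",  # single blip, recovers
    "2018-04-10T09:01:00Z,10.0.0.12,http,up",
    "2018-04-10T09:00:00Z,10.0.0.45,http,down",
    "2018-04-10T09:00:30Z,10.0.0.45,http,down",
    "2018-04-10T09:01:00Z,10.0.0.45,http,down",  # sustained outage
]

KNOWN_GOOD_DESTS = {"203.0.113.9"}                         # assumed allowlist of sanctioned services
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed: Office spawning a shell


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(network, endpoint, availability):
    """Map each feed's own shape onto one common record: ts, host, source, kind, detail."""
    events = []
    for line in network:
        r = json.loads(line)
        events.append({"ts": parse_ts(r["ts"]), "host": r["src"], "source": "network", "kind": "flow", "detail": r})
    for line in endpoint:
        r = dict(kv.split("=", 1) for kv in line.split())
        events.append({"ts": parse_ts(r["ts"]), "host": r["host"], "source": "endpoint", "kind": r["event"], "detail": r})
    for line in availability:
        ts, host, check, status = line.split(",")
        events.append({"ts": parse_ts(ts), "host": host, "source": "availability", "kind": check, "detail": {"status": status}})
    return sorted(events, key=lambda e: e["ts"])


def reduce_noise(events, min_consecutive_down=3):
    """Discard records that almost never need a human: flows to allowlisted destinations,
    process starts with benign parents, and availability failures shorter than N checks in a row."""
    kept, down_streak = [], defaultdict(int)
    for e in events:
        if e["source"] == "network":
            if e["detail"]["dst"] not in KNOWN_GOOD_DESTS:
                kept.append(e)
        elif e["source"] == "endpoint":
            if e["detail"].get("parent") in SUSPICIOUS_PARENTS:
                kept.append(e)
        else:  # availability: keep one record when the streak first reaches the threshold
            key = (e["host"], e["kind"])
            if e["detail"]["status"] == "down":
                down_streak[key] += 1
                if down_streak[key] == min_consecutive_down:
                    kept.append(e)
            else:
                down_streak[key] = 0  # recovery resets the streak, so blips never surface
    return kept


def correlate(events, window=timedelta(minutes=5)):
    """Group surviving events per host; endpoint + network evidence inside the window is high severity."""
    by_host = defaultdict(list)
    for e in events:  # events arrive time-sorted, so each host's list stays ordered
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        sources = {e["source"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]
        evidence = [f'{e["source"]}:{e["kind"]}' for e in evs]
        if {"endpoint", "network"} <= sources and span <= window:
            alerts.append({"host": host, "severity": "high", "evidence": evidence})
        elif sources == {"availability"}:
            alerts.append({"host": host, "severity": "low", "evidence": evidence})
        else:
            alerts.append({"host": host, "severity": "medium", "evidence": evidence})
    return alerts


def run_pipeline(network=NETWORK_FEED, endpoint=ENDPOINT_FEED, availability=AVAILABILITY_FEED):
    """Run all three stages and report how much the reduction step cut before anyone looks."""
    ingested = normalize(network, endpoint, availability)
    kept = reduce_noise(ingested)
    return {"ingested": len(ingested), "kept": len(kept), "alerts": correlate(kept)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

On the constructed input, 11 records are ingested, 3 survive reduction, and two alerts come out: a high-severity one for 10.0.0.12 (an Office-spawned PowerShell followed seconds later by an outbound connection on port 4444) and a low-severity one for 10.0.0.45's sustained outage; the single "down" blip on 10.0.0.12 never reaches an analyst. The point is the shape, not the rules: each feed needs its own parser, the noise filters are where most of the volume disappears, and only the residue is correlated.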

Once that's done, the system must include reporting capabilities so that IT and security staff can quickly understand what actions to take to secure the enterprise. Approaching security this way minimises the time team members spend on manual or repetitive tasks and frees them to apply their skills to more valuable work such as strengthening the network's defences or combatting specific attacks.

Visibility is therefore the Holy Grail for network security. It drives the ability to access, analyse, and act on data in real time, which is essential for bringing down MTTD and MTTR. Being able to see all the information through a unified interface saves time and makes it easier for security staff to understand what they're dealing with. The solution should deliver visibility into zero-day threats, advanced persistent threats, and botnets, while also being able to adjust the policies and configurations of endpoint security products.

By focusing on smarter ways to gather all the relevant data and analyse it using big data tools and techniques, businesses can gain the unified visibility they need in real time. This lets them act faster to remediate threats to the network and therefore can be a game-changer for cybersecurity.