Automation and user behavior analysis crucial to adaptive security

 It is time for enterprises to take a page out of their adversaries’ playbook by

 It is time for enterprises to take a page out of their adversaries’ playbook byWith enterprises going through digital transformations that bring fresh technologies such as big data and IoT into their traditional IT infrastructure, protecting the network and the digital assets has become a complex affair.

To crack into companies’ vastly expanded attack surface, cybercriminals are now using automation to launch sophisticated cyberattacks, according to Wickie Fung, general manager for Hong Kong and Macau, Palo Alto Networks.

Automation is a good measure of adaptive security

Fung noted that it is time for enterprises to take a leaf out of their adversaries’ playbook by switching to an adaptive security approach which would vastly increase the use of automation in fighting cyber threats.

“Adaptive security helps organizations to automate routine cybersecurity responses, and free up the time of human specialists from the most complex incidents. Cybersecurity teams can save an extraordinary amount of time and effort through automation and have the ability to take proactive, accurate action before cyberattacks lead to data loss or damage,” Fung said.

According to Garrick Ng, chief technology officer, Cisco Hong Kong, Macau and Taiwan, “Time to detection” or TTD, the window of time between a compromise and the detection of a threat, is an important index to measure how “adaptive” a security strategy is.

“A recent report indicates that US companies take around 200 days to detect a data breach. We at Cisco have decreased the company’s median TTD to 3.5 hours through automation and integration,” he said.

Ng added that once a threat is identified, all other Cisco solutions will automatically protect their customers against the same threat, such as in the case of WannaCry in May and Bad Rabbit in October.

“On day one of these outbreaks, Cisco AMP and Umbrella were already able to immediately block the threats without any human intervention,” he recalled.

Ng observed that when a company decides how “adaptive” they would like their security strategy to be, they usually have to strike a balance between the user experience and the risk of a security threat.

“If security threat is top of mind, full automation is likely to be adopted because the company is very strict in terms of any potential risk. To them, a machine must be quarantined once it is suspected of carrying potential risk, even if the machine belongs to a member of senior management,” he added.

Meanwhile, Fung said organizations should adopt a top-down approach to execute an adaptive security strategy and prioritize this in alignment with business directions.

“Security needs to be adaptive anywhere where IT departments cannot control an organization’s information and technology boundaries,” he said.

“This approach involves automation and taking a security platform approach to natively integrate security components. This enables a consistent security posture, provides the same protection at the endpoint, in the data center, on the network, in the public and private clouds and across SaaS environments,” he added.

Focus on the data and the user

Palo Alto Networks believes that companies must evaluate their current investment on security postures and look for integrated solutions that can deliver adaptive security architecture.

“They must insist on complete pervasive security visibility in their environment including users, applications, data and threats,” Fung said.

“Evasive zero-day and malware can be prevented automatically by applying threat intelligence to prioritize the alert, analysis and hunting workflows can be accelerated. User Behavioral Analytics (UEBA) can work alongside existing security deployments,” he added.

Using UEBA systems enable the companies to fix their sights on user behavior and how data move in and out of their network.

“Understanding the data movement within the organization would be a good start but it is also important to understand how it interacts with users. By combining the two, it will give organizations for the first time, a glimpse of not only how data moves and what users do, but also why they did that – the nature of human intent behind these movement and behavior,” said William Tam, director of sales engineering – APAC, Forcepoint.

He added: “Only when your organization can understand the human intent behind each data movement and user behavior, you can adjust risk postures of a given user or a business process and respond accordingly. And that’s what adaptive security really means.”

Tam went on to offer a concrete example: “How often does an employee in the finance department send out an Excel spreadsheet to a public webmail account? Every day? Now imagine, what if you realize that the spreadsheet contains the business forecast for the next quarter? Still seems legitimate? And what if you realize that this employee has Internet access activities 3am every day for the past three months? Does all this sound fishy to you? All these would fly under the radar of a traditional threat-centric security model.”

But in a risk adaptive security model with the visibility of user behavior and data movement, every bit counts, Tam pointed out.

“Every suspicious behavior would contribute to the increase of risk score of that employee until it hits a threshold where immediate action will be taken. In a truly risk adaptive security architecture, it is not just a big red balloon that would pop-up on the dashboard, but the security system should be able to adapt and change the security enforcement option as it evolves, even before the incident response team steps in,” Tam said.

According to Forcepoint, many companies now on their adaptive security journey start with understanding the movement of data and the rhythm of user behavior.

“In fact, many organizations are halfway there – they may have tools in each area but they just don’t talk to each other. It’s like you have two eyeballs but you never use them together. So only when you can use them together, you can see the true depth of the risk posture within your organization and start making sense of it,” Tam said.