A recent survey of federal, state and local agencies by Meritalk tells a very interesting story. Five key facts stand out:
- 68% of cyber pros say their organization is overwhelmed by the volume of security data and 76% believe their security team is often reactive instead of proactive.
- 78% say at least some of their security data goes unanalyzed due to a lack of time and/or skill from their team.
- 9 out of 10 cyber pros say they cannot tell a “complete story” with cyber security data.
- While 70% of cyber pros say their organization can monitor streams of cyber security data in real time, fewer can analyze that data; and
- Root-cause analysis is successful only 49% of the time.
These five facts tell an interesting story. Cyber security professionals believe that all data is security relevant and should be looked at as part of a security investigation. However, the cyber security skills shortage affects many information security teams working at government agencies. There aren’t enough good people. Senior analysts are overwhelmed, concerned about missing clues and arriving at the wrong root cause. The manual work required to properly prioritize a thousand or more critical alerts means mistakes are likely and the alerts that matter may not be reached in time. Analysts are bombarded with mountains of data 24/7.
Security teams don’t feel confident that they understand, and can tell, a complete and accurate story of what led to a data breach and how it occurred.
Security teams should decide not to purchase any system that doesn’t help them find the problem and make them operationally efficient. User behavior intelligence solutions need to accomplish both goals:
- First, they start at the end of the usual security investigation process by constantly learning and defining, for each credential, its normal access patterns and access characteristics. This means the system starts with the data that otherwise goes unanalyzed and uses it to define what’s abnormal.
- Second, the system sifts through all the noise to assign alerts to credential activity. It constantly asks who had an active session on the system associated with a security alert, and associates the alert with that credential.
- Finally, it creates a user session timeline from log-on to log-off, providing a complete story of what the credential did while tracking the attacker across identity and credential switches to various systems.
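The three steps above (baseline per credential, attach alerts to the active session, stitch a log-on-to-log-off timeline that follows credential switches) as an added example in Python; this is illustrative code written for this page, not any vendor's product, and the event log, host names and credentials are constructed sample data:

```python
from collections import defaultdict

# Constructed sample log (not from the post). Each tuple is
# (timestamp, host, credential, event kind, detail).
EVENTS = [
    ("08:00", "ws1",  "alice",      "logon",  None),
    ("08:10", "ws3",  "bob",        "logon",  None),
    ("08:20", "ws1",  "alice",      "switch", "svc_backup"),   # runas-style credential switch
    ("08:25", "ws1",  "svc_backup", "alert",  "new admin tool"),
    ("08:30", "srv2", "svc_backup", "logon",  None),
    ("08:45", "srv2", "svc_backup", "alert",  "bulk file read"),
    ("08:50", "ws3",  "bob",        "logoff", None),
    ("09:00", "srv2", "svc_backup", "logoff", None),
    ("09:10", "ws1",  "alice",      "logoff", None),
    ("09:20", "srv9", "nobody",     "alert",  "port scan"),    # no open session: stays unattributed
]

def build_timelines(events):
    """Stitch events into one timeline per origin (human) credential.

    A 'switch' records that the target credential is now driven by the
    switching user's origin, so alerts raised in later sessions of that
    credential, on any host, are attributed back to the original account.
    """
    open_sessions = {}             # (host, cred) -> origin credential
    controller = {}                # cred -> origin credential after a switch
    timelines = defaultdict(list)  # origin -> [(time, host, cred, text)]
    unattributed = []
    for time, host, cred, kind, detail in sorted(events, key=lambda e: e[0]):
        key = (host, cred)
        if kind == "logon":
            origin = controller.get(cred, cred)
            open_sessions[key] = origin
            timelines[origin].append((time, host, cred, "logon"))
        elif kind == "switch":
            origin = open_sessions.get(key, cred)
            controller[detail] = origin
            open_sessions[(host, detail)] = origin
            timelines[origin].append((time, host, cred, f"switched to {detail}"))
        elif kind == "alert":
            if key in open_sessions:
                timelines[open_sessions[key]].append((time, host, cred, f"ALERT {detail}"))
            else:
                unattributed.append((time, host, cred, detail))
        elif kind == "logoff":
            origin = open_sessions.pop(key, cred)
            timelines[origin].append((time, host, cred, "logoff"))
    return dict(timelines), unattributed

def prioritize(timelines):
    """Rank origin credentials by attributed alerts, then by hosts touched."""
    def score(item):
        rows = item[1]
        alerts = sum(1 for r in rows if r[3].startswith("ALERT"))
        return (alerts, len({r[1] for r in rows}))
    return [origin for origin, _ in sorted(timelines.items(), key=score, reverse=True)]
```

Running `build_timelines(EVENTS)` folds both alerts raised under `svc_backup` into alice's timeline across two hosts, while the `svc_backup` credential itself never appears as a separate story.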
This approach provides a much-needed reprioritization of critical alerts by automatically associating them with credential behaviors that indicate account takeover, meaning an attacker is already inside the network. While much of the data collected by the security team may be security related, user behavior intelligence solutions do the hard job of pre-selecting the data that is most relevant to reaching an accurate root cause analysis.