The evolution of threat detection and Big Data
Mark Gazit is the CEO of ThetaRay, a specialist in threat detection. In this interview he talks about leveraging Big Data to secure networks, the advantages of using math-based anomaly detection as well as the evolution of threat detection in the past decade.
How is Big Data changing the way organizations approach information security?
If it was not as salient a decade ago, nowadays organizations understand the immense value locked inside the data they generate, and the fact that they can leverage it to extract security insights that can help them manage risk and crisis events.
Big data is changing the way organizations approach information security by enabling them to simplify and reduce the costs linked with a smart security strategy. With big data, organizations like banks and critical infrastructure sectors don’t need to chase those elusive perfect-fit solutions and try to jam them into what they already have in-house. Rather, they can use what they already have (their own data) to secure what’s important to them (their infrastructure, IP) without having to use multiple solutions or even fully understand the threats they should be wary of (the unknown unknowns).
If the old security approach involves layering security solutions one on top of the other, creating a stitched-together clutter that fights to make sense of risks and attacks, the Big Data approach is the opposite. It’s about creating a 360° view of the organization, simplifying situational awareness on a level that separate layers can’t begin to achieve.
Instead of counting on a collection of installed solutions, organizations relying on Big Data can benefit from the breadth of sources they draw from, using them to uncover threats faster and more accurately.
What are the advantages of using math-based anomaly detection?
Using math-based anomaly detection takes the guesswork out of threat detection – for good.
Methods that base anomaly detection on known elements are inherently flawed by their constant need to update their “knowledge.” Whether it be fathoming new rules and patterns, feeding in signatures or using heuristics, the update cycles are a constant liability. Worst of all, they are incapable of detecting new threats.
Conversely, math-based anomaly detection does not have to know what the threat might look like. It simply looks for irregularities in data points compared to the momentary normality of the whole. It is agile, dynamic and evolving, resulting in threat detection that is accurate, rapid, and laser-focused – all while yielding extremely low false-positive rates.
How has threat detection evolved in the past decade?
The evolution of threat detection has been a cat and mouse game for the past two decades – a perpetual arms race that has been extremely reactive to the methods and tools used by criminals.
Nowadays, security innovators are working to move away from this reactive situation, a task that proves much harder to achieve than it is to strive to.
For the most part, threat detection methods used to be based solely on predefined elements. Solutions were equipped with things like whitelists, blacklists, signature lists, rule lists and patterns, and then cyclically updated the minute a new threat reared its head.
The methods have since evolved in several ways, including the combining of different elements (ex. Next Gen Firewalls), the prediction of malware mutation, and the application of rule-based detection to Big Data. They have also extended into new realms like biometrics, behavioral analytics that distinguish between legitimate and suspicious users, and now anomaly detection, which is increasingly being viewed as the most effective solution toward ending the threat evolution arms race.
What can the industry do in order to stay in front of the rising trend of targeted attacks?
Staying ahead of targeted attacks requires the implementation of a few key concepts:
1. A definitive ability to move away from focusing on known elements. Threats and adversaries that launch targeted attacks will forever evolve to create new unknowns. It is futile to react to each one individually.
2. An ability to secure holistically, rather than just securing one type of environment or data silo. To expose the orchestration of an APT attack, it is necessary to unify the infrastructure and see the entire picture at all times. This translates into being able to respond to risks in real time, even if a specific threat has never been encountered before. A recent study reveals that 67% of organizations are facing a rising number of threats, but over 37% have no real-time insight into cybersecurity risks. This means that over a third of organizations are much more vulnerable than they can afford to be.
3. An ability to expedite remediation. Using Big Data can be a daunting task for data scientists and dedicated analysts. The manual querying and compiling of all relevant data points is extremely expensive and not scalable — and data is only getting bigger. Automating the detection and forensics gathering phases is like shooting an arrow into the bulls-eye of the problem, pointing remediation teams to the precise source of the issue. At the end of the day, averting impact to the organization is the ultimate goal and measurable success factor of its security posture.