The precision of security undermined by a failure to correlate
If Paul Newman’s Cool Hand Luke character were to address the security industry, his opening line would likely be: “What we have here is a failure to correlate.” Today, one of the major deficiencies affecting security is not a lack of data, or even the aggregation of data; the central problem is correlating that data and connecting the dots to find otherwise hidden traces of attack activity.
While many organizations have a SIEM, the role it plays is primarily in collecting data, mostly logs, for application visibility and incident investigation. The SIEM is nearly synonymous with log management and compliance. Some organizations have been successful in aggregating other data sources in a SIEM, but collection is one thing and correlation is another. In fact, adding these sources of data may be counterproductive unless there is correlation to make sense of it. Without correlation, organizations may be simply drowning in data.
According to a recent study by Enterprise Strategy Group, security professionals cite a combination of problems or deficiencies that diminish their capacity to effectively uncover and stop attacks:
- 70% suffer from data and alert fatigue
- 75% from visibility gaps
- 75% from tool failure
- 75% from a gap in people skills
The problem is not necessarily a lack of data, although plenty of companies lack the tools or systems needed to effectively monitor blind spots and certain parts of their attack surface. For the most part, though, the problem is not even a matter of having the right tool. The real culprit is a lack of data correlation that would lead to true, high-priority, actionable alerts.
The idea is to have a system produce such alerts that can specifically warn over-worked, under-staffed security teams of real, consequential attack activity—a smoking gun—early enough to curtail or minimize damage. This is a capability that most security professionals consider critical. Vendors have taken up this charge, but their answer is often a point solution.
Perhaps such a solution does offer better fidelity, but it likely will not be able to cover an entire attack surface—from cloud to endpoint to data center networks. Security vendors typically want to “own it all” and often disdain or distrust data “not invented” by them. The reality is that complete security coverage and full visibility likely require multiple solutions with different competencies. Much of this already exists.
The real failing is in not combining these sources and then correlating the data to provide an effective big picture. This picture is crucial in discerning a real, significant security event. In addition, there is the question of leverage. Security teams would like to gain leverage from their existing security tools and systems and get them to work together. On its own, a system may be of limited value, but when its data are correlated with other security data, it may become far more valuable. Adding value to a sunk investment matters and is a consideration for security teams.
Correlation is both a concept and a function. Ideally, a correlation capability takes relevant data from various tools – each focused on its particular portion of the attack surface – and correlates the findings through an automated analysis to find things that matter. False positives must be kept to a minimum, with accuracy working together with relevance to point out what is important.
Correlation is generally a product of a specialized security system. It is in effect a security silo buster and an analysis platform that incorporates machine learning to create meaningful, valuable alerts quickly and automatically. Gartner calls this new category Extended Detection and Response (XDR), giving a nod to other detection and response systems, such as Endpoint Detection and Response and Network Detection and Response, but also pointing out that a go-between is critical to tie these systems together. Individually such systems have plenty of value, but correlating their findings provides far greater value.
Success of these XDR tools is contingent on ingesting enough data from enough sources and then transforming these separate data points into useful, accurate intelligence. Data sources should include logs from various networking and security systems, network packets, user details, etc.
An XDR tool could uncover attacker activity by, for instance, seeing that the SIEM has flagged a log of a user accessing a SQL database at an atypical time of day, combining that with data from the Network Traffic Analysis tool showing the user is sending traffic outside the country, and adding data from the User Behavior Analytics tool showing the user has never used this particular application at this time of day or at this large a data rate. Taken together, the data paints a picture of an attack event. The individual data points on their own may not carry enough significance to warrant alarm.
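The scenario above, expressed as correlation logic, as an added example that is not part of the original article or any vendor's product: events from three constructed sources (SIEM, NTA, UBA) are grouped by user, and a high-priority alert is raised only when findings from at least three distinct tools fall within an assumed 30-minute window. The event fields, the window and the three-source threshold are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical tools, keyed by user.
EVENTS = [
    {"source": "siem", "user": "jdoe", "ts": "2024-03-02T02:14:00",
     "detail": "atypical-hour access to SQL database"},
    {"source": "nta", "user": "jdoe", "ts": "2024-03-02T02:20:00",
     "detail": "outbound traffic to foreign destination, 850 MB"},
    {"source": "uba", "user": "jdoe", "ts": "2024-03-02T02:22:00",
     "detail": "app unused at this hour; data rate far above baseline"},
    # A lone SIEM finding for another user: no corroboration, no alert.
    {"source": "siem", "user": "asmith", "ts": "2024-03-02T09:05:00",
     "detail": "atypical-hour access to SQL database"},
]

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_SOURCES = 3                  # assumed: alert only when three tools agree


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Group events by user, walk them in time order, and emit one
    high-priority alert per user when events from at least `min_sources`
    distinct tools fall inside `window` of an anchor event."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:]
                       if parse(e["ts"]) - parse(first["ts"]) <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                alerts.append({"user": user, "sources": sorted(sources),
                               "start": first["ts"],
                               "evidence": [e["detail"] for e in cluster]})
                break  # one alert per user per window is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Lowering `min_sources` to 1 turns every single-tool finding into an alert, which is exactly the alert fatigue the article describes; the three-source threshold is what makes the output actionable.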
The combination of uniting security tool silos while eliminating gaps that would otherwise cause blind spots and connecting the dots is a powerful one. Most attackers have been able to thrive because organizations have lacked this capability. By bringing together data from security silos and carefully analyzing it with applied machine learning, organizations can gain an upper hand on attackers and close gaps that have been exploited for years.