Tackling cyber security as a collaborative team
Matthias Maier, Security evangelist, Splunk
Cyber security has long been seen as a technology problem. Speak to any security professional and the proverbial ‘needle in the haystack’ often comes up when sifting through the different components in the wake of an attack. Barely a week goes by without large corporations hitting the headlines as a result of a malicious attack, and in this landscape we need to be thinking not just about how we prevent threats, but how we detect and respond to them once they have got inside our organisations. Understanding what’s in front of us and turning big data into usable, contextual data is the key to spotting the anomalies that give these threats away before they turn into a full-blown data breach.
To transform companies from sitting ducks into cyber threat experts, four simple things are needed to get a single pane of glass view across operations and respond effectively to a threat:
Collect network information from systems across your environment
Collect endpoint data
Understand user identity: Who’s accessing the system? How often are they logging in? And from what location? To which department do they belong?
Threat intelligence: what do we know from the bigger picture across the industry that we can identify or apply to a threat?
Responding to an attack is often overlooked, as ‘the inevitable breach’ is a relatively new concept and requires wider coordination. But as businesses are trying to break down silos to be more open and inclusive to allow digital business growth at speed, the same needs to happen in security. We’re starting to see businesses dedicate resource to computer emergency response teams (CERTs), with colleagues and peers coming together when incidents occur. When it comes to security, the more data, opinions and expertise, the better.
Security Avengers, Assemble
Data-driven security is a simple concept for businesses to grasp, but implementation is trickier. Peers need to work smarter across departments by making data accessible, usable and valuable in order to better understand the security landscape.
A modern cyber security team needs experts from different divisions. They start with the same information, but their different perspectives, when combined, paint a more detailed picture of threats. Understanding the way that a threat structures code, sits in the network and targets data are all vital in getting to grips with how it works. To get the best information, you need security, network and infrastructure analysts all working together.
But it’s not just internal collaboration that’s needed to tackle security threats. Talk with other companies on how they set up threat intelligence and what makes it work. When a threat is uncovered, information about it should be shared as widely as possible with industry peers. We’re all in the same boat and a collective ecosystem approach is far stronger than a number of isolated islands all working independently.
Investigate alerts as they happen
The speed of response when a business is hit by an attack is crucial to the ability to fend it off. First, organisations need to spot the most dangerous attacks. That means knowing what’s in front of you and what automated action can be taken. Of the millions of alerts you get, which ones need human attention, versus human interaction?
When you have a high-level threat, get the emergency response team together and figure out the nature of the threat and the best course of action. Once you have diagnosed this information, you can learn from it and train your prevention solutions or even employees to spot and deal with this threat more effectively in the future.
Attacks are – or at least should be – a concern for every CEO out there. It’s they who will face calls to step down if breached and, as we’ve seen recently, customers are on the verge of legal claims for compromised information. Computer Emergency Response may seem like a no-brainer, as attitudes to cyber-security shift from an isolated IT concern to a pan-industry problem. The collective intelligence of companies and experts across industries, sharing real-time insights, will help to stem the tide of persistent attacks.