We are constantly reading about cyber attacks in the news headlines, and businesses that require secure networks are scrambling to find ways to protect themselves. Who wants to be the next victim of a highly public and damaging hack? But perhaps they aren’t directing their energies in the best ways.
In the past, organisations were primarily concerned with detecting and preventing breaches. Those are only two of the three components of a strong security solution; incident response is the third, and it is just as critical. Only larger enterprises spent significant sums on network security, primarily because of the cost and because those companies were the ones most likely to be targeted. But the cyber security landscape has changed dramatically in the last several years, and we are now at a point where small businesses are taking online security much more seriously and turning their attention to security tools that go beyond detection and prevention.
The rise of security analytics
Now we’re seeing the rise of security analytics. Earlier this year SC Magazine released the results of a survey that captured responses from almost 1,000 IT and security professionals. The results were quite heartening: almost two out of three respondents said their companies were in the process of implementing some kind of security analytics programme. Security analytics (also called ‘post-breach forensics’ or similar terms) is a new and somewhat loosely defined term for storing, interacting with, monitoring and visualising log files, network flows and IP packets in real time, retaining them for later analysis, and managing Big Data security feeds or large data streams. Some 72 per cent of the survey’s respondents were from small and medium-sized enterprises (SMEs) with fewer than 1,000 employees. The conclusion was that SMEs are realising the importance of security analytics, and although few have reached the point of a fully deployed system, many have started planning their own programmes.
It’s encouraging to see more organisations taking security seriously, but SMEs are in for a great deal of work in order to set up an effective security programme. In general, the major roadblocks to security analytics programmes (or any security programme in general) are the initial cost of the software and/or hardware for capturing the data combined with a lack of expertise and trained staff. These apply to enterprises of any size, but cause more problems for SMEs for several reasons.
Difficulty in using the tools effectively
One, the shortage of trained staff makes it especially difficult for SMEs to use security analytics tools effectively. Modern security analytics tools are designed on the assumption that they will be used by trained and experienced investigators. It’s unlikely that an SME will have a dedicated security expert on staff, so it will not be able to use these tools to their full capability, if at all. Buying the right monitoring software does no good if no one on staff can understand and interpret the data it produces. For this reason, investing in expensive security analytics tools is often not the best use of funds, especially for an organisation with a limited budget.
Additionally, cyber attacks targeting SMEs have increased because the ability to automate attacks makes it lucrative for malicious actors to target them. Historically this hasn’t been the case. SMEs tend to have few monetisable assets and a small web presence, so attacking them was not worth the time and effort. In the last few years, the dark web has made it easier and cheaper to sell stolen data, advanced automated attack suites developed by experienced hackers are being packaged and rented to relatively inexperienced attackers, and hackers have developed automated, low-cost attacks like ransomware where they get paid directly with no dark net market required. All of these factors have changed the economy of cyber attacks and made SMEs more attractive targets.
Since they have not been targeted until recently, many SMEs have very limited practical experience of real attacks, and often a false sense of security. A recent study published by Enterprise Management Associates found something similar, which it termed the ‘bravado factor’. In general, surveyed companies reported that they were extremely confident in their security systems, but the volume of alerts those systems were generating led the analysts to conclude that either the IDS/IPS devices weren’t properly configured or the IT team was simply ignoring most of the data. So while enterprises usually feel that they are protected, in reality they often aren’t. The lack of trained staff exacerbates this problem for SMEs, and as a result attackers naturally gravitate toward them as low-hanging fruit.
What can SMEs do if they experience a data breach?
Most of the time it’s in their best interest to call a professional. Independent security contractors deal with cyber assaults every day and have extensive training and experience with these situations. In most instances, contracting one of these teams is the most cost-effective approach to intrusion response.
The real question becomes, ‘What can an SME do to prepare for an incident?’ The answer is two things: retain a history of the enterprise’s relevant computer activity (network traffic, host logs, security device alerts and so on), and install and monitor as many intrusion detection systems as are economically supportable. Capturing all of a network’s traffic is not realistic, since the cost of storing every packet for a decent period would be enormous. The strategy is to have the local team be the ‘tripwire’ that detects an assault and then calls in experts to track down and remediate the attack when needed. For this to work, the SME must be honest about its own level of preparedness, train and prepare its IT staff as far as possible, and acknowledge that it may need help in an emergency.
For this strategy to be successful the SME needs the capacity to store network records (flow data, and full packets where affordable) and host logs for extended periods, often a year or more. Even SMEs with substantial investments in malware detection will miss some attacks, which might not be discovered for months. Research by Trustwave reported by Computerworld UK claimed a median time of 87 days from breach to discovery, with some outliers that were much longer; retention therefore needs to reach back well past that median, or the record of the initial intrusion will have been rotated out by the time the breach is noticed. Without a record of the initial attack, resolution will be difficult even for a team of expert investigators.
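As an added illustration of the retention trade-off described in the two paragraphs above (this is example code, not anything from the article or from Savvius), the following Python aggregates a constructed set of packet records into NetFlow-style flow records and compares how many days of history a fixed storage budget holds for full packet capture versus flow records, using the article’s 87-day median dwell time as the bar the retention window has to clear. The packet records, the 64-byte flow record size and the storage budget are all invented for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """One captured packet; only the header fields a flow collector keeps."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int      # bytes on the wire, payload included


@dataclass
class Flow:
    """Unidirectional flow record keyed by the 5-tuple (NetFlow/IPFIX style)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


# Assumed on-disk size of one flow record; real collectors vary (assumption).
FLOW_RECORD_BYTES = 64

# Median breach-to-discovery time quoted in the article (Trustwave figure).
MEDIAN_DWELL_DAYS = 87


def aggregate_flows(packets):
    """Collapse packets into one flow record per 5-tuple.

    Payload is discarded; only counts and timestamps survive, which is what
    makes flow data cheap enough to keep for a year when packets are not.
    """
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(p.src, p.dst, p.sport, p.dport, p.proto, p.ts, p.ts)
            flows[key] = flow
        flow.last_seen = max(flow.last_seen, p.ts)
        flow.packets += 1
        flow.bytes += p.size
    return list(flows.values())


def full_capture_bytes(packets):
    """Storage needed to keep every packet in full."""
    return sum(p.size for p in packets)


def flow_storage_bytes(flows):
    """Storage needed to keep only the flow records."""
    return len(flows) * FLOW_RECORD_BYTES


def retention_days(bytes_per_day, budget_bytes):
    """Whole days of history a storage budget holds at a given daily volume."""
    if bytes_per_day <= 0:
        raise ValueError("bytes_per_day must be positive")
    return budget_bytes // bytes_per_day


def covers_dwell_time(bytes_per_day, budget_bytes, dwell_days=MEDIAN_DWELL_DAYS):
    """True if retained history reaches back past the expected dwell time.

    When this is False, the record of the initial intrusion will already
    have been rotated out by the time the breach is discovered.
    """
    return retention_days(bytes_per_day, budget_bytes) >= dwell_days


# Constructed sample: one DNS lookup and a short HTTPS session, not real traffic.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "10.0.0.1", 51000, 53, "udp", 78),
    Packet(0.01, "10.0.0.1", "10.0.0.5", 53, 51000, "udp", 200),
    Packet(0.05, "10.0.0.5", "93.184.216.34", 52000, 443, "tcp", 74),
    Packet(0.06, "93.184.216.34", "10.0.0.5", 443, 52000, "tcp", 66),
    Packet(0.10, "10.0.0.5", "93.184.216.34", 52000, 443, "tcp", 1500),
    Packet(0.12, "93.184.216.34", "10.0.0.5", 443, 52000, "tcp", 1500),
    Packet(0.20, "10.0.0.5", "93.184.216.34", 52000, 443, "tcp", 1500),
]


def compare_retention(packets, budget_bytes):
    """Treat `packets` as one day's traffic and compare both strategies."""
    flows = aggregate_flows(packets)
    pcap_per_day = full_capture_bytes(packets)
    flow_per_day = flow_storage_bytes(flows)
    return {
        "flows": len(flows),
        "pcap_bytes_per_day": pcap_per_day,
        "flow_bytes_per_day": flow_per_day,
        "pcap_retention_days": retention_days(pcap_per_day, budget_bytes),
        "flow_retention_days": retention_days(flow_per_day, budget_bytes),
        "pcap_covers_dwell": covers_dwell_time(pcap_per_day, budget_bytes),
        "flow_covers_dwell": covers_dwell_time(flow_per_day, budget_bytes),
    }


if __name__ == "__main__":
    # The budget is a made-up figure chosen so the tiny sample shows the gap.
    for name, value in compare_retention(SAMPLE_PACKETS, budget_bytes=100_000).items():
        print(f"{name}: {value}")
```

Flow records in this example are unidirectional, so each TCP or UDP conversation produces two records; that is how most collectors export them, and pairing the two directions is left to the analysis tool. The same sizing function applies to host logs: measure a day’s volume, divide it into the budget, and check that the answer comfortably exceeds the dwell time you expect to face.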
So while SMEs face a unique set of challenges when it comes to security analytics, it’s still possible for them to benefit from these programmes as long as they are pragmatic about how they are implemented. Around 58 per cent of respondents to the SC Magazine survey said that their company’s upper management had an adequate or better understanding of data security, and only 12 per cent were ‘uneducated about security and unaware of the need to improve’. There is clearly growing consensus at high levels that data security needs to be taken seriously and I’m optimistic that businesses of all sizes can use security analytics to help keep themselves and their customers’ data safe.
Tom Rowley is security strategist at Savvius.