Assuming you have the budget, you might decide to go on a spending spree and invest in the best cyber security technology that money can buy. But is this really the best solution?
Whilst it is true that many organizations are not investing enough money into cyber security, having a collection of technologies that function independently from each other, without any means by which to aggregate, filter and contextualize the results, may actually do more harm than good. For example, many organizations already make use of firewalls, data loss prevention (DLP), vulnerability scanners, network intrusion detection (NIDS), and more. Yet each of these technologies generates a large amount of noise, much of which is not meaningful to our security staff. And although SIEM solutions can help to aggregate data from multiple sources, security experts are still required to manually sift through vast amounts of seemingly unrelated data in search of correlations that may indicate a threat. This is obviously not the most efficient approach to securing one’s data, as we will end up wasting time following up trivial events while the real threats slip through the net.
In order to allocate our resources effectively, we must first get an idea about where the majority of security threats are coming from. According to the 2016 Cyber Security Intelligence Index, “60% of all attacks are carried out by insiders”. With this in mind, it would make sense to invest in a sophisticated collection of tools and solutions that enable us to detect, alert and respond to suspicious user behavior.
These days there are a large number of affordable User Behavior Analytics (UBA) solutions on the market that outperform traditional SIEM solutions in many ways. LepideAuditor, for example, provides security analysts with a platform by which to monitor and audit changes made across their IT environment. It enables analysts to easily maintain “least privilege” account access, detect suspicious file and folder activity, manage inactive user accounts, track privileged mailbox access, and a lot more.
Not only that, but solutions like this enable us to automatically respond to events based on a threshold condition, which can help stop the spread of ransomware and detect suspicious logon failures.
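To make the threshold idea concrete, here is an added illustration (not LepideAuditor's own logic or code) of a per-user sliding-window rule that raises an alert and names a response once a user exceeds a number of logon failures or file modifications within a time span; the sample events, thresholds and response labels are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, event type, object).
# alice fails to log on six times in eight seconds, bob twice in half a minute,
# and carol rewrites 25 files in 25 seconds (the pattern a ransomware process leaves).
SAMPLE_EVENTS = [
    ("2016-05-01 09:00:01", "alice", "logon_failure", "DC01"),
    ("2016-05-01 09:00:03", "alice", "logon_failure", "DC01"),
    ("2016-05-01 09:00:05", "alice", "logon_failure", "DC01"),
    ("2016-05-01 09:00:06", "alice", "logon_failure", "DC01"),
    ("2016-05-01 09:00:08", "alice", "logon_failure", "DC01"),
    ("2016-05-01 09:00:09", "alice", "logon_failure", "DC01"),
    ("2016-05-01 09:30:00", "bob", "logon_failure", "DC01"),
    ("2016-05-01 09:30:30", "bob", "logon_failure", "DC01"),
] + [
    ("2016-05-01 10:00:%02d" % s, "carol", "file_modified", r"\\fs01\finance\doc%d.docx" % s)
    for s in range(25)
]

# Threshold conditions (assumed values): (event count, window length).
THRESHOLDS = {
    "logon_failure": (5, timedelta(seconds=60)),
    "file_modified": (20, timedelta(seconds=30)),
}

# Response label attached to each alert (assumed; a real deployment would call its own hooks).
RESPONSES = {
    "logon_failure": "lock account and notify analyst",
    "file_modified": "disconnect user session and snapshot share",
}

def threshold_alerts(events, thresholds=THRESHOLDS, responses=RESPONSES):
    """Return one (user, type, count, timestamp, response) per user/type that crosses its threshold."""
    windows = defaultdict(deque)   # (user, type) -> timestamps inside the current window
    alerted = set()                # alert once per user/type so a burst does not flood the analyst
    alerts = []
    for ts_str, user, etype, _obj in events:
        if etype not in thresholds:
            continue               # event type has no rule; ignored rather than treated as noise
        limit, span = thresholds[etype]
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        window = windows[(user, etype)]
        window.append(ts)
        while window and ts - window[0] > span:
            window.popleft()       # drop events that have fallen outside the window
        if len(window) >= limit and (user, etype) not in alerted:
            alerted.add((user, etype))
            alerts.append((user, etype, len(window), ts_str, responses[etype]))
    return alerts
```

Bob's two failures thirty seconds apart never reach the limit, so only alice (five failures by 09:00:08) and carol (twenty modifications by 10:00:19) produce alerts.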
Of course, before we can successfully audit our sensitive data, we first need to know where our data resides. Additionally, we need to classify our data so that we can apply security controls in the most efficient manner possible. For example, there’s no need to receive real-time alerts about data that is classified as “public”, as that would be a waste of valuable resources. There are many affordable data discovery and classification tools that can help us automatically locate, classify and report on a wide variety of data types.
Regardless of the budget, technology alone can only do so much to protect our sensitive data. Artificial intelligence and machine learning systems will no doubt evolve to become an invaluable part of our defence strategy, but they still have a long way to go until they can be relied on to catch every eventuality.
As such, human judgement is still very much required. Since the majority of security threats originate from within the confines of our network perimeters, we need to establish a comprehensive security awareness training program to ensure that our staff members are able to conform to security best practices. Of course, this too will cost money, although new applications are being developed that can significantly reduce the cost of security training.