UPDATED 08:00 EDT / APRIL 10 2015

Frustrated security pros try a new approach: Let the bad guys in

With recent, high-profile security breaches at companies like Sony Pictures Entertainment, Inc. and Target still fresh in our memories, most enterprises are all too aware of just how costly such incidents can be. The hidden costs of such incidents can add up for years, and can easily stretch into the millions of dollars, and perhaps even billions in the case of Sony. More important, though, is that such incidents serve as a reminder that traditional security methods will never be enough to stay one step ahead of the most determined and sophisticated attackers.

“We’re losing control over our IT infrastructure,” said computer security and privacy expert Bruce Schneier in a dour article in Computerworld about the state of enterprise IT security. Experts quoted in the article said many companies still fail to invest in security because they don’t understand the returns. Meanwhile, mobile devices and file-sharing services continuously open new security holes in corporate firewalls.

Some startups are advocating a new approach to security, however: let the bad guys in, identify them, and isolate them. Thanks to advances in Big Data analytics, companies like Darktrace, Ltd, Protectwise, Inc., NowSecure, Inc. and Bit9, Inc. claim to have developed tools that can detect a plethora of anomalies and “events” that indicate an attack is underway, almost as soon as it begins.

Venture capitalists seem to be sold on the idea. Just last month, Protectwise exited stealth, funded to the tune of $17 million from Crosslink Capital, Trinity Ventures, Paladin Capital Group and Arsenal Venture Partners, barely a week after Darktrace announced an $18 million funding round from investors that include Invoke Capital, Talis Capital and Hoxton Ventures.

A new breed of security


Many enterprises already have sophisticated monitoring systems in place on their networks. But that doesn’t help them much with the problem of interpreting all of that data to identify sophisticated threats and eliminate them before a serious data loss occurs, and that’s where the new breed of security analytics comes into play.

“Analytics allows us to see attacks in a very different way,” explained Andrew Hoog, founder and CEO of NowSecure, Inc. The idea is not to stop the attackers in their tracks, but rather catch them in the act almost as soon as they get started. “Traditional security tools focus on detecting the ‘known bad,’ like malicious apps that have known signatures, which can easily evade detection,” Hoog said. “Instead, what we’re doing is using analytics to detect anomalous events.”

Security analytics falls into that space between the tons of information collected by companies’ security information and event management systems (SIEMs) and the mantra that “big data solves everything,” said John Pescatore, the director of emerging security trends at the SANS Institute, in a recent interview with Network World.

Pescatore explained there are three aspects to security analytics, namely: monitoring network traffic for anomalies that might indicate a security breach; providing specific recommendations of what to do when a vulnerability has been discovered or an attack has started; and taking corrective action from “lessons learned”.

“Tying those three things together — the security expertise, the ability to push settings out to the security controls, and the ability to learn from it and not get into the same problem — is what I call security analytics,” Pescatore said.

Rapid threat detection


Vendors agree the main advantage of taking an analytical approach to security is being able to detect breaches much faster than before. A 2013 study by Trustwave Holdings, Inc. found that 60% of breaches took between three and six months to discover – which gives attackers all the time in the world to help themselves to their target’s most critical data.

“If we reduce that time by even half using data analytics, we could save billions of dollars in damages from attacks each year,” said NowSecure’s Hoog. “Once an attack has successfully occurred some damage has been done. But many attacks take time and multiple steps to reach their full potential.”

According to Ben Johnson, chief security strategist at Bit9, one of the main reasons that malicious actors, at least the sophisticated ones, are able to remain undetected for so long is that they often employ legitimate applications and servers to carry out their attacks. They effectively become ‘insiders’ by entering their target’s environment with legitimate credentials, therefore skirting traditional security systems.

“They use PowerShell and other built-in tools that allow them to send data out to Dropbox and Google Drive,” Johnson explained. “None of those would typically be on a blacklist because they’re all legitimate tools. It is only through analytics where uncommon uses of these tools and sites would surface for an analyst. When you start comparing activity to what is normal, these types of ‘living off the land’ use-cases can become readily apparent.”

Security analytics works on the premise that every network is unique, and each has its own quirks based on how it’s designed. The software ‘listens’ to everything that passes through the network, and makes sense of all the traffic before flagging anything suspicious. Over time, it becomes easier to spot anomalous behavior and identify when an attacker has infiltrated a network, said Jasper Graham, senior vice president of cyber technologies and analytics at Darktrace.

“The design of the network can become a strength because it’s really hard to fake being a person or device in that network if you have that network modeled,” Graham said. “If you come in as an outsider, you stick out like a sore thumb. We’re putting companies in an extraordinary position to be proactive and understand what is happening within their network, even the slightest anomaly.”

Where there’s a will, there’s always a way


The approach is certainly promising, but there’s no guarantee that more sophisticated attackers won’t be able to find a way to slip past this new line of defense. After all, computer security is a never-ending game of cat-and-mouse, with cybercriminals constantly coming up with new ways to beat the latest security systems, and forcing vendors to come up with ever more sophisticated solutions in response. No matter how robust these analytical approaches to security might seem, few people believe they are a panacea.

Adding to this reality is the problem that, because security analytics is so new, there is no track record by which to gauge just how effective the technology really is.

“An analytics or algorithmic approach assumes that the attacks are anomalous enough to stand out, and that normal traffic is consistent enough, but that may not be true,” said Pete Lindstrom, Research Director at International Data Corp (IDC). “It isn’t hard to conjure up a scenario where noise is introduced earlier into the process to make anomalies look normal.”

Vendors don’t claim their systems are one hundred percent foolproof, but that’s not really the idea anyway. No single security solution can ever be totally resistant to attacks, but analytics can make an attacker’s job more difficult.

“It is very hard to sidestep analytics,” insisted Bit9’s Johnson, though he did concede that it isn’t impossible to do so if attackers take enough time and care to cover their tracks.

“If everything attackers do on a system is recorded and compared against all the normal activity, it is pretty hard not to stand out. But if an attacker hits a system that typically mounts certain shares and copies certain data and sends it out to some site, they might be able to hide a little bit within the normal baseline.”
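To make the baselining that Johnson and Graham describe concrete, here is an added example that is not the article’s or any vendor’s code. It learns, per host, how often each (process, destination) pair occurs and how much data it usually moves, then scores new events on two axes: how rare the pair is for that host (smoothed frequency) and how far the transfer size sits above the usual size. The host names, processes, destinations and byte counts are constructed telemetry, and the Laplace smoothing and thresholds are assumptions chosen for readability rather than any product’s method. The second scored event reproduces Johnson’s caveat: a PowerShell upload to Dropbox on a machine whose baseline already contains nightly PowerShell uploads to Dropbox does not stand out, while the same tool and destination on a finance workstation does, and a greedy attacker on the marketing host is still caught by volume.

```python
"""Baseline-then-score anomaly detection over process/network telemetry.

Added example (not from the article or any vendor). Telemetry is
constructed; the scoring model is a simple smoothed-frequency scheme.
"""
import math
from collections import Counter, defaultdict
from statistics import median


def _repeat(host, process, dest, base_bytes, n):
    # Constructed records; vary the size slightly so the median is meaningful.
    return [(host, process, dest, base_bytes + (i % 5) * 100_000) for i in range(n)]


# Constructed "quiet period" baseline: (host, process, destination, bytes_out).
BASELINE_EVENTS = (
    _repeat("ws-finance-07", "chrome.exe", "sharepoint.corp", 2_000_000, 40)
    + _repeat("ws-finance-07", "outlook.exe", "mail.corp", 500_000, 60)
    + _repeat("ws-finance-07", "powershell.exe", "wsus.corp", 50_000, 5)
    + _repeat("ws-marketing-02", "chrome.exe", "dropbox.com", 3_000_000, 30)
    + _repeat("ws-marketing-02", "explorer.exe", "fileshare.corp", 8_000_000, 20)
    + _repeat("ws-marketing-02", "powershell.exe", "dropbox.com", 50_000_000, 25)
)

# Constructed new events to score against that baseline.
NEW_EVENTS = [
    ("ws-finance-07", "powershell.exe", "dropbox.com", 180_000_000),    # never seen on this host
    ("ws-marketing-02", "powershell.exe", "dropbox.com", 55_000_000),   # blends with nightly sync
    ("ws-finance-07", "outlook.exe", "mail.corp", 2_000_000),           # routine
    ("ws-marketing-02", "powershell.exe", "dropbox.com", 900_000_000),  # same tool, ~18x volume
]

RARITY_THRESHOLD = 3.0   # -ln(p) >= 3 means smoothed p <= ~5% for this host
VOLUME_THRESHOLD = 3.0   # log2(ratio) >= 3 means at least 8x the usual size


def build_baseline(events):
    """Summarise per-host behaviour: pair counts, per-pair sizes, per-host sizes."""
    pair_counts = defaultdict(Counter)                     # host -> Counter[(process, dest)]
    pair_bytes = defaultdict(lambda: defaultdict(list))    # host -> pair -> [bytes]
    host_bytes = defaultdict(list)                         # host -> [bytes]
    for host, process, dest, nbytes in events:
        pair = (process, dest)
        pair_counts[host][pair] += 1
        pair_bytes[host][pair].append(nbytes)
        host_bytes[host].append(nbytes)
    return {"pair_counts": pair_counts, "pair_bytes": pair_bytes, "host_bytes": host_bytes}


def score_event(baseline, event):
    """Score one event: rarity of the (process, dest) pair on this host plus volume."""
    host, process, dest, nbytes = event
    pair = (process, dest)
    counts = baseline["pair_counts"].get(host, Counter())
    total = sum(counts.values())
    distinct = len(counts)
    # Laplace-smoothed probability of this pair on this host (unseen pairs get a
    # small non-zero probability instead of an infinite score).
    p = (counts[pair] + 1) / (total + distinct + 1)
    rarity = -math.log(p)
    # Compare the transfer size to what this pair usually sends; if the pair is
    # unseen, fall back to the host's overall typical size.
    sizes = baseline["pair_bytes"].get(host, {}).get(pair) or baseline["host_bytes"].get(host, [])
    typical = median(sizes) if sizes else 1
    ratio = nbytes / max(typical, 1)
    volume = math.log2(ratio) if ratio > 1 else 0.0
    reasons = []
    if rarity >= RARITY_THRESHOLD:
        reasons.append(f"{process}->{dest} seen {counts[pair]} times on {host}")
    if volume >= VOLUME_THRESHOLD:
        reasons.append(f"{nbytes / 1e6:.0f} MB is {ratio:.0f}x the usual size")
    return {"event": event, "rarity": rarity, "volume": volume,
            "flagged": bool(reasons), "reasons": reasons}


def detect(baseline_events, new_events):
    """Build the baseline once, then score every new event against it."""
    baseline = build_baseline(baseline_events)
    return [score_event(baseline, e) for e in new_events]


if __name__ == "__main__":
    for r in detect(BASELINE_EVENTS, NEW_EVENTS):
        mark = "ALERT" if r["flagged"] else "ok   "
        print(mark, r["event"][:3], f"rarity={r['rarity']:.2f} volume={r['volume']:.2f}",
              "; ".join(r["reasons"]))
```

Run as written, the first and fourth events are flagged and the second and third are not. The finance workstation’s PowerShell upload trips both the rarity and the volume test; the marketing host’s 55 MB upload looks like its nightly job and passes, which is exactly the blending Johnson warns about; the 900 MB upload on the same host has the same rarity score but is caught because it is roughly 18 times the usual size. Baselines should be learned over a period believed to be clean, since an attacker who is already present when the model is trained becomes part of “normal”, the scenario Lindstrom raises above.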

Image credits: PublicDomainPictures via Pixabay.com; gcbb via Compfight cc
