It is no news to anyone in cyber security, or information security generally, that threats are increasing, cyber security costs are escalating and managing enterprise security is becoming ever more complex. The current approach, as laid out below, is not scalable in this rapidly evolving environment.
Instead, there has to be a fundamentally new approach to how we address security. We call this User‑centric Enterprise Security: a strategy that focuses on identifying breaches in a highly user-specific fashion and ensuring the user is part of the remediation process.
The security architecture is creaking – bring in the cavalry
Today’s security architecture is beginning to fall apart at the seams. The classic model deployed by the vast majority of significant organisations includes:
- A lake of unstructured data – typically in the SIEM
- Expensive technology to manage and process that data – often AI
- Scarce human resources in the Security Operations Centre (SOC) to manage that platform and tune it to find the real issues
At the most fundamental level, the approach has to be correct. We gather data, we use technological means to examine that data, and thereby identify malicious behaviour that cannot be spotted by other means.
However, the current SIEM/SOC implementation suffers for a number of reasons.
It is increasingly expensive
SIEM technology is typically charged by the gigabyte, not to mention the physical infrastructure costs of data storage, and even businesses in a relatively steady state are increasing their SIEM usage by 30-50% per year.
SIEM are generalist platforms
Today’s attacks are increasingly well prepared, targeted and carried out by hackers who are able to carefully zone in on specific weaknesses.
SOC engineers are rare
The Security Operations Centre is itself a relatively new animal, fitting into the still-developing and exponentially expanding cyber security It’s hard to find well-qualified and experienced SOC engineers. When they are sourced, they are expensive and difficult to retain.
Lengthy resolution periods
It takes substantial time for a good SOC to tune and educate a good SIEM in order to identify real problems for the enterprise. Even when the system is tuned, false positives abound. The SOC must process a large number of alerts every day, each one taking significant effort and investigation, and frequently communication with other users in the business.
Lack of user awareness
Users are not engaged in cyber security and often resent the communications that do come from the SOC when trying to track down breaches.
Negative relationship between security and users
When security teams are communicating with users, it is typically to point out where they messed up. This does not lead to a positive and supportive engagement with security.
The most frustrating aspect of the entire SIEM/SOC architecture is that it gathers a huge volume of data, the vast majority of which is harmless and most of which is repeated day after day. We need to reduce this load on the SIEM/SOC.
Alongside the increasing volume of data to manage, it’s also necessary to protect more applications and tools – which will become untenable in current platforms. Many SIEM deployments protect only some components of the cyber estate. Due to the time and costs involved, deployments are gradual and fractured, often leaving gaps due to limited resources. However, attacks can come from anywhere and the entire company therefore needs to be secured.
And it’s getting harder
While the standard architecture continues to expand and suck up resources, there are large areas of technology that are not being protected.
In today’s hyper-connected, mobile‑led world, users are engaging with their business via multiple devices, from many different locations, in many different ways. They are accessing numerous applications, each containing critical information about the business: email, collaboration platforms, ERP, and CRM, to name a few.
Within each industry there are also critical applications that are industry specific, to support activities such as trading, underwriting, case management, intellectual property management, and many more.
This means that there is a critical vulnerability at the nexus where users meet applications.
Compromised credentials
There are numerous ways in which hackers can access a user’s credentials and enter their accounts silently. Even with two factor authentication, VPNs and other technologies, there are increasing numbers of man-in-the-middle attacks, targeted attacks, malware attacks and others which allow a competent hacker to compromise accounts – not to mention careless user behaviour.
Misuse of the admin platforms
Nearly all applications are managed by an administration platform which gives its users almost godlike privileges. Whether through malice or error, it is incredibly easy for privileged users to access any data or account and impersonate their colleagues – from CEO downwards. There have been many cases where the administration users have themselves been compromised, providing external bad actors with almost complete control of an organisation. Privileged Access Management platforms provide protection in some areas but cannot identify where an admin user is carrying out a malicious action.
OS and system weaknesses
Weaknesses in the underlying infrastructure can also result in an unauthorised access to a resource.
Email and collaboration
There are two specific vulnerabilities which are worth emphasising:
- Email is the most central application in nearly every business.
For many executives, it is the only application they use. Not only is corporate confidential information exchanged in email, but frequently embarrassing opinions are committed to writing. Over and above these issues, email is unique: once email is breached, the issue is no longer exclusively data loss, but impersonation.
- With workers sharing information around the business and around the world, companies now rely on a wide range of collaboration platforms.
But each time an employee creates a document or library and shares it, this asset is frequently shared onwards with others. Very few platforms provide tools to allow data owners to know who has access to their files and who has actually accessed them.
User-centric Enterprise Security
The good news is that both of these challenges can be solved.
The second problem – the vulnerability of critical applications – can be addressed by using the same basic principles of the current SIEM/SOC architecture: every application provides highly detailed logs that will reveal malicious behaviour. However, these are never activated, partly because their volume would completely flood any existing SIEM, possibly by an order of magnitude; and partly because almost no one has the skills to process and manage them.
The answer is User-centric Enterprise Security. Application logging must be enabled to track all access to accounts and any reconfiguration of these accounts. This information contains everything we need to understand whether an account has been compromised. However, we cannot process it as an unstructured data lake. Instead, a new three-pronged approach is required.
The processing of the logs must be application aware
Instead of assuming everything is unstructured data, the processing can be massively streamlined if we know what the logs mean, and which logs may lead to compromised data or impersonation.
The processing of logs must be user aware
For each application, we must understand the user’s normal behaviour. Every user in a business operates differently. We cannot assume that all email users behave the same way, or that all collaboration users in the business behave We must accept that everybody is unique.
We must take account of the context
This involves looking for simultaneous connections to a user’s various different accounts from different locations; and looking for connections that do not make sense based on the user’s recent or current location.
With this in mind, it is possible to build a highly efficient system to detect malicious behaviour extremely accurately.
But there is one more key step needed for true user-centric security.
The classic SIEM/SOC architecture relies on the SOC engineer to identify the issue. Then, it’s necessary for the SOC engineer to discuss the matter with the users involved, in order to identify whether this is genuinely a breach or in fact legitimate, but unusual or new behaviour. This communication is frequently delayed, often frustrating for all parties involved and has little added value.
The alternative is to communicate automatically with the user, in a user-centric, user-friendly manner.
When a user accesses an account or application in an unusual fashion, the user knows best whether they are responsible for this change in behaviour or an attacker has breached the system. When a new delegate is added to an account, documents are shared strangely, or rights are granted to other users – again, it is the user (the account owner) who knows whether these are legitimate actions.
We MUST begin to harness this knowledge. We must provide the user with comprehensible and easy-to-respond-to information, allowing them to instantly identify the real breaches.
The cavalry has arrived
With this in mind, the entire user base of the company can become part of the cyber defences. Simultaneously, the scaling, cost and speed issues of the classic architecture can be mitigated.
Advantages of this approach include:
- Reduced SIEM and SOC costs
User-centric and application-aware log management can be handled outside of the expensive SIEM, passing only information of suspected breaches into the This significantly reduces the demand for additional SIEM investment and additional SOC engineers.
- Decreased resolution times
Users will instantly identify the genuine breaches, allowing the security team to promptly focus on remediation. There is no need for the security team to parse thousands of possible issues, rejecting most as false alarms.
- Improved security-user communication
Communication is in the user’s language, providing clear explanation of the issue and how they can react.
- Users become highly engaged in cyber security
They see when they have been breached, they begin to understand where their behaviour can make them more vulnerable, and they have the ability to take responsibility for their own security.
But it’s not that easy
While the recipe above is certainly the way forward, it is by no means trivial. There are many ways in which this approach can collapse on itself. It is critical that we accurately identify the likely breaches. It is fundamental that the communication with the user is easy-to-understand and there is clarity on how to react. It is also crucial that the user is not flooded by frequent messages and important to engage them in the process step-by-step.
And, of course, we absolutely must retain the engagement with the SOC to ensure that there is a single place to understand all vulnerabilities in all security incidents, and to manage over organisation security.
All of these problems can be solved with the right technology and the right processes.
Learn more about IDECSI's technology to empower your users to secure your enterprise or contact our cyber security experts to schedule a live demo.
