By Mark Bloom of Sumo Logic
John Chambers, ex-CEO of Cisco, once said there are two types of companies: those that have been hacked and those that don’t yet know they have been hacked. Consider, for a moment, the following statistics:
- There were 783 major breaches in 2014.
- This represents a 30 percent increase from 2013.
- Median number of days before detection: 205.
- Percentage of victims notified by external entities: 69 percent.
Companies are finally coming to the conclusion that security vendors and their solutions are failing them. Despite the unbelievable growth in overall security spending, organizations are not any safer. And security attestations like PCI and HIPAA, while helping with compliance, do not equate to a stronger security posture.
Don’t believe it? Netflix recently indicated that the company was dumping its anti-virus solution. And because Netflix is a well-known innovator in the tech space, and the first major web firm to openly dump its anti-virus software, others are likely to follow.
Even the federal government is jumping into this security cesspool. In a recent U.S. appellate court decision, the Federal Trade Commission (FTC) was granted authority to regulate corporate cybersecurity. This was done because the market has failed and it was necessary for the government to intervene through public policy (i.e. regulation or legislation).
Research has indicated that security solutions are rarely successful in detecting newer, more advanced forms of malware, and scans of corporate environments reveal that most enterprises are already infected. A change in overall security strategy is needed as companies realize that adding more layers to their security infrastructure is not necessarily increasing their security posture. Instead of just bolting on more and more layers, companies are looking for better ways to tackle the problem.
While security has gotten better over the years, so too have the bad actors, whether they are cybercriminals, hacktivists or nation states. Malware-as-a-service has made this too easy and pervasive. The bad guys are going to find ways to penetrate any barrier put up, regardless of whether a company is running physical, virtual or cloud (PVC) infrastructures. So is all hope lost? Or is there a path to enlightenment by looking at this problem through a different lens?
The Insider Threat
According to recent industry research, cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user. Today’s cyber attacks are no longer targeting the infrastructure, so security needs to focus on the real risk, which lies with the user. Understanding user behavior therefore becomes the key to defense.
And the ROI of this approach is huge, because the report – which analyzed user behavior across 10 million users, 1 billion files and 91,000 cloud applications – found that 75 percent of the security risk could be attributed to just 1 percent of the users. And almost 60 percent of the apps installed are directed by highly privileged users. Given these facts, and that cybercriminals always leverage these highly coveted, privileged user accounts during a data breach, understanding user behavior is critical to improving one’s security posture.
As more and more organizations deploy modern-day productivity tools like Microsoft 365, Google Apps and Salesforce.com, not understanding what users are doing injects unnecessary and often unacceptable risk into the business.
What Can Business Do?
Leveraging activity-monitoring APIs across these applications, companies can monitor a number of activities that help in reducing overall risk. These include:
- Visibility into user actions and behaviors
- Understanding who is logging into the service and from where
- Investigating changes made by administrators
- Failed and successful login attempts
- Identifying anomalous activity that might suggest compromised credentials or malicious insider activity
- Tokens: information about third-party websites and applications that have been granted access to your systems
This emerging field of User Activity Monitoring (UAM) – applied to cloud productivity and collaboration applications like Microsoft 365, Google Apps and Salesforce.com – can help to eliminate guesswork and assess the risk, in near-real time, of user activity. UAM (sometimes used interchangeably with user behavior analytics – UBA) employs modeling to establish what normal behavior looks like and identify anomalies, patterns and deviations that might require additional scrutiny.
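The list of activities above and the baseline-and-deviation approach described in this paragraph can be illustrated with a small worked example. The code below is an added illustration written for this post, not Sumo Logic's product code and not any vendor's API: it takes a constructed set of audit events of the kind cloud activity APIs typically expose (field names `user`, `action`, `result`, `country`, `ts` are assumptions), builds a per-user baseline of successful logins (countries seen, hours of day), and then flags new events that deviate from it: logins from a country never seen for that user, logins at an unusual hour, a burst of failed logins, users with no baseline at all, and privileged actions such as admin changes or third-party token grants. The thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Each record is one user action as an
# activity-monitoring API might report it; the field names are assumptions.
BASELINE_EVENTS = [
    {"user": "alice", "action": "login", "result": "success", "country": "US", "ts": "2015-09-01T09:05:00"},
    {"user": "alice", "action": "login", "result": "success", "country": "US", "ts": "2015-09-02T08:55:00"},
    {"user": "alice", "action": "login", "result": "success", "country": "US", "ts": "2015-09-03T09:10:00"},
    {"user": "alice", "action": "file_share", "result": "success", "country": "US", "ts": "2015-09-03T10:00:00"},
    {"user": "bob", "action": "login", "result": "success", "country": "DE", "ts": "2015-09-01T14:00:00"},
    {"user": "bob", "action": "login", "result": "failure", "country": "DE", "ts": "2015-09-02T14:02:00"},
    {"user": "bob", "action": "login", "result": "success", "country": "DE", "ts": "2015-09-02T14:03:00"},
]

# Constructed "today" events to score against the baseline.
NEW_EVENTS = [
    {"user": "alice", "action": "login", "result": "success", "country": "RO", "ts": "2015-09-10T03:12:00"},
    {"user": "carol", "action": "login", "result": "success", "country": "US", "ts": "2015-09-10T09:00:00"},
    {"user": "bob", "action": "login", "result": "failure", "country": "DE", "ts": "2015-09-10T14:00:00"},
    {"user": "bob", "action": "login", "result": "failure", "country": "DE", "ts": "2015-09-10T14:01:00"},
    {"user": "bob", "action": "login", "result": "failure", "country": "DE", "ts": "2015-09-10T14:02:00"},
    {"user": "bob", "action": "oauth_token_grant", "result": "success", "country": "DE",
     "ts": "2015-09-10T14:05:00", "app": "example-third-party-app"},
]

# Actions that always deserve a second look: admin changes and third-party access grants.
PRIVILEGED_ACTIONS = {"admin_role_grant", "oauth_token_grant", "mailbox_forwarding_rule"}
FAILED_LOGIN_THRESHOLD = 3      # illustrative: N failures ...
FAILED_LOGIN_WINDOW_MIN = 10    # ... within this many minutes is a burst
HOUR_TOLERANCE = 2              # hours of day this far from a baseline hour count as normal


def build_baseline(events):
    """Model 'normal' per user from successful logins: countries seen and hours of day."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["action"] == "login" and e["result"] == "success":
            b = baseline[e["user"]]
            b["countries"].add(e["country"])
            b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return dict(baseline)


def _hour_is_usual(hour, usual_hours):
    # Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 hours apart.
    return any(min((hour - h) % 24, (h - hour) % 24) <= HOUR_TOLERANCE for h in usual_hours)


def score_events(baseline, events):
    """Return (user, flag, ts) tuples for events that deviate from the baseline."""
    flags = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["action"] == "login":
            if e["result"] == "failure":
                # Keep only failures inside the sliding window, then check the count.
                window = [t for t in recent_failures[user]
                          if (ts - t).total_seconds() <= FAILED_LOGIN_WINDOW_MIN * 60]
                window.append(ts)
                recent_failures[user] = window
                if len(window) >= FAILED_LOGIN_THRESHOLD:
                    flags.append((user, "failed_login_burst", e["ts"]))
                continue
            b = baseline.get(user)
            if b is None:
                flags.append((user, "no_baseline", e["ts"]))
                continue
            if e["country"] not in b["countries"]:
                flags.append((user, "new_country:" + e["country"], e["ts"]))
            if not _hour_is_usual(ts.hour, b["hours"]):
                flags.append((user, "unusual_hour:%02d" % ts.hour, e["ts"]))
        elif e["action"] in PRIVILEGED_ACTIONS:
            flags.append((user, "privileged_action:" + e["action"], e["ts"]))
    return flags


if __name__ == "__main__":
    for user, flag, ts in score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(ts, user, flag)
```

Run against the constructed data, the scorer raises a new-country and unusual-hour flag for alice's 03:12 login from Romania, a no-baseline flag for carol (a user the model has never seen log in), a failed-login burst on bob's third failure inside the ten-minute window, and a privileged-action flag for bob's third-party token grant. In practice the baseline would be rebuilt from weeks of history and the flags would be routed to an analyst or a SIEM rather than printed, but the shape of the model is the same: describe what normal looks like per user, then surface the deviations.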
This in turn helps today’s security and compliance teams to quickly identify areas of user risk – their Achilles’ Heel – before it brings them down. And if Chambers was right about two types of companies, those who have been hacked and those who don’t yet know they have been hacked, it is critical to put your best security foot forward.
The views, opinions and positions expressed within this guest post are those of the authors alone and do not represent those of CBS Small Business Pulse or the CBS Corporation. The accuracy, completeness and validity of any statements made within this article are verified solely by the authors.