Detecting and managing attacks on IT systems is a serious problem. Cyber criminals are using increasingly sophisticated techniques to infiltrate organizational IT systems and commit crimes including data theft, denial of service and blackmail. Yet statistics show that most data breaches are discovered by parties outside the organization rather than by its own security tools.
Traditional perimeter security devices like firewalls, IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) are widely deployed. These tools are effective against known threats for which patterns and signatures exist. They also generate alerts when suspicious events occur; however, the volume of these events is such that it is almost impossible to investigate each one as it occurs. While these devices remain an essential part of the defence for the agile connected business, they cannot detect a range of threats including the use of compromised credentials, insider threats, data exfiltration, access misuse and zero-day attacks.
SIEM (Security Information and Event Management) is often promoted as the solution to these problems. However, SIEM is essentially a set of tools that must be configured to collect and analyse event data, typically after the fact, and to produce reports for auditing and compliance purposes. While SIEM is a core security technology, it has not generally succeeded in providing actionable security intelligence in time to avert loss or damage.
External attacks now involve a complex process, often including an element of social engineering, in which compromised or illicitly obtained user credentials are used to gain access to data. This is partly because conventional network defences are strong against a direct frontal attack, and partly because apparently legitimate credentials pass other security controls unchallenged: encryption, for example, protects data only from those who are not authorized to decrypt it. Furthermore, insider threats continue to be a real problem and these invariably involve the misuse of access rights. For these reasons identity and access controls have become the new perimeter.
The most effective way of detecting illegitimate access to data is to monitor user identity, access and activity. Even more importantly, better access governance is essential to reduce the risk of data theft in the first place. Some traditional SIEM vendors are starting to include analysis of user activity logs in their products. However, distinguishing abnormal from normal behaviour remains a problem, because there is no single baseline that fits every user. Big Data machine learning technology offers a potential solution by learning the identity, access and activity patterns that are common to a peer group of users and flagging individuals who deviate from them.
What is needed is the integration of user identity, access and activity analysis into cyber-defence, to improve threat prediction and detection and to enable remedial action before damage is done. This requires techniques from big data infrastructure and machine learning to analyse the massive amount and variety of data from many sources, and to raise alarms only where there is high confidence that the anomalies detected represent a real threat.
The volume of threats to IT systems, their potential impact and the difficulty of discriminating between real threats and false alarms are the reasons why a new approach is needed. Calibrating what is normal, so that the signal-to-noise ratio improves and genuine anomalies stand out, remains a challenge, and achieving this with bespoke rules in some tools requires considerable skill. It is important to look for a solution that can easily build on the knowledge and experience of the IT security community, vendors and service providers. End user organizations should always opt for solutions that include managed services and pre-configured analytics, not just bare tools.
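As an added illustration of the peer-group baselining described above (this is example code written for this page, not code from the report or from STEALTHbits), the following Python compares each user's file-share activity with that of the other members of the same department. The access records, department names, share paths and thresholds are all constructed for the example; it uses a simple statistical baseline rather than a machine-learning model, but the peer-relative logic is the one the text describes. It shows two of the signals mentioned above, access to resources that a user's peers do not touch (access misuse) and read volume far above the peer median (a precursor of exfiltration), and it suppresses a single stray read of an unusual share so that one mistake does not raise an alarm.

```python
"""Peer-group baselining of file-share activity (illustrative, not StealthDEFEND code)."""
from collections import defaultdict
from statistics import median

# Constructed sample: one day of share access aggregated per (user, department, share, reads).
# Names, shares and counts are made up for this example.
SAMPLE_ACCESS = [
    ("alice", "finance", r"\\fs01\finance", 42),
    ("alice", "finance", r"\\fs01\public", 5),
    ("bob",   "finance", r"\\fs01\finance", 37),
    ("bob",   "finance", r"\\fs01\public", 3),
    ("bob",   "finance", r"\\fs01\it", 1),        # one stray read: should NOT alert
    ("carol", "finance", r"\\fs01\finance", 51),
    ("carol", "finance", r"\\fs01\public", 6),
    ("dave",  "finance", r"\\fs01\finance", 45),
    ("dave",  "finance", r"\\fs01\hr", 9),        # shares no finance peer touches
    ("dave",  "finance", r"\\fs01\legal", 14),
    ("erin",  "hr", r"\\fs01\hr", 30),
    ("erin",  "hr", r"\\fs01\public", 4),
    ("frank", "hr", r"\\fs01\hr", 28),
    ("frank", "hr", r"\\fs01\public", 2),
    ("grace", "hr", r"\\fs01\hr", 33),
    ("grace", "hr", r"\\fs01\public", 410),       # normal share, abnormal volume (bulk read)
]

RARE_PREVALENCE = 0.25   # a share is "rare" if fewer than 25% of the user's peers ever touch it
MIN_RARE_READS = 3       # ignore a single stray read of a rare share (noise suppression)
VOLUME_Z = 3.0           # robust z-score above which total volume is anomalous
MIN_PEERS = 2            # below this the peer group is too small to baseline against


def build_profiles(records):
    """Return {dept: {user: {share: reads}}} from (user, dept, share, reads) tuples."""
    profiles = defaultdict(lambda: defaultdict(dict))
    for user, dept, share, reads in records:
        profiles[dept][user][share] = profiles[dept][user].get(share, 0) + reads
    return profiles


def robust_z(value, peer_values):
    """Median/MAD z-score: one peer who is himself an outlier does not shift the baseline much."""
    med = median(peer_values)
    mad = median(abs(v - med) for v in peer_values)
    if mad == 0:                       # all peers identical: any excess is unbounded deviation
        return float("inf") if value > med else 0.0
    return (value - med) / (1.4826 * mad)   # 1.4826 scales MAD to a standard-deviation estimate


def score_user(user, group):
    """Compare one user with the other members of the same department; None if too few peers."""
    peers = {u: s for u, s in group.items() if u != user}   # leave the user out of his own baseline
    if len(peers) < MIN_PEERS:
        return None
    own = group[user]
    rare = {}
    for share, reads in own.items():
        prevalence = sum(1 for s in peers.values() if share in s) / len(peers)
        if prevalence < RARE_PREVALENCE and reads >= MIN_RARE_READS:
            rare[share] = reads
    z = robust_z(sum(own.values()), [sum(s.values()) for s in peers.values()])
    return {"user": user, "rare_shares": rare, "volume_z": round(z, 2)}


def detect(records):
    """Return alerts only where at least one strong, peer-relative signal is present."""
    alerts = []
    for dept, group in build_profiles(records).items():
        for user in group:
            s = score_user(user, group)
            if s is None:
                continue
            reasons = []
            if s["rare_shares"]:
                reasons.append("reads shares used by fewer than %d%% of peers: %s"
                               % (RARE_PREVALENCE * 100, ", ".join(sorted(s["rare_shares"]))))
            if s["volume_z"] >= VOLUME_Z:
                reasons.append("read volume %s robust std-devs above peer median" % s["volume_z"])
            if reasons:
                alerts.append({"user": user, "department": dept, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ACCESS):
        print(alert)
```

On the constructed data only two users are reported: dave, for reading two shares that none of his finance peers use, and grace, whose read count is far above the other HR users even though the shares themselves are normal. bob's single read of an unfamiliar share is below the suppression threshold and stays quiet, and a user without enough peers gets no score at all rather than a spurious one; in a real deployment the peer grouping, thresholds and the choice of activity dimensions are exactly the calibration work the text says requires skill or pre-configured analytics.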
2 Product Description
STEALTHbits Technologies is a privately held software company with its head office in Hawthorne NJ in the USA. The company is focused on protecting o ...
2.1 STEALTHbits Products Overview
STEALTHbits provides several products to support credential and data security processes for a range of environments. The products include:
- Steal ...
StealthDEFEND is the real-time threat analytics component of STEALTHbits’ Data Access Governance Suite. It uses data from STEALTHbits Activity Moni ...
StealthDEFEND employs unsupervised Machine Learning technology that can detect patterns not discernible through summary statistical analysis. It is b ...
StealthDEFEND key features include:
- Unsupervised Machine Learning – StealthDEFEND incorporates Machine Learning models to evaluate, correlate, a ...
3 Strengths and Challenges
StealthDEFEND provides a useful solution to help detect cyber-threats. Unlike other solutions that focus on network traffic or on technical vulnerabi ...
4 Related Research
Advisory Note: Real Time Security Intelligence - 71033
Blog: Real-time Security Intelligence – more than just “next generation SIEM”
Leadership Compass: Privilege Management - 72330
Executive View: STEALTHbits® Products Overview - 70270
Advisory Note: Redefining Access Governance - Beyond annual recertification - 72529
Advisory Note: Understanding and Countering Ransomware - 70282
Survey: State of Organizations: Does Their IAM Meet Their Needs in the Age of Digital Transformation? - 74003
Leadership Brief: How to close the skill gap in your Cyber Defense Center - 72800