
7 Steps to Automating Cyber Threat Detection and Analysis


June 14, 2016
Gary Southwell
KEYWORDS: automated threat detection / cyber risk mitigation / cybersecurity analysis / data breach

https://www.securitymagazine.com/articles/87193-steps-to-automating-cyber-threat-detection-and-analysis

Why are so many breaches continuing to occur without letup after several years of
headlines? Are the attackers that smart, or are businesses not putting the proper focus on the
problem?

Perhaps the best way to answer is to start with the bottom line and define the concept of
risk:

Step 1: Determining Value

Intellectual property for certain industry verticals can be extremely valuable. For these
companies, it is fairly easy to look at market valuations and attribute a reasonable percentage
to that value. Client and patient records are also highly valuable – for healthcare providers
and insurers, HIPAA violations carry fines for data loss that range up to hundreds of dollars
per record. While not all industry verticals have well-established values, most organizations
have the means to determine the value of such information. It often comes down to valuing
the data loss in real costs as well as opportunity costs.

For the Fortune 5000, the argument can be made by reviewing recent data – severe
breaches can tally costs in the millions of dollars.

Step 2: Probability of a Breach

The next portion of the equation is the probability of a breach. This is where perception and
reality seem to diverge. While most businesses know there is a probability of a breach, many
believe that if they are not a Fortune 500 firm, the probability is lower that they will be the
target of an attack. This ignores several facts. First, most breaches are driven more often
by opportunity than by focus. Phishing attacks are good examples – they cast out emails by the
millions looking for responses, regardless of organization size.

The Verizon Data Breach Industry Report shows there are thousands of confirmed breaches
every year. The 2016 report indicates 3,141 confirmed worldwide breaches. The numbers are
likely much higher as many breaches do not get reported or go undetected.

Cyber Risk Equation – Putting It All Together

Cost of Data Loss x Probability of Such Loss/Year = Yearly Cyber Risk


Example: Small healthcare provider

$500/patient record x 2000 records x 40% probability of breach = $400,000 yearly risk

As this example shows, the risk is high even for mid-sized enterprises and reaches into the
millions per year for the smallest of the Fortune 5000.

Mitigating Risk of Data Loss from a Breach

We have security staff and tools already in place, so aren’t we protected?

Enterprise Strategy Group recently completed research that surveyed 125 IT/cybersecurity
professionals with responsibility for incident response at their organizations, and made an
unsettling discovery. Even with significant investment in information security
solutions, nearly 74 percent of those surveyed reported that security events/alerts are simply
ignored because their teams can’t keep up with the suffocating volume.

These are organizations with SOC staff and sophisticated security equipment.

The point is, no matter how well equipped, today’s organizations are lacking the security
talent and resources necessary to fight relentless, increasingly sophisticated attacks.

While many cybersecurity technology tools exist today to help the enterprise detect threats,
the challenge is that they are:

- Siloed;
- Perimeter-focused;
- Dependent on complex, detailed training and sophisticated staff to be leveraged
effectively; and
- Prolific generators of alerts, even with explicit training, which limited staff cannot
physically analyze in a timely enough manner to stop or prevent the threats from
inflicting damage.

This cybersecurity model is no longer sustainable. A holistic, automated approach is required,
ideally one that takes security analysts out of the detection role and puts them back to
proactively improving the security posture of the organization.

Automating Threat Detection and Analysis – The 7-Step Program

Step 1: Monitor everything


The best way to protect everything is to monitor everything. Unfortunately, today’s answer
is the complex, siloed approach outlined above, which makes this a human-intensive effort.

Step 2: Build a system that can automatically detect every form of attack – DDoS, brute-force,
compromised credentials, malware, insider threats and APTs. You need to detect it all
under one application if it’s going to be effective.

Step 3: Improve the means of detecting attacks and avoiding false positives. This
requires a combination of intelligent data collection and analysis, threat modeling, machine
learning and advanced correlation techniques.

Step 4: Detect the threats in real-time – within minutes as they develop. This is critical –
the faster an attack is detected, the greater the decrease in data loss, and that decrease is
exponential.

Step 5: Simplify what’s reported. One clear concise alert that gets updated is better than
hundreds of messages regarding the same underlying issue.

Step 6: Send notification of critical alerts automatically via email and texts. Stop the need
to continuously watch screens. Screen watching is costly and difficult to do well
continuously.

Step 7: Contain the threat – automatically from within the same application. Taking action
to stop the threat is the most critical step, and an automated approach should both detect
and contain it.
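Steps 2 through 7 above describe one pipeline: detect an attack type from raw events within a short time window, collapse everything about the same underlying issue into a single alert that gets updated, notify once on a critical alert, and contain from the same place. The following is an added illustration, not code from the article or from any product it refers to. It takes brute-force login detection as the attack type, uses a constructed set of authentication events, and assumes a threshold of five failures within a five-minute sliding window; the `notify` and `contain` hooks are hypothetical stand-ins for an email/SMS sender and a blocking action, and the detector only records what it would have sent or blocked.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the article):
# (timestamp, source IP, user name, outcome).
SAMPLE_EVENTS = [
    ("2016-06-14 09:00:01", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:05", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:07", "198.51.100.4", "bob", "failure"),
    ("2016-06-14 09:00:09", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:13", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:15", "192.0.2.10", "carol", "success"),
    ("2016-06-14 09:00:17", "203.0.113.7", "alice", "failure"),  # 5th failure -> alert
    ("2016-06-14 09:00:21", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:25", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:29", "203.0.113.7", "alice", "failure"),
    ("2016-06-14 09:00:40", "198.51.100.4", "bob", "failure"),
    ("2016-06-14 09:20:00", "203.0.113.7", "alice", "failure"),  # outside the window
]


@dataclass
class Alert:
    """One alert per underlying issue; it is updated, never duplicated (Step 5)."""
    key: tuple
    severity: str
    first_seen: datetime
    last_seen: datetime
    count: int
    contained: bool = False


class BruteForceDetector:
    """Sliding-window failed-login detector (Steps 2-4) with alert aggregation,
    a single notification and automatic containment (Steps 5-7). Hypothetical."""

    def __init__(self, threshold=5, window=timedelta(minutes=5),
                 notify=None, contain=None):
        self.threshold = threshold
        self.window = window
        # Hooks a real deployment would wire to email/SMS and a blocking API.
        self.notify = notify or (lambda alert: None)
        self.contain = contain or (lambda alert: None)
        self.failures = defaultdict(list)  # source IP -> failure timestamps in window
        self.alerts = {}                   # key -> Alert
        self.notifications = []            # record of what was sent, for the demo
        self.containments = []             # record of what was blocked, for the demo

    def ingest(self, timestamp, source, user, outcome):
        ts = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
        if outcome != "failure":
            return None
        # Keep only failures from this source that fall inside the sliding window.
        recent = [t for t in self.failures[source] if ts - t <= self.window]
        recent.append(ts)
        self.failures[source] = recent
        if len(recent) < self.threshold:
            return None
        return self._raise(("brute-force", source), ts, len(recent))

    def _raise(self, key, ts, count):
        alert = self.alerts.get(key)
        if alert is None:
            # First time this issue is seen: one alert, one notification, one containment.
            alert = Alert(key=key, severity="critical", first_seen=ts,
                          last_seen=ts, count=count)
            self.alerts[key] = alert
            self.notifications.append(f"CRITICAL {key[0]} from {key[1]} at {ts}")
            self.notify(alert)
            self.containments.append(key[1])
            self.contain(alert)
            alert.contained = True
        else:
            # Same underlying issue: update the existing alert instead of re-alerting.
            alert.count += 1
            alert.last_seen = ts
        return alert


def run_sample(events=SAMPLE_EVENTS):
    """Feed the constructed events through a detector and return it for inspection."""
    det = BruteForceDetector()
    for event in events:
        det.ingest(*event)
    return det


if __name__ == "__main__":
    d = run_sample()
    for a in d.alerts.values():
        print(a)
    print(d.notifications, d.containments)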

By following these steps, threat risk can be dramatically reduced. Of course, the right system
is needed to make this practical. The good news is that a new era of cybersecurity solution
providers is now delivering such systems.

You might also like