This is part two of a three-part series about improving the black box approach to cybersecurity. Read part one here.
The Limitations of Rules-Based Cybersecurity
Imagine a large financial services company that uses a mix of rules-based Cybersecurity platforms, Y and Z. Each of these has value, but even taken all together, they are unable to deliver a clear, complete picture. Limitations include:
● Manual data correlation
● Manual extraction and normalization from multiple sources
● Partial, disparate data insights
● Inability to decipher real-time network behavior
Organizations generally choose between one of two models:
- Extracting, transforming, and manipulating data in its own proprietary silo and then providing human intelligence with comparative analysis and anomaly detection.
- A data-agnostic approach that uses AI and threat investigation intelligence in advance of aggregation and normalization.
Both approaches have merit, but again, neither deliver a whole picture view of organizational data.
One central and often overlooked factor is that CloudTrail information doesn’t provide access or visibility into things like user behavior or precise application access behavior. CloudTrail information is limited to entity information — for example, access denied instances and geographic markers. Trying to look beyond the IP address is an endeavor with a very limited scope.
Holistic insight into how high-level information is tied to specific accounts users is central to launching an effective security strategy. Unfortunately, all too often, SOC analysts find themselves applying human intelligence and comparing spreadsheet data to arrive at potential correlative values that may or may not be helpful or even accurate.
At the heart of the issue is the fact that creating silo-based cloud data is not a reasonable long-term solution. It’s simply another arm of legacy solutions involving siloes for sources like network traffic data and log data. The thought is that somewhere along the line, a tool will marry siloed data together and make sense of it — for a hefty price, on top of the price customers pay to store data in expensive, duplicative formats.
Scale and Scope Limitations Inherent to Traditional Cybersecurity Solutions
Traditional Cybersecurity notoriously has issues dealing with economies of scale, a significant problem when it comes to the ever-cascading flow of generated data flowing to and from cloud environments. Hybrid solutions are architecturally and technically complex, and yesterday’s security solutions weren’t designed in the emancipation of the veritable fire hoses of data and busy data pipelines modern organizations have on tap.
Customers are forced to consider business problems based on the data available to them. The reality is that data stored in multiple data formats — cloud, log, or network data — is inherently challenging to analyze. Customers want to solve problems like identifying and understanding anomalies or account access behaviors by correlating anomalous behaviors of specific accounts with other parameters like geography or ingress and egress points, but few rules-based Cybersecurity tools have the ability to do that without a great deal of manual data massaging and manipulating.
Customers have been forced to extract, transform and normalize data from multiple data sources and add to it or manually correlate it in order to pull out relevant information about anomalous behavior. This set of circumstances is a common and significant industry-wide problem.
A data-agnostic platform like MixMode can take the most advantage of relevant data that doesn’t exist within disparate data streams, without regard to the significant difference in data volumes, perform automated correlative analysis, real-time threat and anomaly detection. MixMode frees organizations from multi-platform tech that is doing little to help them derive value and meaning from their expensive data stores.
Disparate Data Type Problems
Data type matters and siloed data is frequently of little value on its own. For example, flow log and CloudTrail data alone do not provide a full picture view of threat and anomaly intelligence. As a result, organizations routinely arrive at the wrong conclusions about the implications of siloed data and related behaviors.
Taking a holistic view is a far more effective, efficient approach, but traditional Cybersecurity tools like SIEM lack the capability to deliver that view. Ultimately, SIEM — even AI-enhanced SIEM — falls short in the modern era of computing because it’s based on fundamentally limiting mechanics. For AI to make the move from the researcher’s chalkboard to having a demonstrable impact in everyday life, the need to be able to explain ‘why’ it is making the decisions that it does becomes increasingly critical.
Unless operators are prescient enough to know exactly what questions they want to prioritize to each subset of data, their understanding of that data falls far short of an interconnected, collaborative big picture view. MixMode uses third-wave AI and extreme processing power to automatically identify and surface threats and anomalies regardless of data type, structure, or the questions clients are trying to answer from the start. The platform can even identify anomalous behavior in real-time, including zero-day attacks.
Next week is the finale of our three part series on how to improve the black box approach to cybersecurity. We will discuss the role of AI in cloud security and ways to make an informed cloud security decision for your SOC.