By Augusto Barros
It’s no secret that the threat landscape is rapidly changing. Securonix Autonomous Threat Sweeper (ATS), for example, observed 1,588 global cyber threats over the past year. With new threats on the horizon daily, industries around the world are scrambling to protect their businesses. The good news is that the cybersecurity industry has been steadily evolving to meet those threats.
With increased threats comes a greater need for advanced security measures. Companies can no longer rely on the achievements of the past, which drives continuous industry innovation. This evolution fuels three key trends emerging within the cybersecurity industry to meet the needs of organisations in the growing threat landscape.
Detecting Activity Through Collaboration
Collaboration might seem like an obvious thing, however, the growth in collaboration throughout the cybersecurity industry has been explosive in both public and private sectors. What was once taboo, is now a growing requirement, with renewed interest in collaboration that cuts across industries and geographies. This development puts a greater emphasis and value on sharing not only threat intelligence but also threat detection content and knowledge to support proactive defense. Public-private partnerships are critical to defending against evolving cyber threats and an ever-expanding attack surface.
The production and consumption of threat intelligence is a rapidly growing practice as part of the push toward collaboration. Organizations are now aware that they need the data, but many security systems are still designed to operate in a siloed manner. Technology is moving towards a new reality in which shared information can be used in multiple steps of threat detection and response, from real-time detection to retroactive sweeps of logs, and from inter-organization sharing to intra-group and intra-SOC collaboration.
We now see numerous examples, like when reports emerged about a threat group (named Storm-0558 by Microsoft) accessing email accounts from multiple organizations, including U.S. government agencies. This is an interesting case where we can see how collaboration among technology providers, customers and government can help organizations fight cyber threats. Although steps and artifacts used by threat actors change and evolve over time, efficiently sharing information and data about attacks allows organizations to detect similar activity in their environments.
Increase in Insider Threats
The volume of typical cyber threats often eclipses the relevance and importance of insider risk. Insider threats are different in two ways: they are not as frequent as external cyber attacks, but the potential for more impact is much greater.
Some recent cases of cyber espionage, sabotage and even the participation of insiders in major ransomware attacks remind us that security is not only about blocking attacks from the internet, but also monitoring and controlling the use of resources by authorized, internal users.
We are currently witnessing an interesting moment in insider threat defense. Research shows a significant increase in insider threats — malicious or not — over pre-pandemic levels. Effectively detecting insider threats requires advanced analytics with robust capabilities, something that is virtually impossible to accomplish with traditional signatures and rules approaches.
We now have a deeper understanding of how to detect insider threats, with programs moving away from DLP solutions based on static content signatures to smarter approaches based on advanced analytics, including promising new AI techniques and algorithms. The buzz around AI now seems easier to justify in this field, as advanced algorithms identify anomalous and potentially malicious behaviour by authorised users.
The Coming of Age in AI and Analytics
The use of advanced analytics in cybersecurity has been growing fast, with new use cases emerging every day. Machine Learning successfully detects malware, phishing, and other simple threats. But as expectations start to align with reality, many have found that we still have too many alerts and false positives. This is where the new wave of analytics will focus on, enabling detection of more than just the “bad things,” but providing more meaningful alerts.
The famous correlation promise of the old SIEM will manifest itself in a completely new way, where detection engineers will not be required to identify the connections between multiple events in advance. Now is the time to expand the use of tools like AI to help identify more subtle attacks, link different threat activity streams together and, most importantly, help further weed out false alarms while empowering security analysts and engineers during their investigations to accelerate the confirmation and response to breaches in meaningful ways.
(The author is Augusto Barros, VP Cyber Security Evangelist at Securonix, and the views expressed in this article are his own)
