(Editor’s Note: this article originally appeared as a contributed piece on infosecurity-magazine.com)
As cyber security gets hotter (or maybe more and more depressing, depending on how you look at it), new buzzwords come to dominate our discussions.
We’re all sick of ‘APT’ and ‘threat intelligence’ (at least I know I am). We’ve also begun to tire of hearing words such as ‘breach,’ and even ‘cyber’ itself.
However, buzzwords have a place. They are a good barometer of the focus of both the security industry and the general population.
I predict that ‘orchestration’ and ‘analytics’ will be the industry’s next top buzzwords. Let me explain why.
‘Analytics’ isn’t necessarily a new buzzword, but it’s a bit behind ‘threat intelligence’. Everyone was saying ‘threat intelligence’ in 2014 (and some of 2013), but it only recently started to become more concrete and standardized in its definition.
‘Analytics’ is lagging behind. But we need analytics as attacks become increasingly complex and diverse. Once intruders obtain access, they often start using built-in tools or tactics to blend in with the noise of regular environment activity. Detection is becoming increasingly difficult, so we turn to analytics.
Think of credit card fraud. Financial companies don’t know exactly how a stolen credit card will be used. It could be to buy iTunes credits online, electronics in a store in Hong Kong, or any of a million other things.
To detect credit card fraud, companies look at known good and bad transactions and try to profile expected normal behavior. When activity begins to fall outside that fuzzy box, you’re notified.
Analytics is the comparison of current user, system or network activity against historical activity and current behavior by other parts of the environment – and it is going to become hot over the next year. We will still be authorizing applications and detecting known bad binaries, network sites, and behavior, but analytics will continue to rise as the use of stolen credentials and insider threats becomes increasingly prevalent.
I’ve been at Fortune 50 companies where the only quick way to detect where Chinese hackers were ‘living off the land’ (inside the environment, lurking, watching and learning) was to look for things such as strange network-share usage; abnormal command-lines for cmd.exe, ftp.exe, and robocopy.exe; and other unusual behavior. Analytics could quickly identify what otherwise would take weeks.
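What that kind of analytics looks like in practice, as an added illustration rather than anything from the original article or from a particular product: build a baseline of how cmd.exe, ftp.exe and robocopy.exe are normally invoked across a fleet, reduce each command line to a "shape" (image, switches, and the kinds of arguments it touches, such as a named file share, an admin share on a bare IP, or a local path), then score new events by whether this host has run that shape before and how many peers have. The events, hostnames, share names and threshold below are all constructed for the example.

```python
"""Baseline-and-deviation analytics over process-creation events (added example).

Rather than matching known-bad strings, we profile what the built-in tools
normally do on each host and across peers, then flag activity that is new for
the host AND rare across the environment: the 'living off the land' pattern
(strange share usage, odd cmd/ftp/robocopy command lines) described above.
All hosts, users, shares and command lines here are constructed sample data.
"""
import re
from collections import defaultdict

UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")          # \\host\share...
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DRIVE_RE = re.compile(r"^[a-z]:\\")
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def classify_arg(tok):
    """Reduce a non-switch argument to a coarse category so the baseline
    generalises across users and paths instead of memorising exact strings."""
    t = tok.lower()
    m = UNC_RE.match(t)
    if m:
        host, share = m.groups()
        kind = "unc-ip" if IP_RE.match(host) else "unc"
        if share == "admin$" or (len(share) == 2 and share.endswith("$")):
            kind += "-adminshare"                     # c$, d$, admin$
        return f"{kind}:{share}"
    if IP_RE.match(t):
        return "ip"
    if DRIVE_RE.match(t):
        return "local"
    if HOST_RE.match(t):
        return "host"
    if t.isalpha():
        return f"word:{t}"                            # e.g. 'net', 'use', 'dir'
    return "other"


def shape_of(cmdline):
    """(image, sorted switch names, sorted argument categories).
    Assumption: sample command lines contain no quoted paths with spaces."""
    tokens = cmdline.split()
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    flags, args = set(), set()
    for tok in tokens[1:]:
        if tok[0] in "/-":
            flags.add(tok.lower().split(":")[0])      # /R:2 -> /r, -s:file -> -s
        else:
            args.add(classify_arg(tok))
    return (image, tuple(sorted(flags)), tuple(sorted(args)))


def build_baseline(events):
    """Map each observed shape to the set of hosts that produced it."""
    hosts_by_shape, hosts = defaultdict(set), set()
    for host, cmdline in events:
        hosts_by_shape[shape_of(cmdline)].add(host)
        hosts.add(host)
    return hosts_by_shape, hosts


def score(host, cmdline, baseline, rare_below=0.25):
    """Alert when the shape is new for this host and seen on fewer than
    `rare_below` of all baseline hosts (threshold is a constructed choice)."""
    hosts_by_shape, hosts = baseline
    shape = shape_of(cmdline)
    seen_on = hosts_by_shape.get(shape, set())
    prevalence = len(seen_on) / len(hosts)
    novel_here = host not in seen_on
    return {"host": host, "shape": shape, "prevalence": round(prevalence, 2),
            "seen_on_host": not novel_here,
            "alert": novel_here and prevalence < rare_below}


def triage(events, baseline):
    return [score(h, c, baseline) for h, c in events]


# Constructed historical events: five workstations doing routine things.
BASELINE_EVENTS = [
    ("ws01", r"robocopy.exe C:\Users\alice\Documents \\fs01\home$\alice /MIR /R:2 /W:5"),
    ("ws02", r"robocopy.exe C:\Users\bob\Documents \\fs01\home$\bob /MIR /R:2 /W:5"),
    ("ws03", r"robocopy.exe C:\Users\carol\Documents \\fs01\home$\carol /MIR /R:2 /W:5"),
    ("ws04", r"robocopy.exe C:\Users\dave\Documents \\fs01\home$\dave /MIR /R:2 /W:5"),
    ("ws05", r"robocopy.exe C:\Users\erin\Documents \\fs01\home$\erin /MIR /R:2 /W:5"),
    ("ws01", r"cmd.exe /c dir C:\Users\alice\Downloads"),
    ("ws02", r"cmd.exe /c dir C:\Users\bob\Downloads"),
    ("ws03", r"ftp.exe ftp.corp.example"),
]

# Constructed recent events: two routine, three that look like staging/exfil.
RECENT_EVENTS = [
    ("ws03", r"robocopy.exe C:\Users\carol\Documents \\fs01\home$\carol /MIR /R:2 /W:5"),
    ("ws02", r"robocopy.exe C:\Users\bob\Documents \\10.20.30.40\c$\staging /E /Z /R:1"),
    ("ws04", r"cmd.exe /c net use z: \\srv-fin\finance$ /user:corp\svc_backup"),
    ("ws01", r"ftp.exe -s:C:\Windows\Temp\x.txt 203.0.113.7"),
    ("ws01", r"cmd.exe /c dir C:\Users\alice\Downloads"),
]

if __name__ == "__main__":
    for r in triage(RECENT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("ALERT" if r["alert"] else "ok   ", r["host"], r["prevalence"], r["shape"])
```

The point of the shape reduction is that "robocopy to the home share with /MIR" stays common no matter which user runs it, while "robocopy to an admin share on a bare IP with /E /Z" has a prevalence of zero and trips the alert even though robocopy.exe itself is a perfectly normal binary. Real deployments would add the user, time of day and parent process to the profile and decay old observations, but the structure is the same.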
This brings us to ‘orchestration’—the overall quarterbacking of your environment when analyzing a detection event, responding to an incident, or performing risk hunting. When doing this, we need speed. We need faster OODA loops (observe, orient, decide, act: the fighter-pilot term for a decision cycle, and a good model for a defensive feedback loop). And we have complex environments and various tools and teams that have to synchronize.
Orchestration focuses on people, processes and teams. We need to be organized in this world of continuous response where we are putting out multiple fires. We need to be able to quickly add context about what should be occurring and what particular systems are used for. We need to know more rather than think more during our security investigations. And we cannot afford sloppy processes or missing information.
We also need faster feedback loops. The bad guys move quickly, especially when there are malicious humans at work. But even with malware, it’s often tough to keep up with the dangerous activities being performed. With today’s technology, we need orchestration of our defensive technologies. We need to quickly stop the bleeding. We need to be able to retrieve reputation, classification and attribution information without much (or hopefully any) effort.
We need to be able to disrupt and contain live attacks, and we need to be able to quickly disregard alerts that turn out to be false positives or not urgent. After all, valid alerts are just noise if we cannot appropriately respond to them.
We need orchestration, and more specifically, orchestration through APIs, security engineering, and automation. We need our network, endpoint, data and communications defenses to inform each other, to change analysis weightings based on each other’s current state, and we need to give a human operator quick access to all the data.
We need introspection and retrospection to be quick and painless so we are informed. Remember analytics? We need our systems to work together to tell us if this behavior is normal, how prevalent it is, and what other groups think about it (remember threat intelligence?). As an industry, we’re moving in that direction, but we’re not there yet. I hope we make big strides very soon.
The biggest problem in cyber security is the shortage of people. I believe analytics and orchestration can help to significantly reduce this gap. We have the computing power; let’s put it to good use. Let’s build, create and innovate in the areas of analytics and orchestration.