Last year, an uncovered Snowden document from the US National Intelligence Council warned that the slow deployment of encryption and other technologies is putting government and private computers at risk of cyber attacks. The annual cost of cybercrime to the global economy is estimated at over $400 billion. Encryption is viewed by many experts as the go-to security technology, but data breaches and other attacks continue to rise despite advances in encryption.
Arguing against encryption would be a bit like arguing against locks on doors. Strong encryption is a basic defense against the damage that might flow from a successful attack on information infrastructure. Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it.
Sticking with the locks-on-doors analogy, rational people may also install an alarm system on their doors and windows. At my house, I have deadbolt locks on my doors. I also have an alarm system that warns me if a door or window is opened -- regardless of the time. The locks on my doors and windows serve to protect me from intrusion but I know these systems fail for a variety of reasons. Perhaps I’ve forgotten to lock a window. Perhaps one of my kids decides to sneak out for a rendezvous with friends. Or perhaps someone has actually broken a lock in an attempt to enter. My alarm system alerts me and provides me an opportunity to respond.
A similar analogy can be drawn from home security to national security. Regardless of your political leanings, the features of a strong defense are well understood – secure borders, big guns, and various “walls and moats” strategies. But governments have deployed layered defenses for millennia, which include both physical defenses and intelligence assets that warn them of threats. Spies, intelligence services, and counter-intelligence are all indispensable, integrated components of national security. Their mission is to detect and counteract threats that aren’t necessarily subject to the controls of strong basic defenses.
Encryption, while not a physical defense, is much like other basic defense mechanisms that block access to items of value. Like other basic defenses, it is not foolproof. It can be evaded and undermined, and it is prone to errors in deployment: encryption keys can be lost, stolen, or inadvertently exposed, and a strong algorithm wrapped in a weak protocol or a careless configuration protects very little. Perhaps even more likely is the situation where we believe we’ve encrypted everything, when in fact we’ve encrypted almost everything. Most encrypted data is unencrypted at some point in its usage lifecycle: encryption at rest and in transit ends wherever the data is actually processed, and plaintext copies tend to accumulate in logs, caches, backups, and debugging output. The bad guys are pretty good at finding the one window left open.
Analytics are to encryption what intelligence services are to military defenses. The increasing number, variety, speed, and severity of cyber attacks necessitate a dynamic cyber intelligence posture. In the past, cybersecurity analytics were focused on gathering data about compromises, developing threat “signatures,” and using those signatures to protect against future threats, all comprising another form of defense that served to block an attacker.
Identifying threats in real time
Advanced detection analytics, by contrast, identify emerging threats by recognizing anomalous patterns in real time. Many of these techniques have commercial and technical roots in high-volume network assurance applications (e.g., telecommunications) and in financial fraud detection (e.g., banks and insurers). Many vendors label their signature-based detection methods “analytics,” but those analytics are largely static, built to block known threats, and therefore belong in the category of basic defenses: a signature can only match an attack someone has already seen and described.
What differentiates the emerging field of detection analytics from these basic defenses (including physical security, firewalls, encryption, and signature-based detection methods) is that advanced detection analytics are focused on finding anything unusual or threatening that gets by your basic defenses. And since we brought Snowden into this already, let’s include those threats that emerge from the inside.
Big data stores and emerging forensic tools can be a critical aid in unwinding complex attacks and data exfiltration schemes. But at the forefront of cyber threat detection analytics are real-time streaming analytics applied to data flow within the network, and the profiling of entities (e.g., sensors, devices, servers, routers, and human actors) engaged in network communications. With the help of machine learning, organizations can harvest actionable behavioral analytic insights from huge streams of data traffic in two ways:
- Self-calibrating models continuously re-estimate each monitored entity’s normal traffic behavior, and score every new observation by how far it deviates from that entity’s own baseline rather than from a global rule.
- Self-learning analytics improve with each resolved alert, capturing the judgment of human security analysts as they work cases so that the same call does not have to be made by hand twice.
Building an ever-clearer picture of the typical behavior of individual entities, these two approaches enable streaming analytics to identify threats more accurately. They also help reduce false positives, a huge problem when many large organizations are currently sorting through hundreds of thousands of alerts each day. And most importantly, these technologies work in real time, providing the ability to sense and respond to the most egregious threats as they happen, and before significant damage is done.
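To make the two mechanisms above concrete (per-entity self-calibrating baselines with anomaly scoring, and analyst feedback that feeds back into the model, in contrast to the static signature matching described earlier), here is an added illustration. It is not code from the original article or from any vendor the article alludes to. It assumes a deliberately simple design: one feature per entity (bytes sent per interval), an exponentially weighted moving mean and variance as the entity’s baseline, a z-score as the anomaly score, and two hypothetical feedback rules, a benign verdict loosens that entity’s threshold and folds the observation into its baseline, a malicious verdict tightens the threshold. The flow records, entity names and thresholds are constructed for the example.

```python
"""Self-calibrating, self-learning anomaly scoring over a stream of flow records.

Added illustration, not the page's or any vendor's code. Hypothetical design:
one feature per entity (bytes sent per interval), an exponentially weighted
moving mean/variance as the entity's baseline, a z-score as the anomaly score,
and analyst feedback that adjusts the entity's alert threshold and baseline.
"""
from dataclasses import dataclass
from math import sqrt

WARMUP = 5            # observations an entity needs before it can raise alerts
ALPHA = 0.1           # weight of the newest observation in the moving baseline
BASE_THRESHOLD = 4.0  # |z-score| at which an observation becomes an alert
MIN_STD = 1.0         # floor so an entity with constant traffic cannot yield infinite z


@dataclass
class EntityProfile:
    """Running baseline of one monitored entity (host, user, device, ...)."""
    n: int = 0
    mean: float = 0.0
    var: float = 0.0
    threshold: float = BASE_THRESHOLD

    def score(self, x: float) -> float:
        """Z-score of x against this entity's own baseline (0.0 while warming up)."""
        if self.n < WARMUP:
            return 0.0
        return (x - self.mean) / max(sqrt(self.var), MIN_STD)

    def update(self, x: float) -> None:
        """Fold x into the baseline (exponentially weighted mean and variance)."""
        if self.n == 0:
            self.mean, self.var = x, 0.0
        else:
            diff = x - self.mean
            self.mean += ALPHA * diff
            self.var = (1 - ALPHA) * (self.var + ALPHA * diff * diff)
        self.n += 1


class StreamingDetector:
    def __init__(self) -> None:
        self.profiles: dict[str, EntityProfile] = {}
        self.alerts: list[dict] = []

    def observe(self, entity: str, ts: int, value: float):
        """Score one observation against the entity's baseline; return an alert or None."""
        p = self.profiles.setdefault(entity, EntityProfile())
        z = p.score(value)
        if abs(z) >= p.threshold:
            alert = {"id": len(self.alerts), "entity": entity, "ts": ts,
                     "value": value, "z": round(z, 2)}
            self.alerts.append(alert)
            return alert  # anomalies are not learned until an analyst rules on them
        p.update(value)   # only traffic judged normal shapes the baseline
        return None

    def resolve(self, alert_id: int, malicious: bool) -> None:
        """Analyst feedback: a malicious verdict tightens the entity's threshold,
        a benign verdict loosens it and teaches the baseline that the traffic is normal."""
        a = self.alerts[alert_id]
        p = self.profiles[a["entity"]]
        if malicious:
            p.threshold = max(2.0, p.threshold - 0.5)
        else:
            p.threshold += 0.5
            p.update(a["value"])


# Constructed sample input: bytes sent per 5-minute interval for two entities.
DB_SERVER = [50000, 51000, 49000, 50500, 49500, 50200, 49800, 50300, 49700, 50100, 2_000_000]
LAPTOP = [200000, 800000, 50000, 1_200_000, 300000, 900000, 150000, 30_000_000, 30_000_000]


def run_demo() -> StreamingDetector:
    det = StreamingDetector()
    # Laptop: noisy but normal for seven intervals, then a 30 MB burst.
    laptop_alert = None
    for t, v in enumerate(LAPTOP[:8]):
        laptop_alert = det.observe("laptop-alice", t, v) or laptop_alert
    # The analyst finds the burst is the nightly backup job: benign.
    det.resolve(laptop_alert["id"], malicious=False)
    det.observe("laptop-alice", 8, LAPTOP[8])  # same burst again, now inside the adjusted baseline
    # Database server: steady ~50 KB per interval, then a 2 MB burst (exfiltration-like).
    db_alert = None
    for t, v in enumerate(DB_SERVER):
        db_alert = det.observe("srv-db-01", t, v) or db_alert
    det.resolve(db_alert["id"], malicious=True)
    return det


if __name__ == "__main__":
    for a in run_demo().alerts:
        print(a)
```

Two design choices carry the argument of the passage: the same 2 MB burst that is wildly anomalous for the steady database server would not be flagged for the noisy laptop, because each entity is scored against its own history; and an anomaly is withheld from the baseline until an analyst rules on it, so a live exfiltration does not quietly become "normal" over the next few intervals. A production system would profile several features at once, age out stale baselines, and give new entities a peer-group prior instead of a blind warm-up period.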
It’s worth noting that these analytic approaches are tried and tested. Many of the underlying technologies, including the AI/machine learning analytics, have been protecting most of the world’s credit cards for years. The fraud teams at card issuers use these systems not only to detect fraud, but to set the level of risk that triggers investigation or card blocking, in order to balance loss prevention with a positive customer experience. Moreover, these fraud systems do not require issuers to hire armies of analytic techies. By crunching data to prioritize the biggest threats, they simplify the lives of fraud professionals, and the same would hold true in information security.
While encryption and other basic defense approaches will always have their place in security strategies, encryption alone does not prevent attackers from stealing data. Adding advanced analytic techniques to the cybersecurity portfolio complements encryption and can close the gaps it (and signature-based security) leaves open, by detecting emerging and evolving attack patterns in real time. As a best practice, companies must advance beyond basic defenses and enhance their security posture with the analytic equivalent of an effective intelligence service. It’s time to bolster our walls and moats with spies and intelligence.