Thwart security adversaries with real-time data observation

March 6, 2024
Author:Jeff Aboud
person using computer on table

Thwart security adversaries with real-time data observation

As the old adage goes, the only certainties in life are death and taxes. Yet for cybersecurity leaders, there’s another certainty to add to this list; security events. Our networks are inundated with them every day. The specific actor, vector, technique, and goal may change, but security events, as a whole, are omnipresent.

The ability to rapidly detect these security threats ― with enough actionable intelligence to immediately initiate an appropriate response ― is the greatest challenge security leaders face. The problem is, our world is becoming so inundated with data that it’s increasingly difficult to distinguish between what’s important and what’s simply “noise”. With a current volume of approximately 120 zettabytes globally and growing quickly, organizations of all sizes are getting buried with data. Of course, about a third of this data has no value, whatsoever, because it’s redundant, malformed, incomplete, etc.

Whether or not it has any value, all of that data is traversing your network creating “noise”; you need to cut through that noise, to gain insights from the data that does have value. Think of it this way; if you had an adversary in the physical world who had just broken into your house, but now he’s blended into a large crowd, walking amongst them and wearing similar clothes. To find him, you’ll need to get through the crowd, assessing each individual as you go. I’m sure you can imagine how arduous a task that would be; and while you’re doing this, the culprit is actually getting away with your valuables!

It’s very similar in the digital world. While you’re digging through your data to determine what’s going on, the adversary continues to conduct malicious activities, whether it’s exfiltration of critical data, lateral movement and privilege escalation, denial of service, or countless other attacks. So, it’s absolutely essential to cut through the noise and determine what’s going on as quickly as possible, so that you can thwart the adversary’s activities ― preferably before he even gets started.

So, how do you do this? How do you cut through all of that noise to find what’s really important? Since there’s no way a human being can do it in any sort of reasonable timeframe, it will obviously require a high degree of automation. This is where data orchestration platforms have come into play, to remove (or set aside in long-term storage, if the data is needed later for compliance purposes) the data that delivers absolutely no value, whatsoever. They also enrich, normalize, and optimize the data to make disparate data types work together and therefore make the entire dataset more valuable.

But it’s important to emphasize that most data observation and orchestration platforms really only deliver a partial solution. While they certainly help reduce the noise and make the data more actionable, most of them also add network latency, since now there’s an additional layer of analysis for the data to undergo, prior to reaching the analytics platform for assessment. That’s because most of them haven’t been architected to discover and alert on potential issues in real time.

To get ahead of these adversaries and put a stop to their malicious activities in real time, you need an observation and orchestration platform that collects data down at the device level, as close as possible to where the data is being produced, and well in front of your analytics platforms. It must also be able to collect and observe data across every aspect of your hybrid network ― with a single product. If one product collects data from physical, on-premises assets and another collects it from cloud-based devices, the platform won’t be capable of observing all of your data together, and will therefore lack context. This, of course, can lead to it missing potential issues or arriving at faulty conclusions. But a platform that collects and observes data from across your hybrid network to unify your data and observe it as a single dataset, all in pure time, has the unique ability to immediately detect potential security risks and send you alerts in real-time ― therefore buying you the precious time you need to take decisive action and get ahead of the security event, so you can stop it before it becomes a major issue.

So while a data observation and orchestration platform can certainly help reduce the data with no value, what you really need is a solution that goes the next step and helps you gain deep insights in pure real-time. It’s not enough to simply see the data better; when battling adversaries, speed and accuracy are always going to be your greatest assets.