Is Continuous Security Monitoring Critical to Stopping Malicious Activity?

Today you are likely to have between 5 and 9 protective defenses on your network. These typically include host AV, NGFW, IPS, web and email gateways, DLP, SIEM, and web application firewalls. While these defenses provide protection against known threats and bad destinations and communications, advanced threats and targeted attacks evade them to the benefit of cybercrime.

Case in point: forensic research notes that a persistent threat can infect within minutes, hours or a day in over 80% of cases reviewed. On the detection side, however, these infections and compromised systems are detected only after weeks, months and even years in nearly 80% of cases. This gap is too wide, with the 2013 average being 243 days according to Mandiant. Allowing a cyber exploit to operate undetected inside your network for several hundred days is not a good thing.

The future of security defenses is post-protection analysis to detect who, where, how and what data has been impacted by malicious activity. Even with 9 or more protective defenses lined up as a secure perimeter around your network, attacks will get inside and go undetected. To augment these traditional defenses, continuous monitoring cycles using critical security controls and analysis of logs and network traffic seek to detect probable malicious events and anomalies to shorten the time between infection and detection.

A mid-sized company can produce nearly 1 TB of logs per day, far too much for humans to analyze, and this data must be normalized into a common schema before aggregation makes it useful, so an economy of scale is required for success. While a DIY approach is common within IT, this problem is beyond most IT departments’ skill sets, time and resources. A shared platform and architecture provided as a service solves the availability and affordability issues.
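As an added illustration of the normalization and continuous-monitoring cycle described above (this is example code, not from the original post or any product it mentions): two constructed log formats, a firewall and a host AV agent, are mapped onto one schema, a simple off-hours repeat-connection rule flags probable anomalies, and the dwell time between the first anomaly and the first AV detection is measured per host. The vendor formats, hostnames and IP addresses are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in two made-up vendor formats (firewall, host AV).
RAW_LOGS = [
    "2013-03-01T08:02:11Z fw01 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443",
    "Mar 01 2013 08:05:03 av01 host=ws-0422 ip=10.1.4.22 event=scan result=clean",
    "2013-03-01T23:02:40Z fw01 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443",
    "2013-03-02T03:10:00Z fw01 ALLOW src=10.1.4.22 dst=203.0.113.9 dport=443",
    "2013-03-02T09:00:00Z fw01 ALLOW src=10.1.4.31 dst=198.51.100.7 dport=80",
    "Mar 10 2013 14:22:30 av01 host=ws-0422 ip=10.1.4.22 event=detect result=quarantined",
]

FW_RE = re.compile(r"^(?P<ts>\S+) fw\d+ (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AV_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) av\d+ host=\S+ ip=(?P<src>\S+) event=(?P<event>\w+) result=\w+$")

def normalize(line):
    """Map one raw line onto the common schema {ts, src, kind, target}; None if unknown."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "src": m["src"], "kind": "conn", "target": f'{m["dst"]}:{m["dport"]}'}
    m = AV_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "src": m["src"], "kind": m["event"], "target": None}
    return None  # unknown format: the caller should count these, never silently drop them

def find_repeat_offhours(events, min_hits=2):
    """Anomaly rule: same host to same target repeatedly outside 08:00-18:00 UTC."""
    hits = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and not 8 <= e["ts"].hour < 18:
            hits[(e["src"], e["target"])].append(e["ts"])
    return {k: min(v) for k, v in hits.items() if len(v) >= min_hits}

def dwell_days(events, anomalies):
    """Days from the first anomalous connection to the first AV detection, per host."""
    first_detect = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "detect":
            first_detect.setdefault(e["src"], e["ts"])
    return {src: (first_detect[src] - seen).total_seconds() / 86400
            for (src, _), seen in anomalies.items() if src in first_detect}

def run(lines=RAW_LOGS):
    events = [e for e in map(normalize, lines) if e]
    anomalies = find_repeat_offhours(events)
    return anomalies, dwell_days(events, anomalies)
```

On the constructed data the rule flags 10.1.4.22 on the night of 1 March, while the AV agent only quarantines on 10 March, so the measured dwell time is about 8.6 days; shrinking that number is the point of running the cycle continuously.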

The human factor also becomes more important in the future of security defenses. Visualizations and views that expose possible malicious events let the human eye assess a situation faster and more effectively than anything we can program computers to do today. The future of security aggregates logs and network traffic into visualizations and views that security engineers can quickly assess in continuous monitoring cycles.

What do you think? Is continuous security monitoring critical to keep ahead of network threats? Are you doing it now?
