In a world of more sophisticated threats, a dispersed workforce, and greater demands on their time, cybersecurity leaders must identify what comes after zero trust, security orchestration, and other practices that help organizations remain resilient in the face of rising attacks.
While there are no panaceas, experts say emerging technologies and operational practices can tilt the playing field in their direction. We asked several security experts to weigh in on the cybersecurity technologies they believe will matter most in the coming years, and the critical challenges they’re expected to solve.
The common theme across these conversations is a set of tools and strategies that addresses cybersecurity as a data challenge.
“Security has always been an asymmetric game that favored the attacker, because all they had to do was make one little change from known patterns,” says Santosh Krishnan, general manager for security, Elastic. “But by utilizing and analyzing data from more sources, we can detect attacks we’ve never seen before and give the advantage back to the good guys.”
The data analytics-driven SIEM
For more than a decade, big companies have used security information and event management (SIEM) systems to keep track of security-related data and alerts, in part to satisfy compliance requirements. They remain a key investment for cybersecurity teams, says Krishnan, because they maintain a “single source of truth” of cyber-related activity. But CISOs should also use SIEMs more proactively, adds Krishnan. A modern SIEM built on powerful data tooling lets analysts spot suspicious anomalies as they occur, rather than after the fact.
“The name of the game now is data analytics,” says Krishnan. “The SIEMs of the future need to be customizable, scalable, and fast. They need to be able to observe and protect across every system, every workload, whether they are on-premises or on the cloud.”
A wider view of the attack surface: XDR
For the past decade, the state of the art in cybersecurity was to have disparate systems in place to shut down obvious entry points for attackers. Companies used endpoint detection and response (EDR) platforms to secure employees’ devices, network security systems to secure the corporate network itself, and other systems for monitoring cloud applications, storage systems, and the like.
While this fragmented approach worked in the past, it doesn’t work efficiently enough against today’s increasingly sophisticated attacks, such as an attacker pushing the same malicious payload through several channels at once. Even if EDR flags a file it recognizes as malicious on a laptop, the same payload may well slip through another channel outside the purview of EDR. Conversely, an EDR often operates without the benefit of telemetry collected by other systems.
That’s where extended detection and response (XDR) platforms come in. They expand the capabilities of both SIEM and EDR by gathering data from a broader set of IT systems, including endpoints, email, identity providers, cloud applications, and mobile devices. Then, with the help of machine learning models to crunch all that data, XDR tools correlate events across those sources and coordinate the response actions each of the underlying systems can take.
“Many of today’s attacks are specifically designed to evade the siloed detection and response capabilities most companies have today,” says Krishnan. “By bringing together all those disparate data sources and using big data analytics backed by machine learning, an XDR can find correlations that used to slip through blind spots. You’re not limited to looking for known attacks, or attacks through the lens of a single IT system, but you have a better chance to find any anomalous behavior using data from across the entire organization.”
“XDR does a good job of breaking up silos,” says Javvad Malik, lead security awareness advocate at KnowBe4, a platform for security-awareness training. “It brings security intelligence that hasn’t really come to many organizations.”
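The cross-source correlation described above, as an added example that is not code from the article or from any vendor it names. It joins three constructed telemetry feeds (an email gateway, an EDR alert stream and a cloud identity provider's sign-in log) on user and host within a time window. Each feed on its own shows a low-priority or benign-looking event; joined, they describe one chain: phishing lure, Office spawning PowerShell, then a risky cloud sign-in. All event records, field names and the scoring weights are assumptions for illustration, not any product's schema.

```python
"""Cross-source correlation of the kind an XDR platform performs.

Added example, not from the article or any vendor named in it. All events
are constructed; field names, the 15-minute window, the "org is US-only"
geo rule and the score weights are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry from three siloed sources.
EMAIL_GATEWAY = [
    {"ts": "2024-03-04T09:02:11", "user": "jdoe", "host": "LAPTOP-17",
     "subject": "Invoice overdue", "attachment": "invoice.xlsm", "verdict": "delivered"},
    {"ts": "2024-03-04T09:05:40", "user": "asmith", "host": "LAPTOP-22",
     "subject": "Team lunch", "attachment": None, "verdict": "delivered"},
]
EDR_ALERTS = [
    # Office spawning a shell is noisy on its own; many EDRs rate it low.
    {"ts": "2024-03-04T09:04:03", "host": "LAPTOP-17", "user": "jdoe",
     "alert": "office_child_process", "process": "EXCEL.EXE -> powershell.exe",
     "severity": "low"},
    # Same alert type on a build server with no corroborating context.
    {"ts": "2024-03-04T14:30:00", "host": "SRV-BUILD-01", "user": "svc_ci",
     "alert": "office_child_process", "process": "WINWORD.EXE -> cmd.exe",
     "severity": "low"},
]
IDP_SIGNINS = [
    {"ts": "2024-03-04T09:07:55", "user": "jdoe", "ip": "203.0.113.9",
     "geo": "RO", "mfa": False, "result": "success"},
    {"ts": "2024-03-04T09:10:02", "user": "asmith", "ip": "198.51.100.4",
     "geo": "US", "mfa": True, "result": "success"},
]

WINDOW = timedelta(minutes=15)   # assumption: how close in time events must be
HOME_GEO = "US"                  # assumption: the organisation only signs in from the US


def _t(event):
    """Parse the ISO-8601 timestamp every source carries."""
    return datetime.fromisoformat(event["ts"])


def correlate(email_events, edr_events, idp_events, window=WINDOW):
    """Pivot on each EDR alert and look for the stages around it.

    Stage 1 (before the alert): a delivered attachment to the same user/host.
    Stage 3 (after the alert):  a successful sign-in for the same user that
                                lacks MFA or comes from outside HOME_GEO.
    Returns one incident per alert that gains at least one corroborating stage;
    an alert with no context keeps its siloed 'low' rating and is not emitted.
    """
    incidents = []
    for alert in edr_events:
        t_alert = _t(alert)
        lures = [e for e in email_events
                 if e["user"] == alert["user"] and e["host"] == alert["host"]
                 and e["attachment"] and e["verdict"] == "delivered"
                 and timedelta(0) <= (t_alert - _t(e)) <= window]
        signins = [s for s in idp_events
                   if s["user"] == alert["user"] and s["result"] == "success"
                   and (not s["mfa"] or s["geo"] != HOME_GEO)
                   and timedelta(0) <= (_t(s) - t_alert) <= window]
        # Additive score: the lone EDR alert is worth 1, each joined stage adds more.
        score = 1 + 2 * bool(lures) + 3 * bool(signins)
        if score > 1:
            incidents.append({
                "user": alert["user"], "host": alert["host"], "score": score,
                "chain": [e["attachment"] for e in lures]
                         + [alert["process"]]
                         + [f"signin from {s['ip']} ({s['geo']})" for s in signins],
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(EMAIL_GATEWAY, EDR_ALERTS, IDP_SIGNINS):
        print(inc)
```

Run stand-alone it emits a single incident for jdoe/LAPTOP-17 with score 6 and the three-step chain; the svc_ci alert, identical in type, is left at its siloed severity because nothing else in the window corroborates it.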
Using AI to counter insider threats
People inside organizations continue to pose the biggest security risks, whether succumbing to phishing attacks or maliciously compromising confidential information. And sometimes the insider isn’t a person, but a hijacked server.
That’s one problem that user and entity behavior analytics (UEBA) software was designed to solve. It uses machine learning to build a baseline of the normal actions of a person or a machine, flags behavior that deviates from that baseline in ways that might indicate an attack, and alerts security teams.
“You can narrow down the repetitive activities that users perform every day, and use machine learning to predict their routines,” says Don Cox, CISO for American Public Education, a provider of higher education programs and services.
“With that daily information, UEBA solutions can alert you that an HR person is accessing a folder marked ‘Finance,’ and ask you whether they should do that.”
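The baseline-and-deviation logic described above, including the HR-user-in-Finance case, as an added example that is not code from the article or from any vendor it names. It learns, per entity, which file-share paths and which hours of the day are normal, and per department which paths its members collectively use, then scores new accesses against those baselines. A service account is treated as an entity in exactly the same way, which is how the “hijacked server” case surfaces. The access log, entity and path names, and the score weights are all constructed assumptions; a real UEBA product would use many more features and a statistical rather than a set-based model.

```python
"""Per-entity behavioural baseline of the kind UEBA tools build.

Added example, not from the article or any vendor it names. The access log
is constructed; score weights, the +/-1 hour tolerance and the alert
threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (timestamp, entity, department, resource) for a "normal" week.
HISTORY = [
    ("2024-02-26T09:10:00", "hr_anna", "HR", "HR/Onboarding"),
    ("2024-02-26T11:30:00", "hr_anna", "HR", "HR/Payroll-Queries"),
    ("2024-02-27T10:05:00", "hr_anna", "HR", "HR/Onboarding"),
    ("2024-02-28T15:40:00", "hr_anna", "HR", "HR/Onboarding"),
    ("2024-02-26T09:00:00", "fin_bob", "Finance", "Finance/Q1-Close"),
    ("2024-02-27T09:20:00", "fin_bob", "Finance", "Finance/Q1-Close"),
    ("2024-02-28T14:00:00", "fin_bob", "Finance", "Finance/Forecast"),
    ("2024-02-27T10:00:00", "fin_cat", "Finance", "Finance/Forecast"),
    # A service account is an entity too: the nightly backup job runs at 02:00.
    ("2024-02-26T02:00:00", "svc_backup", "Infra", "Backups/Nightly"),
    ("2024-02-27T02:00:00", "svc_backup", "Infra", "Backups/Nightly"),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("2024-03-04T10:15:00", "hr_anna", "HR", "Finance/Q1-Close"),        # HR user in Finance
    ("2024-03-04T10:00:00", "hr_anna", "HR", "HR/Payroll-Queries"),      # routine
    ("2024-03-04T02:30:00", "fin_bob", "Finance", "Finance/Forecast"),   # right share, odd hour
    ("2024-03-04T10:00:00", "fin_cat", "Finance", "Finance/Q1-Close"),   # new to her, normal for peers
    ("2024-03-04T02:05:00", "svc_backup", "Infra", "HR/Onboarding"),     # backup account reading HR
]


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def build_baselines(history):
    """Learn per-entity resources and active hours, and per-department resources."""
    entity_res, entity_hours, dept_res = defaultdict(set), defaultdict(set), defaultdict(set)
    for ts, entity, dept, resource in history:
        entity_res[entity].add(resource)
        entity_hours[entity].add(_hour(ts))
        dept_res[dept].add(resource)
    return entity_res, entity_hours, dept_res


def score_event(baselines, event):
    """Score one access against the baselines; returns (score, reasons)."""
    entity_res, entity_hours, dept_res = baselines
    ts, entity, dept, resource = event
    score, reasons = 0, []
    if resource not in entity_res[entity]:
        if resource not in dept_res[dept]:
            # Unseen for this entity AND for its peers: strongest signal.
            score += 3
            reasons.append(f"{resource} never used by {entity} or by {dept}")
        else:
            # Unseen for this entity but normal for the department: weak signal.
            score += 1
            reasons.append(f"{resource} new for {entity} but used by {dept} peers")
    hour = _hour(ts)
    allowed = {h + d for h in entity_hours[entity] for d in (-1, 0, 1)}  # +/-1h tolerance
    if hour not in allowed:
        score += 2
        reasons.append(f"access at {hour:02d}:xx outside usual hours {sorted(entity_hours[entity])}")
    return score, reasons


def triage(history, events, threshold=3):
    """Return the events that would be surfaced to an analyst."""
    baselines = build_baselines(history)
    alerts = []
    for ev in events:
        score, reasons = score_event(baselines, ev)
        if score >= threshold:
            alerts.append({"entity": ev[1], "resource": ev[3], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(HISTORY, NEW_EVENTS):
        print(alert)
```

With these inputs only two events cross the threshold: the HR user reading a Finance share, and the backup service account reading an HR share. The odd-hour access by fin_bob and fin_cat's first visit to a share her peers already use score lower; whether such events deserve an analyst's attention is exactly the threshold decision Cox describes.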