The massive data breach of US retailer Target was a wake-up call for senior business executives who had too often been disengaged from cybersecurity issues, but surging ransomware attacks are focusing CxOs' attention on the need for automated analytics tools that detect security breaches as they happen - rather than months later, or not at all.
Forensic examinations of major data breaches invariably show a string of telltale signs that might have triggered alarms, and the suspicions of security specialists, had they not been buried in an avalanche of security logging information that is overwhelming even the most determined security staff.
One large US customer, for example, relies on security vendor LogRhythm to collect and sift through what amounts to around 4 billion security logs and other information every day. Even with aggressive filtering of information in near real-time, however, this volume of information still produces 10,000 to 20,000 action items that need investigation.
For even moderately sized businesses, this is the reality of security monitoring tools that have gotten better at collecting data but are still struggling to reduce it to a manageable size. This has fueled a stubborn gap between the time a security incident occurs and the time it is detected - often many months later, after mountains of sensitive data have been surreptitiously stolen.
It is in filtering these 10,000 to 20,000 items down to a manageable size that threat-analytics firms like LogRhythm have emerged as lifesavers for corporate IT-security teams that have been struggling to keep up. By applying intelligent algorithms that cross-correlate collected data logs, the company's tools help filter that volume of alerts down to a manageable number.
"By corroborating those alarms with additional algorithms that take multiple dimensions into consideration and risk-score them, we produce about 50 actionable alerts every day," explains Bill Smith, senior vice president of worldwide field operations with LogRhythm.
"Because we're able to bounce it against more things, we can bring it down to a reasonable level. Fifty alerts a day is no problem to handle when you're a Fortune 500 company."
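The two-stage approach described above (noisy single-source rules, then corroboration across several dimensions with a risk score) can be shown in a small Python sketch. This is an added illustration and not LogRhythm's code; the article does not describe its algorithms in detail, so the rules, the 30-minute window, the weights and the actionable threshold are all assumptions chosen for the example, and the log events are constructed. The point it demonstrates is that a burst of alerts from a single data source stays low-risk, while weaker signals that agree across authentication, endpoint and network telemetry on the same host are promoted to one actionable incident.

```python
"""Toy alert corroboration and risk scoring over constructed log events.

Added illustration only: not LogRhythm's code, and every rule, weight,
window and threshold below is an assumption made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # corroboration window per host (assumed)
ACTIONABLE_THRESHOLD = 20        # risk score at which an analyst is paged (assumed)

# Constructed sample events: (timestamp, dimension, host, user, message).
# The "dimension" stands in for the independent data source a SIEM collects from.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", "auth", "ws-17", "alice", "failed login"),
    ("2024-03-01T09:00:40", "auth", "ws-17", "alice", "successful login"),
    ("2024-03-01T09:05:00", "network", "ws-17", "alice", "outbound transfer 15 MB"),
    ("2024-03-01T09:10:00", "auth", "ws-42", "bob", "failed login"),
    ("2024-03-01T09:10:05", "auth", "ws-42", "bob", "failed login"),
    ("2024-03-01T09:10:09", "auth", "ws-42", "bob", "failed login"),
    ("2024-03-01T09:10:14", "auth", "ws-42", "bob", "failed login"),
    ("2024-03-01T09:10:18", "auth", "ws-42", "bob", "failed login"),
    ("2024-03-01T09:10:30", "auth", "ws-42", "bob", "successful login from new country"),
    ("2024-03-01T09:12:00", "endpoint", "ws-42", "bob", "file modification rate 900/min"),
    ("2024-03-01T09:14:00", "network", "ws-42", "bob", "outbound transfer 2100 MB"),
    # A nightly backup job also touches many files; on its own this is noise.
    ("2024-03-01T13:00:00", "endpoint", "srv-03", "svc-backup", "file modification rate 1200/min"),
]


def single_source_alerts(events):
    """First pass: per-event rules, one data source at a time. This is the noisy
    stage that yields the thousands of raw action items the article describes."""
    alerts = []
    for ts, dim, host, user, msg in events:
        weight, label = None, None
        if msg == "failed login":
            weight, label = 1, "failed login"
        elif msg.startswith("successful login from new country"):
            weight, label = 4, "login from new country"
        elif (m := re.match(r"file modification rate (\d+)/min", msg)) and int(m.group(1)) >= 500:
            weight, label = 5, "mass file modification"
        elif (m := re.match(r"outbound transfer (\d+) MB", msg)) and int(m.group(1)) >= 1000:
            weight, label = 5, "large outbound transfer"
        if weight is not None:
            alerts.append({"time": datetime.fromisoformat(ts), "dim": dim, "host": host,
                           "user": user, "weight": weight, "label": label})
    return alerts


def corroborate(alerts):
    """Second pass: cluster alerts per host inside WINDOW, then risk-score each
    cluster as (sum of weights) x (number of distinct dimensions). Agreement
    between independent sources is rewarded; a burst from one source stays low."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        cluster = []
        for a in host_alerts + [None]:          # None is a sentinel that flushes the last cluster
            if cluster and (a is None or a["time"] - cluster[0]["time"] > WINDOW):
                dims = {c["dim"] for c in cluster}
                risk = sum(c["weight"] for c in cluster) * len(dims)
                incidents.append({"host": host, "start": cluster[0]["time"],
                                  "dimensions": sorted(dims),
                                  "labels": sorted({c["label"] for c in cluster}),
                                  "risk": risk, "actionable": risk >= ACTIONABLE_THRESHOLD})
                cluster = []
            if a is not None:
                cluster.append(a)
    return incidents


def triage(events):
    """Run both passes and report how far the raw alert volume was reduced."""
    alerts = single_source_alerts(events)
    incidents = corroborate(alerts)
    actionable = [i for i in incidents if i["actionable"]]
    return {"raw_alerts": len(alerts), "incidents": len(incidents), "actionable": actionable}


if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS)
    print(f"{r['raw_alerts']} raw alerts -> {r['incidents']} clusters -> {len(r['actionable'])} actionable")
    for inc in r["actionable"]:
        print(inc["host"], inc["risk"], inc["dimensions"], inc["labels"])
```

On the constructed input, ten raw alerts collapse to three per-host clusters, of which only the workstation showing a credential-guessing burst, a login from a new country, mass file modification and a large outbound transfer crosses the threshold; the backup server's file-modification spike fires a raw alert but, standing alone in one dimension, never reaches an analyst.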
Breaking the ransomware attack chain
Such detection mechanisms have become a front-line defence in the fight against advanced persistent threats (APTs) - which quietly infiltrate a company network and may download the actual malware threat later, once they have run extensive reconnaissance on the network and established a beachhead from which to exploit it.
Yet with the right processes, real-time analysis is also proving promising against the malware threat that has emerged as the most insidious problem facing corporate networks today: ransomware.
Due both to the success its purveyors have enjoyed and the availability of increasingly effective ransomware kits, this type of attack - which encrypts a victim's files until a fee is paid to unlock them - has become far and away the most common threat facing businesses this year.