Automated tools, big data use in security 'limited'
Automated security tools and big data can only help to sieve out regular and linear attacks, and are relatively ineffective against human-led attacks by sophisticated cybercriminals. They are also unable to match human analysis on threat data.
According to Gavin Reid, manager of Cisco Security Incidents and Response Team (CSIRT), automated security tools and big data are still commonly used in the detection of security incidents and cyberthreats in company networks.
Automated tools which include Web proxies, antivirus and firewalls can detect basic malware threats such as spam and drive-by-downloads which many people out there face, Reid told ZDNet Asia in an interview here Tuesday.
Big data, has also been increasingly used to detect security incidents and gain a broader understanding such as what the different hosts are doing and comparing historical records, he added.
However, they have "limited usage" and are ineffective against advanced cybercriminals who have proliferated across the world, Reid remarked.
Automated security cannot detect human-led attacks by hacktivists and sophisticated cybercriminals, Reid pointed out. These attacks, such as advanced persistent threats (APTs) are often stealthy and good at hiding within a company's network, he explained.
Similarly, the analysis of big data can only be applied to linear-styled attacks, he added.
For instance, detection of denial-of-service (DoS) attacks is linear because there is a sudden spike in bandwidth within the network and this is easy to find, he noted. Another example is credit card fraud, where the pattern of a user's credit card usage is predicable, he added.
Many companies have had the "best and most expensive tools" and large investments in data mining, but still have their network compromised or attacked, Reid warned.
Don't rely too heavily on tools
He also noted automated security tools and big data cannot be used to replace humans because such computerized instruments cannot understand and react well to what humans do to a network, or "do better than them".
"[Only] a human [can] figure what another human is going to do," he said.
However, he maintained such tools are still necessary, but are "not the overall picture". They have aided security professionals to preserve basic security and gain a complete understanding of the network but should not be used solely to detect anomalies in a network infrastructure.
Having automated tools on your network are better than having none at all, because they are able to detect basic attacks that hackers such as worms, Reid added.
"Automated tools and big data can extend your reach and simplify your workload but they can never replace the way humans think," he said. "They can only make your job easier."
Along with automated tools, there must be people or computer emergency response teams to investigate threats, analyze the data mined and have the ability to pick out what is normal, he advised.