Firms are focusing security efforts in the wrong place, putting everything into blocking criminals instead of doing more to spot them once they've broken in, according to HP's head of security.
Research suggests 86 percent of security spend goes on keeping hackers at bay, according to Art Gilliland, HP senior VP and general manager of enterprise security products. But intruders spend on average 416 days inside a company's computers before being detected.
"So for over a year these bad guys are inside and the systems that [companies] had in place weren't able to find them. In the end they didn't even find them themselves; 94 percent of the time somebody else has told them," Gilliland said.
"It's relatively complicated to get these folks out because you didn't see them in the first place. You don't know where they are. You try to build the bridge back from the data that you know they've stolen but where else are they? What other places are they hiding? In the research we did recently it takes 71 percent longer today than it did two years ago to get these guys out," he said.
Stages in the breach process
According to Gilliland, the answer is to stop allocating all the organisation's resources to blocking and start building capabilities in other stages of the breach process.
"You need to think about each of the stages of that breach as a place where you need to build your defences. The area where I think we have most promise in the short term is in finding the adversary after they've broken in but before they've stolen data," he said.
The breach process can be broken down into five distinct phases in a chain originally devised by Lockheed Martin, according to Gilliland. The first stage is research, when the would-be intruders study systems and staff, a process made far easier by employees' fondness for Facebook.
Stage two is infiltration — when the criminals break in — followed by the third phase, known as discovery, which involves mapping the internal environment to survey systems and identify the location of the most sensitive data. The fourth step is capture.
"High 90 percent of the time it's intellectual property or customer data or some sort of information. We are obviously seeing physical destruction as well but it's pretty rare — I can think of three times in the past five to 10 years. It's Stuxnet, it's Flame, it's those kinds of technologies — usually more cyber-war types of technologies, not the typical crime," Gilliland said.
Finally comes exfiltration. "That's the fancy military term for 'Get the data out of there'. That can be electronic, encrypt it and send it out through port 43 and SSL communication — that's hard to see. Or if I know that the marketing group has really cool customer data, I break in and steal a bunch of laptops," he said.
By concentrating security investment in the second stage of the breach chain, organisations have inevitably left themselves vulnerable, particularly in the vital third phase before the intruder has stolen anything.
"If you look at the breaches today, they are typically compromising user credentials. They steal my passwords and then they look like me. So you actually want to be able to find weird behaviour," Gilliland said.
"There's a profile I follow and if my behaviour goes outside two standard deviations from that normal behaviour, you should probably investigate that."
Tools developed for big-data analysis come into their own in this role, according to Gilliland.
"In security we've been doing big data for a very long time. We just didn't have the new tools. Building columnar databases, using MapReduce and using some of these really cool technologies actually allow us not only to integrate the technical data but also the user and information flow data," he said.
"There's no way we could have done that before because you would have had to consume so much data that by the time your systems had cranked all that stuff out it would have been too late."
Operations teams' security expertise
However, while big-data technologies can help make security response faster, the real challenge facing most companies lies in the capabilities of their users and the expertise of their security operations teams.
"These technologies, unlike blocking technologies like a firewall or antivirus, don't work on their own. It's like having a really nice car sitting in your driveway, gassed up with the keys on, lights on — we can help you do that, we can help deploy it and put it in there but if you don't get in and drive it doesn't go anywhere," Gilliland said.
"Yes, we can help create the self-driving car a little more and it can be more facilitated but again those will be simple things. If you want to find a really determined adversary, you're going to have to operate it, you're going to have to go off road, you're going to drive that thing yourself."