Why SMBs are struggling with security analytics
Mon 5 Sep 2016
Tom Rowley, Security Strategist, Savvius, looks at the unique data security challenges facing SMBs and opportunities for effective analytics support…
As cyber attacks of varying shapes and sizes continue to garner headlines, businesses that require secure networks are scrambling to find ways to protect themselves and avoid being the next victim of a highly public and damaging hack. But perhaps they aren’t directing their energies in the best ways.
In the past, organizations were primarily concerned with detecting and preventing breaches. These are only two of the three components of a strong security solution – incident response is also critical. Only larger enterprises spent significant sums of money on network security, primarily due to cost and the fact that these companies were the ones most likely to be targeted.
But the cyber security landscape has changed dramatically in the last several years, and we are now at a point where small businesses are taking online security much more seriously and turning their attention to new security tools that go beyond detection and prevention.
Now we’re seeing the rise of security analytics. Earlier this year SC Magazine released the results of a survey that captured responses from nearly one thousand IT and security professionals. Almost two out of three people responded that their companies were in the process of implementing some kind of security analytics program.
Security analytics (also called ‘post-breach forensics’ or other similar terms) is a new and somewhat poorly-defined term for storing, interacting with, monitoring and visualizing log files, network flows and IP packets, both in real time and for later analysis, as well as managing Big Data security feeds or large data streams.
72% of the survey’s respondents were from small and medium-sized businesses (SMBs) with fewer than 1,000 employees. The conclusion was that SMBs are realizing the importance of security analytics, and although few have gotten to the point of actually implementing these systems, many have started planning their own programs.
Roadblocks to security analytics
It’s encouraging to see more organizations taking security seriously, but SMBs are in for a great deal of work in order to set up an effective security program. In general, the major obstacles against security analytics programs (or any security program in general) are the initial cost of the software and/or hardware for capturing the data combined with a lack of expertise and trained staff. These apply to enterprises of any size, but cause more problems for SMBs for several reasons.
First, the shortage of trained staff makes it especially difficult for SMBs to use security analytics tools effectively. Modern security analytics tools are designed with the assumption that they will be used by trained and experienced investigators. It’s unlikely that an SMB will have a dedicated security expert on staff, so they will not be able to use these tools to their full capabilities, if at all.
Buying the right monitoring software won’t do any good if not one member of staff can understand and interpret the data. For this reason, investing in expensive security analytics tools is often not the best use of funds, especially for an organization with a limited budget.
Additionally, cyber attacks targeting SMBs have increased because the ability to automate attacks makes it lucrative for malicious actors to target them. Historically this hasn’t been the case. SMBs tend to have few monetizable assets and a small web presence, so attacking them was not worth the time and effort.
Attackers will naturally gravitate toward attacking SMBs as low-hanging fruit
In the last few years, the dark web has made it easier and cheaper to sell stolen data, advanced automated attack suites developed by experienced hackers are being packaged and rented to relatively inexperienced attackers, and hackers have developed automated, low-cost attacks like ransomware where they get paid directly with no darknet market required. All of these factors have changed the economy of cyber attacks and made SMBs more attractive targets.
Since they have not been targeted until recently, many SMBs have only very limited practical experience – and often a false sense of security – with real assaults. A recent study published by Enterprise Management Associates found something similar that they termed the “bravado factor.” In general, surveyed companies reported that they were extremely confident in their security systems, but the number of alerts these systems were generating led analysts to conclude that either their IDS/IPS devices weren’t properly configured or that the IT team must simply be ignoring most of the data. So while enterprises usually feel that they are protected, in reality, they often aren’t. The lack of trained staff exacerbates this problem for SMBs. As a result of all of these factors, attackers will naturally gravitate toward attacking SMBs as low-hanging fruit.
Preparing for an incident
What can SMBs do if they experience a data breach? Most of the time it’s in their best interest to call a professional. Independent security contractors deal with cyber assaults every day and have extensive training and experience with these situations. In most instances, contracting one of these teams is the most cost-effective approach to intrusion response.
The real question becomes, “What can an SMB do to prepare for an incident?” The answer is two things: retain a history of the enterprise’s relevant computer activities – network traffic, host logs, security device alerts, etc. – and install and monitor as many intrusion detection systems as economically supportable.
Capturing all of a system’s network traffic is not realistic since the cost of storing all that data for a decent period of time would be enormous. The strategy is to have the local team be the “tripwire” that detects an assault and then calls in experts to track down and remediate the attack when needed. In doing so, it’s important that they be as honest as possible about their own level of preparedness, train and prepare their IT staff as much as possible, and acknowledge that they might need help if an emergency happens.
There is a growing consensus at high levels that data security needs to be taken seriously
For this strategy to be successful the SMB needs to have the capacity to store network information (packets) and host logs for extended periods, often a year or more. Even SMBs with substantial investments in malware detection will miss some attacks, which might not be discovered for months. Research by Trustwave reported by Computerworld UK claimed a median time of 87 days from breach to discovery, with some outliers that were much longer. Without a record of the initial attack, resolution will be difficult even for a team of expert investigators.
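The two paragraphs above set up a tension: full packet capture is too expensive to keep for long, yet flows and host logs must survive for a year or more because a breach may sit undiscovered for months. A practical way to reconcile the two is a tiered retention budget: reserve a year of flow records and logs first, then spend whatever storage is left on a short rolling window of full packets. The script below is an added example written for this page, not code from the article or from Savvius; the link utilisation, flow rate, record sizes, log volume and storage budget are constructed sample values, and the tiered plan itself is an assumption about how an SMB might divide its budget, not a recommendation the article makes.

```python
"""Tiered evidence-retention planning for an SMB (added example, constructed numbers).

Given a traffic profile and a storage budget, work out how much long-term
evidence (flow records + host/IDS logs) a year of retention needs, and how
many days of full packet capture fit in the remaining space.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class TrafficProfile:
    avg_mbps: int            # average link utilisation, megabits per second
    flows_per_second: int    # new flows per second across the monitored links
    flow_record_bytes: int   # bytes per stored flow record (NetFlow/IPFIX-style)
    log_bytes_per_day: int   # host + IDS log volume per day, after compression


# Constructed sample profile for a small office network (assumption, not measured).
SAMPLE_PROFILE = TrafficProfile(
    avg_mbps=100,
    flows_per_second=500,
    flow_record_bytes=100,
    log_bytes_per_day=2_000_000_000,
)


def pcap_bytes_per_day(p: TrafficProfile) -> int:
    """Full packet capture stores every byte on the wire: megabits -> bytes -> per day."""
    bytes_per_second = p.avg_mbps * 1_000_000 // 8
    return bytes_per_second * SECONDS_PER_DAY


def flow_bytes_per_day(p: TrafficProfile) -> int:
    """Flow records summarise each connection, so size scales with flow rate, not bandwidth."""
    return p.flows_per_second * p.flow_record_bytes * SECONDS_PER_DAY


def full_capture_bytes(p: TrafficProfile, days: int) -> int:
    """Storage needed to keep full packets for `days` days (the unrealistic option)."""
    return pcap_bytes_per_day(p) * days


def retention_plan(p: TrafficProfile, budget_bytes: int, long_term_days: int = 365) -> dict:
    """Reserve long_term_days of flows + logs, then fill the remainder with full-packet days.

    Returns a dict describing the plan; "feasible" is False when the budget cannot
    even hold the long-term tier, which is the tier an investigator will need most.
    """
    long_term_per_day = flow_bytes_per_day(p) + p.log_bytes_per_day
    long_term_bytes = long_term_per_day * long_term_days
    if long_term_bytes > budget_bytes:
        return {
            "feasible": False,
            "long_term_bytes": long_term_bytes,
            "shortfall_bytes": long_term_bytes - budget_bytes,
            "pcap_days": 0,
        }
    remaining = budget_bytes - long_term_bytes
    return {
        "feasible": True,
        "long_term_bytes": long_term_bytes,
        "pcap_days": remaining // pcap_bytes_per_day(p),
        "pcap_tier_bytes": (remaining // pcap_bytes_per_day(p)) * pcap_bytes_per_day(p),
        "unused_bytes": remaining % pcap_bytes_per_day(p),
    }


def describe(p: TrafficProfile, budget_bytes: int) -> str:
    """Human-readable summary for the sample profile and budget."""
    tb = 10 ** 12
    plan = retention_plan(p, budget_bytes)
    lines = [
        f"full packets for a year would need {full_capture_bytes(p, 365) / tb:.0f} TB",
        f"a year of flows + logs needs {plan['long_term_bytes'] / tb:.2f} TB",
    ]
    if plan["feasible"]:
        lines.append(f"remaining budget holds {plan['pcap_days']} days of full packets")
    else:
        lines.append(f"budget is short by {plan['shortfall_bytes'] / tb:.2f} TB for the long-term tier")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_PROFILE, 20 * 10 ** 12))  # 20 TB budget (constructed)
```

With the sample numbers, a year of full packets at 100 Mbps would need roughly 394 TB, while a year of flow records and logs fits in about 2.3 TB, leaving a 20 TB budget with room for a little over two weeks of full packets. The ordering matters: the long-term tier is reserved first because, as the article notes, a breach discovered after a median of 87 days can only be reconstructed from evidence that was still being kept.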
So while SMBs face a unique set of challenges when it comes to security analytics, it’s still possible for them to benefit from these programs as long as they are pragmatic about how they are implemented. 58 percent of respondents to the SC Magazine survey said that their company’s upper management had an adequate or better understanding of data security, and only 12 percent were “uneducated about security and unaware of the need to improve.”
There is clearly growing consensus at high levels that data security needs to be taken seriously and I’m optimistic that businesses of all sizes can use security analytics to help keep themselves and their customers’ data safe.