You probably already know this, as the entire industry keeps repeating the same statistics: two-thirds of breaches go undiscovered for months, and when they are found, 70% are discovered by external parties. What we find quite odd is that the industry is using these data points to try to sell you more software: the same tools that have clearly failed to protect your networks.
But why are these tools failing? Here’s what we see:
- Perimeter defenses (IPSs, IDSs, firewalls, etc.) are simply too rigid, and they have serious blind spots. No signature-based or automated behavioral analysis tool will ever match the cleverness of a determined, patient human attacker.
- SIEMs alert, analyze and correlate on inherently untrustworthy data, because the first thing a sophisticated attacker does after a breach is cover their tracks by altering events and logs.
- Network packet capture tools, which at least do capture the ground truth, are either too slow or don't make the right data available to analysts. Full packet capture tools are great for forensics but poor at detection and triage in a real-time environment with constant, ongoing attacks, because their queries simply take too long to resolve. NetFlow-based solutions, on the other hand, simply don't provide enough information.
So, analysts and incident responders, your best defense, are bogged down spending most of their time wrangling data from multiple tools instead of doing thoughtful analysis. They are simply overwhelmed. Given all of this, it’s no wonder that breaches are usually detected after the damage is done. To be blunt, your security team is simply blind to what is occurring on your network.
If you were to create the ideal security solution, what would you do? Here’s what we think:
- First, capture the ground truth – network traffic. This data inherently cannot be changed, and by definition, hackers must travel across the network to DO anything.
- Then, capture ALL network traffic, clean it into a single sessionized 'logical table', enrich it with threat intelligence, and make it instantly available for analysis. Queries, even on the most massive real-time data set, would take no more than 1 second.
Imagine … this would enable human intelligence to counter attackers in real-time, essentially enabling them to ‘see’ everything occurring on their network by running subtle queries. For example, an analyst could run real-time queries looking for beaconing behavior or perhaps large data uploads from a client to a server. With this ideal tool in place, breaches would occur, but there would never be any business damage, because detection and response would be immediate. In essence, you would have complete network security situational awareness.
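As an added illustration of the two queries mentioned above (beaconing and large client-to-server uploads), here is a small Python check over constructed sessionized records. This is example code written for this post, not Novetta's product or schema; the record layout, the thresholds and the coefficient-of-variation heuristic are all assumptions.

```python
"""Beaconing and bulk-upload detection over sessionized network records.
Record layout and thresholds are assumptions for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample sessions: (start_time_s, src, dst, bytes_out, bytes_in).
# 10.0.0.5 -> 203.0.113.9 connects every ~300 s with small payloads (beacon-like).
# 10.0.0.6 -> 93.184.216.34 is ordinary, irregular browsing.
# 10.0.0.7 -> 198.51.100.20 pushes 250 MB out in one session (bulk upload).
SESSIONS = [
    (0, "10.0.0.5", "203.0.113.9", 412, 1024),
    (301, "10.0.0.5", "203.0.113.9", 410, 998),
    (598, "10.0.0.5", "203.0.113.9", 415, 1010),
    (902, "10.0.0.5", "203.0.113.9", 409, 1003),
    (1199, "10.0.0.5", "203.0.113.9", 413, 1020),
    (50, "10.0.0.6", "93.184.216.34", 700, 52000),
    (900, "10.0.0.6", "93.184.216.34", 650, 48000),
    (4000, "10.0.0.6", "93.184.216.34", 720, 51000),
    (1200, "10.0.0.7", "198.51.100.20", 250_000_000, 4000),
]

def find_beacons(sessions, min_hits=4, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are highly regular.
    cv = stdev / mean of the gaps between sessions; near 0 means clockwork timing.
    Returns a list of ((src, dst), mean_gap_seconds, cv)."""
    by_pair = defaultdict(list)
    for start, src, dst, _out, _in in sessions:
        by_pair[(src, dst)].append(start)
    hits = []
    for pair, starts in by_pair.items():
        if len(starts) < min_hits:          # too few sessions to judge regularity
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((pair, avg, cv))
    return hits

def find_large_uploads(sessions, min_bytes_out=100_000_000):
    """Flag sessions in which a client sends at least min_bytes_out to a server."""
    return [(src, dst, out) for _t, src, dst, out, _in in sessions if out >= min_bytes_out]

if __name__ == "__main__":
    print("beacon candidates:", find_beacons(SESSIONS))
    print("large uploads:", find_large_uploads(SESSIONS))
```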
Now, I think this solution would be fantastic, but we live in a real world. We’re constrained by database size & cost (yes, capturing all network data adds up quickly!) as well as query times on very large databases. Novetta has developed something awfully close to this ideal solution for the Department of Defense that is also available for private enterprises. As far as we know, there’s nothing as effective at detecting and preventing damage from breaches as our cyber security offering. To learn more, I’ve recently broadcast a webinar, titled “Why Enterprise Cyber Security Isn’t Working – and a New Approach.” You can see a recording here.