Matthias Maier, security evangelist, Splunk

In this age of the inevitable breach, businesses are spending millions of pounds every year preparing for external security threats, whether viruses, APTs or other attacks. However, they are still in the dark when it comes to looking at, and dealing with, the bigger picture. Most businesses still focus on traditional perimeter and system-based prevention technologies, without understanding the real security threats in more detail.

Results from a recent IDC study of business views on security breaches found that only 12 percent of businesses are worried about the threat posed by an internal user. In the same study, however, 67 percent of respondents indicated that virus attacks and other malware are the biggest threats to their business. This highlights a disconnect between perception and reality, as internal employees are in fact responsible for about 30 percent of all data breaches today. Businesses are clearly thinking about the security threats that endanger their IT systems every day, but their priorities are mismatched when it comes to deciding where to start tackling them.

Are businesses simply looking in the wrong place, or are they in denial that their employees or partners could unintentionally be the biggest danger lying in wait? While prevention is always considered to be a better option than repair, in the age of the inevitable breach, that simply isn't possible anymore. Detect and respond is the next best option.

Hapless users are entirely unintentional in the loss and destruction they cause by allowing their access and/or credentials to be hijacked. The main cause of breaches by hapless users occurs when security solutions get in the way of individuals being able to perform their job efficiently. When that happens, they look for the quickest and easiest workaround, which is often the least secure one, whether that is writing passwords down or storing them all in an unsecured document. Some employees may lack access to certain parts of the IT network and borrow a colleague's login in order to complete a job. None of these actions is undertaken with malicious intent; those employees are simply unaware of the true consequences of what they do. The biggest issue this highlights is a failure to educate users properly on security protocols and on the implications when they aren't followed.

While the majority of European businesses aren't currently worried about insider threats, they are very worried about the problems those threats cause. Compromised accounts, theft of company data and unauthorised access to confidential company data were each rated "Very important" by 40 percent of European businesses. All of these can happen directly as a result of hapless user activity.

One of the key problems with fraud or data theft is that the full impact is often not realised or understood until well after the incident, when a detailed forensic examination is conducted. Businesses that don't have an analytics-driven approach to security often fail to perform these examinations properly, meaning they don't discover the full extent of the problem until much later and, more importantly, don't learn from the mistakes made. By analysing machine data from across the entire IT estate, organisations can better understand when and how potentially fraudulent activity has occurred. They can then use tools such as machine learning and anomaly detection to help automate the identification of suspicious patterns and potentially fraudulent activity by users. However, IDC research shows that only a small minority use forensic investigation systems and analytics capabilities: at present, only 12 percent of businesses use user-behaviour analysis and only 18 percent have an automated detection and response system in place.
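As an added illustration (not from the article or from Splunk) of the kind of user-behaviour check described above, the Python routine below runs over a few constructed authentication log lines and flags any account that logs in from more than one host within a short window, which is the trace a borrowed login typically leaves behind. The log format, hostnames and the 15-minute window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data):
# timestamp, action, user, source host, result.
SAMPLE_LOG = """\
2024-03-04T08:01:10 login user=alice src=ws-112 result=success
2024-03-04T08:03:42 login user=bob src=ws-207 result=success
2024-03-04T08:05:05 login user=alice src=ws-339 result=success
2024-03-04T08:06:30 login user=alice src=ws-112 result=success
2024-03-04T09:40:00 login user=carol src=ws-015 result=failure
2024-03-04T09:41:12 login user=carol src=ws-015 result=success
2024-03-04T10:10:00 login user=bob src=ws-207 result=success
"""


def parse_events(text):
    """Turn raw log lines into (timestamp, user, host) tuples for successful logins only."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[2:])
        if fields.get("result") != "success":
            continue  # failed attempts are not evidence of a shared working login
        events.append((datetime.fromisoformat(parts[0]), fields["user"], fields["src"]))
    return events


def shared_credential_candidates(events, window=timedelta(minutes=15), max_hosts=1):
    """Return {user: sorted hosts} for users seen on more than max_hosts hosts inside one window."""
    by_user = defaultdict(list)
    for ts, user, host in sorted(events):
        by_user[user].append((ts, host))
    flagged = {}
    for user, logins in by_user.items():
        # Slide a window starting at each login and count distinct hosts inside it.
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    # alice is flagged: ws-112 and ws-339 within four minutes of each other.
    print(shared_credential_candidates(parse_events(SAMPLE_LOG)))
```

In practice the same check would be fed by the central log store rather than an inline string, and the window and host threshold tuned per role to keep false positives low.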

In the current age of the inevitable breach, businesses need to be fully prepared. That means adopting a detect-and-respond mentality. With external threats evolving all the time, and internal employees accessing different parts of the network, it has never been harder for businesses to keep tabs on all the dangerous activity that could occur. An analytics-driven approach to security is one way to stay on top of those threats, giving organisations the intelligence to expose risk and to address dangerous trends before they cause disruption and damage.

Contributed by Matthias Maier, security evangelist, Splunk