Why there are Never Enough Administrators’ Eyes and Why They Must Be Helped

2016-03-22

Ľuboslav Tileš, Sales manager ANASOFT

Perhaps it has already happened to you or to someone around you. When a doctor tries to diagnose a medical condition, he does not always have all the relevant information. If he is unaware of something significant, he may misjudge the situation and arrive at the wrong diagnosis, or downplay the severity of the patient's condition and expose the patient to unnecessary risk. According to the American Journal of Medicine, 10 to 15 percent of diagnoses by general practitioners are erroneous.

Network administrators and IT security professionals face a similar situation. Not only are they confronted with a growing number of attacks and threats (according to a survey by the consulting firm PwC, the number of security incidents worldwide rose by 38 percent in 2015 compared with the previous year), but attacks are also becoming increasingly sophisticated and, as in medical diagnostics, they cannot always be recognised from a single symptom. Like doctors, administrators often lack the complete picture.

Some events or activities look harmless on their own, but in a broader context they can be pieces in the mosaic of a sophisticated cyber-attack. No administrator can keep an eye on everything and watch what is happening simultaneously in all systems and devices, from servers, storage, firewalls and network elements, across the various applications and databases, down to the attendance system.

For example, an administrator logging in to a critical server from an unusual location may not be suspicious in itself. If, at the same time, an unusually large volume of data leaves that server, the combination points to activity that should at least be verified, and ideally stopped.

An infection of one of the computers in the network by a virus is a fairly common occurrence that inevitably happens from time to time in larger companies; finding and removing it is part of the normal routine today. What may go unnoticed is that a few days later files on the data storage begin to change, because employees normally work with data inside the company network anyway. An administrator may not see the connection between the infection and the changes to the data. Yet it may be malware that quietly encrypts the data so that its operators can later demand "protection money" from the affected company for decrypting it.
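The two scenarios above (an unusual administrator login followed by a large outbound transfer, and a malware detection followed days later by mass file changes) are exactly the kind of cross-source correlation a SIEM rule performs. The following is an added illustration, not code from the original article or from any ANASOFT product: a toy correlation over a handful of constructed, already-normalised events. The field names, the list of critical hosts and "usual" countries, and the byte and file-count thresholds are all assumptions chosen for the example.

```python
"""Toy cross-source correlation in the spirit of the two scenarios in the text.
Added example: event schema, hosts, countries and thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs), each source normalised to a dict.
EVENTS = [
    {"ts": "2016-03-01T09:00:00", "src": "av", "host": "ws-17", "user": "jsmith",
     "action": "malware_detected", "name": "Trojan.Generic"},
    {"ts": "2016-03-01T09:05:00", "src": "av", "host": "ws-17", "user": "jsmith",
     "action": "malware_removed"},
    {"ts": "2016-03-04T14:10:00", "src": "fileserver", "host": "fs-01",
     "user": "jsmith", "action": "file_modified", "count": 1200},
    {"ts": "2016-03-04T14:12:00", "src": "fileserver", "host": "fs-01",
     "user": "jsmith", "action": "file_modified", "count": 950},
    {"ts": "2016-03-05T02:30:00", "src": "auth", "host": "db-01", "user": "admin",
     "action": "login", "geo": "RU"},
    {"ts": "2016-03-05T02:41:00", "src": "firewall", "host": "db-01",
     "action": "outbound", "bytes": 6_000_000_000},
    {"ts": "2016-03-05T08:00:00", "src": "auth", "host": "db-01", "user": "admin",
     "action": "login", "geo": "SK"},
]

# Assumed environment knowledge and thresholds; a real deployment tunes these.
CRITICAL_HOSTS = {"db-01"}
USUAL_GEOS = {"SK", "CZ"}
EXFIL_BYTES = 1_000_000_000        # 1 GB leaving within the window counts as "large"
EXFIL_WINDOW = timedelta(hours=1)
MASS_CHANGE_FILES = 1000           # this many modified files counts as "mass change"
INFECTION_WINDOW = timedelta(days=7)


def parse(events):
    """Convert ISO timestamps to datetime and order events chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def rule_unusual_login_then_exfil(events):
    """Login to a critical host from an unusual country, followed within
    EXFIL_WINDOW by at least EXFIL_BYTES of outbound traffic from that host."""
    alerts = []
    for login in events:
        if not (login["src"] == "auth" and login["action"] == "login"
                and login["host"] in CRITICAL_HOSTS
                and login.get("geo") not in USUAL_GEOS):
            continue
        sent = sum(e["bytes"] for e in events
                   if e["src"] == "firewall" and e["action"] == "outbound"
                   and e["host"] == login["host"]
                   and login["ts"] <= e["ts"] <= login["ts"] + EXFIL_WINDOW)
        if sent >= EXFIL_BYTES:
            alerts.append(("unusual_login_then_exfil", login["host"],
                           login["user"], sent))
    return alerts


def rule_infection_then_mass_change(events):
    """Malware detected for a user, then within INFECTION_WINDOW that same user
    modifies at least MASS_CHANGE_FILES files on a file server."""
    alerts = []
    for det in events:
        if not (det["src"] == "av" and det["action"] == "malware_detected"):
            continue
        changed = sum(e["count"] for e in events
                      if e["src"] == "fileserver" and e["action"] == "file_modified"
                      and e["user"] == det["user"]
                      and det["ts"] <= e["ts"] <= det["ts"] + INFECTION_WINDOW)
        if changed >= MASS_CHANGE_FILES:
            alerts.append(("infection_then_mass_change", det["host"],
                           det["user"], changed))
    return alerts


def correlate(raw_events):
    """Run both rules over the normalised event stream and return all alerts."""
    events = parse(raw_events)
    return rule_unusual_login_then_exfil(events) + rule_infection_then_mass_change(events)


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Note what the two rules do not fire on: the unusual login by itself (without the outbound transfer) and the routine login from Slovakia produce no alert, and neither does the virus detection alone. Only the combination across sources, inside a time window, is raised, which is the point the text makes about single symptoms versus the broader picture.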

Security Information and Event Management

There are countless similar scenarios. To notice threats like these, administrators would need eyes in several places at once and would have to evaluate the possible connections immediately. It is therefore better to look at information security, figuratively speaking, from a broader perspective.

In this holistic approach companies use SIEM tools (Security Information and Event Management), which not only collect event data (i.e. logs) from many sources simultaneously but also evaluate and analyse them as they arrive. This greatly reduces the risk that a threat slips through the administrators' fingers. Provided its correlation rules are tuned to the environment, the system separates the wheat from the chaff and highlights only the small percentage of events that amount to relevant suspicions. Administrators are then not forced to chase dozens of false alarms and have more time for the real risks.

Not using a SIEM does not automatically mean that your network is insecure and your data are at risk. A reasonable level of security can in principle be achieved in two steps. First, the correct configuration of every element of the technological infrastructure. Second, enough specialists to continuously and closely monitor all those components, inform each other of incidents and suspected incidents, and look for possible links between them.

If your company meets both criteria and that security is effective, there is nothing to consider. For everyone else, it is worth weighing whether it would be better to help the administrators with a SIEM tool that can cope with a larger flood of security events while seeing the broader links between them.
