Why, despite the effort and time SOC and IR teams spend analyzing suspicious SIEM events and flashy UBA dashboards, do hacker and malicious insider attacks still go undetected for months?
Because SIEM and the context analyzed by UBA tools cannot answer the following critical questions:
- “What client records were exposed during a breach?”
- “What is the business impact of the regulated data exposed to various suspicious IPs / infected devices?”
- “What VIP client data was accessed by an employee in their last weeks before being fired?”
- “Which records were updated in your financial apps by privileged accounts?”
SIEM and the UBA tools built on it depend on disparate sensors: WAFs, DAMs, IDS, firewalls and DLPs. These sensors and agents do not tell you how many records were exposed or what the business impact of that exposure is, and applying the best machine learning and User Behavior Analytics to this clutter merely produces fewer false positives; it will not surface the false negatives hiding among hundreds of events.
With hackers, bots, aggregators and malicious insiders shifting to new-old methods like credential theft, and with adversaries behaving much like “normal” users, looking at disparate logins, source IPs and endpoints is a waste of resources. The evidence is simply not there, no matter how much machine learning and computing power you apply.
WAF and DAM tools were developed to protect against traditional challenges like SQL injection and XSS, or to assist with SOX compliance, each in a contained and siloed manner, not to provide evidence across your high-risk web and enterprise applications. That is why breaches go undetected for months.
After inventing dynamic masking and growing and selling my first company, I realized that we need to go back to basics. Like Sherlock Holmes’s call, “Data! Data! Data! I can’t make bricks without clay!”: get the evidence and act instantly, before damage occurs. This is what our organizations and executives expect from us. This is what we expect from ourselves.
The SecuPi team, comprising Israel’s best talent, has built a platform that uses a light agent on these high-risk applications, producing insight and evidence into all data exfiltration and risky transactions instantly. It overcomes the blind spots caused by connection pools, caches, network encryption and non-relational data sources (somebody supports Epic/Caché??).
On top of it we have added a layer of profiling and peer comparison that assigns a risk score to each individual event based on the sensitivity of the data involved and its business impact, integrating with all SIEM platforms. This immensely enriches what SOC and IR teams see and is a true game-changer.
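The scoring idea above, as an added illustration that is not SecuPi’s code: each application-layer access event is weighted by records touched and data sensitivity, then compared against the user’s peer group, so a user with ordinary logins but an abnormal volume of sensitive records stands out. The sensitivity weights, peer groups and access events are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed sensitivity weights per data class (illustrative, not a real model).
SENSITIVITY = {"public": 0.0, "internal": 1.0, "pii": 3.0, "vip_pii": 6.0}

# Constructed application-layer access events: who read how many records of
# which data class. Logins and IPs are deliberately absent; they carry no
# evidence about what was actually exposed.
EVENTS = [
    {"user": "alice", "peer": "support", "records": 12, "class": "pii"},
    {"user": "alice", "peer": "support", "records": 9, "class": "pii"},
    {"user": "bob", "peer": "support", "records": 15, "class": "pii"},
    {"user": "bob", "peer": "support", "records": 11, "class": "internal"},
    {"user": "carol", "peer": "support", "records": 10, "class": "pii"},
    {"user": "dave", "peer": "support", "records": 4800, "class": "vip_pii"},
]


def exposure(event):
    """Business impact of one event: records exposed, weighted by sensitivity."""
    return event["records"] * SENSITIVITY[event["class"]]


def score_events(events):
    """Attach a peer-relative risk score to every event.

    The score is how many standard deviations the event's exposure lies above
    the peer group's usual exposure; events at or below the mean score 0.
    """
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(exposure(e))
    baseline = {}
    for peer, xs in by_peer.items():
        # Drop the single largest value so one outlier cannot inflate its own
        # baseline; fall back to a unit deviation when the group is uniform.
        trimmed = sorted(xs)[:-1] if len(xs) > 2 else xs
        baseline[peer] = (mean(trimmed), pstdev(trimmed) or 1.0)
    scored = []
    for e in events:
        mu, sigma = baseline[e["peer"]]
        z = max(0.0, (exposure(e) - mu) / sigma)
        scored.append({**e, "exposure": exposure(e), "risk": round(z, 2)})
    return scored


def flagged(events, threshold=3.0):
    """Users whose events exceed the peer-relative risk threshold."""
    return sorted({e["user"] for e in score_events(events) if e["risk"] >= threshold})
```

The flagged user here is indistinguishable from peers by login count; only the record volume and sensitivity, visible at the application layer, separate the event.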
In addition, our agents enforce central access privileges across high-risk applications, ensuring that sensitive and regulated data is provided on a “need-to-know” basis as required by industry and privacy regulations.
We built it from the ground up, the way it was meant to be built to address today’s challenges, not as patches between different solutions that desperately fail to talk to one another. Instead, we built a powerful and smart solution that shifts the power back to the good guys.