retailciooutlook

When Multi-layered Makes Sense: A New Approach to Breach Detection

By Grant McCormick, CIO, Imperva, Inc

Grant McCormick, CIO, Imperva, Inc

Earlier this year, my organization’s Board of Directors asked me to present on cyber security. As CIO of Imperva, a cyber security technology company, I wasn’t surprised or apprehensive. We are serious about security at Imperva. We do an excellent job of fortifying traditional defenses, deploy our own technology to protect critical data and applications, and regularly commission third parties to run pentests on our environment.

The Board’s first question was one that’s probably on the minds of many C-level executives: “How do we know if we’ve had a data breach?” I gave them a satisfactory answer: In addition to our protective defenses, we collect and manage a tremendous amount of log data, which our very capable staff analyzes for evidence of attacks. But as I thought about it, I realized that although this approach is industry standard, it leaves a lot to be desired.

Manual detection is slow, resource-intensive, and human-powered. It is subjective and prone to human error. It bogs down at scale. Perhaps most critically, it takes place after the fact. If we’re under attack, we may not know until the damage has been done.

We were missing a layer. We needed to establish a progressive capability to detect breach activity in real time, including the areas between perimeter, end points, core data and applications.

Cue the Search for a New Solution to Add to Our Stack

We ran the typical route: started with the analysts, read the reports, compared vendors and consulted peer companies. The five solutions that made the short list set up proof of concept systems around network and end point protection, log data analysis, and data and application monitoring. That much was the conventional approach. Now the unconventional part: with these POCs in place, we simulated a real attack via our external pentest consulting firm. The external pentest firm did not have any knowledge of the Security Breach Detection POCs. In our mind, this was perfect.

This setup allowed us to assess which solution delivered the best against our criteria: how well they were able to pick out the 20 real events from 20,000 log events.

What we found surprised us.

No single vendor excelled across every phase of the security breach lifecycle. Each solution, including our own, performed well in one, sometimes two phases, but none provided continuous coverage from reconnaissance, through lateral movement, to data and core access and finally exfiltration.

Consolidation is the name of the game in IT today. Fewer vendors mean fewer integrations, contracts, upgrades, and hassles. We assumed we would find one tool that would fit our requirements. We were wrong.

The emerging market for breach detection demands a cutting-edge strategy. Instead of settling for a one-size-fits-all solution, we took a deliberate multi-layered approach. We built our breach detection strategy around three zones of protection: network and end point, log data, and core data and applications. By deploying tools that targeted each of these layers including the Imperva CounterBreach solution that uses machine learning to analyze how users access data in order to spotlight dangerous data access and use, we constructed a security stack that delivers best-in-class detection without compromise. In short a trifecta of coverage and capability.

New threats demand new defenses. Rather than hinder our progress, the three-pronged approach to breach detection ended up being the most efficient and effective. A multi-layered within multi-layered stack may sound like a nightmare, but instead, it works to prevent one.