While I was researching this blog article, I realized that "digitization", which is currently on everyone's lips and used in many ways, is actually only the umbrella term for the change in our society in which everything, both in the private and in the corporate sector, becomes faster and more closely meshed, without our being aware of the impact on society.
So, as I write these blog articles for companies, we should actually take a closer look at the term "digital transformation", because this transformation will mainly run through companies in ever faster cycles over the next few decades. The digital transformation is comparable to the industrialization of the 19th century. At that time, no one could predict the impact of industrialization on society and companies.
The German Wikipedia provides the following definition (in italics):
Digital transformation (also referred to as “digital change”) is a continuous process of change, grounded in digital technologies, affecting society as a whole, and especially businesses. The digital transformation is based on digital technologies that are being developed in ever-faster succession, paving the way for new digital technologies.
The main drivers of digital transformation include digital technologies – traditionally referred to as information technology – which include digital infrastructures (for example: networks, computer hardware) and applications (for example, apps on smartphones, web applications) and digital technology-based exploitation potential, for example digital business models and digital value-creating networks.
In the narrower sense, digital transformation often refers to the process of change within a company, triggered by digital technologies or customer expectations, based on them (see Digital Business Transformation). The digital transformation, however, goes much further and beyond. It is a process of change that affects a variety of aspects of our society and does not end up in companies.
The main actors of the digital transformation are companies, individuals and communities, science (with research and teaching) and the state. These actors exert a diverse influence on each other. This influence becomes apparent, for example, when new technologies (and the use of them) also entail expectations for companies to adopt these digital technologies.
When I look at today's IT security landscape with its problems, I am frightened to the max, because companies are already suffering today:
But how should companies compete in the field of IT security (if they cannot do so today) when the digital transformation exponentially increases the number of systems and applications, which in turn create even more log files and events? Furthermore, the complexity will increase almost without limit as the systems become ever more tightly meshed.
New companies will push into the market, gaining their market position through strong marketing and sales but caring little about the IT security of their products. In 2016 alone at DEF CON, hackers found 47 vulnerabilities in 23 IoT devices. IoT is part of the digital transformation, so it is quite conceivable that a hacked refrigerated shelf in a supermarket is the springboard with which an attacker paralyzes an entire supermarket chain.
Utopia? I think not: just enter "IoT hacks" or "IoT vulnerabilities" into Google and see what is going on today.
Smart home? Companies will certainly use many devices in the future to save energy and to control things "smartly". Again: attackable! And if the heating comes on at an outside temperature of 30 °C, you will sweat in the office more than usual.
Enough pessimism. How can one adapt to the digital transformation from the IT security point of view?
We have to make our SOCs and IT security departments leaner from a technical point of view and more agile from the incident response point of view.
This means first putting a stop to the information overload. I know companies that have to monitor 1.6 B-I-L-L-I-O-N (!) events per day. As a SIEM analyst, I was once in my life forced to process 2 million events every hour, which had already been stored, normalized, correlated and prepared by the SIEM. I finished this job very quickly, because it was senseless.
It was simply impossible to filter an attack out of this event overkill. In addition, the data is no longer real-time (because of all this processing by the SIEM), so an attacker could already have done his job successfully before I see it. That I would recognize the attack at all is unlikely, because I believe that less than 1% of the events handled by a SIEM are attack-relevant. That means that of the 2 million events the SIEM issues to me, at most 20,000 are important, and even then it is not guaranteed that they really are attacks; maybe they are just false positives.
“Analyzing events on a SIEM is like being thirsty and trying to drink from a fire engine hose under full pressure”
The solution for the SIEM is to take out especially those IT security assets that produce a particularly large number of events and, for example, to store their logs in a syslog server instead. For audits or forensic examinations, the data will then still be available. This category includes, for example, firewalls, IDS and IPS. An indicator of what should be extracted from the SIEM is an analysis of how many events a source produces, what the quality of the events is, and of course whether this log source really helps to detect attacks.
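The three indicators named above (volume per source, event quality, and whether the source actually surfaces attack-relevant events) can be measured from the raw log stream before deciding what stays in the SIEM and what goes to a syslog archive. The following script is an added example, not code from the original article or from any SIEM vendor: it parses constructed syslog-style lines, computes each source's share of total volume, its ratio of relevant-severity events, and the number of lines missing a severity field (a simple quality signal), and recommends a route. The line format, the set of "relevant" severities, and the thresholds of 15% volume share and 1% relevance are assumptions chosen for the example and would be tuned per environment.

```python
"""Per-source log triage: which sources stay in the SIEM, which go to a
plain syslog archive.  Added example with constructed log lines; the
format, severity mapping and thresholds are assumptions, not vendor defaults."""
from collections import defaultdict

# Severities we treat as potentially attack-relevant (assumption for the example).
RELEVANT_SEVERITIES = {"warning", "alert", "crit"}


def parse_line(line):
    """Parse 'TIMESTAMP HOST SOURCE key=value ...' into a dict.

    Returns None for lines that lack even the three leading fields.
    """
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "host": parts[1], "source": parts[2]}
    if len(parts) == 4:
        for kv in parts[3].split():
            if "=" in kv:
                key, value = kv.split("=", 1)
                event[key] = value
    return event


def triage_sources(lines, max_share=0.15, min_relevance=0.01):
    """Count events per source and recommend where each source should go.

    share          : fraction of all events produced by this source
    relevant_ratio : fraction of its events carrying a relevant severity
    malformed      : events without a 'sev' field (quality indicator)
    route          : 'archive' = high volume, low relevance -> syslog only
                     'review'  = low relevance but not flooding the SIEM
                     'siem'    = produces detections -> keep correlating
    """
    stats = defaultdict(lambda: {"events": 0, "relevant": 0, "malformed": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["source"]]
        s["events"] += 1
        sev = ev.get("sev")
        if sev is None:
            s["malformed"] += 1
        elif sev in RELEVANT_SEVERITIES:
            s["relevant"] += 1
    total = sum(s["events"] for s in stats.values())
    result = {}
    for source, s in stats.items():
        share = s["events"] / total if total else 0.0
        ratio = s["relevant"] / s["events"]
        if ratio < min_relevance and share >= max_share:
            route = "archive"
        elif ratio < min_relevance:
            route = "review"
        else:
            route = "siem"
        result[source] = {**s, "share": round(share, 3),
                          "relevant_ratio": round(ratio, 3), "route": route}
    return result


def sample_log():
    """Constructed sample (not real data): a chatty firewall, a noisy IDS,
    a proxy with two malformed lines, an endpoint agent and an auth server."""
    lines = [f"2017-03-01T10:00:{i % 60:02d}Z fw01 firewall sev=info action=allow "
             f"src=10.0.0.{i % 200} dst=203.0.113.10 dport=443" for i in range(398)]
    lines += ["2017-03-01T10:05:00Z fw01 firewall sev=warning action=deny src=198.51.100.7 dport=445",
              "2017-03-01T10:05:01Z fw01 firewall sev=warning action=deny src=198.51.100.7 dport=3389"]
    lines += [f"2017-03-01T10:01:{i % 60:02d}Z ids01 ids sev=info sig=dns_query" for i in range(117)]
    lines += [f"2017-03-01T10:06:0{i}Z ids01 ids sev=alert sig=suspicious_beacon src=10.0.0.42" for i in range(3)]
    lines += [f"2017-03-01T10:02:{i % 60:02d}Z proxy01 proxy sev=info url=http://example.com/{i}" for i in range(58)]
    lines += ["2017-03-01T10:02:59Z proxy01 proxy url=http://example.com/no-severity-1",
              "2017-03-01T10:03:00Z proxy01 proxy url=http://example.com/no-severity-2"]
    lines += [f"2017-03-01T10:03:{i:02d}Z host42 edr sev=info proc=chrome.exe" for i in range(10)]
    lines += [f"2017-03-01T10:04:{i:02d}Z host42 edr sev=alert proc=powershell.exe parent=winword.exe" for i in range(5)]
    lines += [f"2017-03-01T10:05:{i:02d}Z dc01 auth sev=info user=u{i} result=ok" for i in range(24)]
    lines += ["2017-03-01T10:05:30Z dc01 auth sev=warning user=admin result=lockout"]
    return lines


if __name__ == "__main__":
    report = triage_sources(sample_log())
    for source, r in sorted(report.items(), key=lambda kv: -kv[1]["events"]):
        print(f"{source:9s} events={r['events']:4d} share={r['share']:.3f} "
              f"relevant={r['relevant_ratio']:.3f} malformed={r['malformed']} -> {r['route']}")
```

On the constructed sample the firewall produces 400 of 620 events with 0.5% relevant and is routed to the archive, the IDS is kept despite its volume because its alerts clear the relevance bar, and the proxy lands in "review" because it yields no relevant events at all and two of its lines arrive without a severity. The "review" bucket is deliberate: a source that contributes nothing to detection but is still needed for forensics belongs in the archive rather than the SIEM, but that decision should be made by a person, not the script.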
Next, the view of IT security must be changed, namely to the attacker's view. What does he want? He aims to take over an endpoint (client or server) in order to spread laterally from there. This means that stronger endpoint security has to be set up, which presents alerts graphically in a clearly recognizable manner ("protect the target" strategy).
Furthermore, we still need an APT defense that monitors the data flow and, if possible, DLP (Data Leakage Prevention). Again, a meaningful graphical console should be provided to quickly detect anomalies.
You will see how effectively the SIEM can work once the amount of data is significantly reduced. At the same time, your budget will be grateful to you for not having to expand the SIEM infrastructure (storage space, sensors) continuously.
As the new, more effective graphical consoles report alerts in near real time, employees can also act faster, especially if you have selected an endpoint security product that can intervene in the attacker's processes on the endpoint and perhaps even allows forensic investigation and re-imaging of endpoints. Then your SOC agents can start almost immediately to eliminate the problem.
I will shed more light on the problems of SIEMs and their manufacturers in one of the next articles and reveal my view on things.