By Albert Zhichun Li, Chief Scientist, Stellar Cyber
Almost since the beginning of network security, vendors and practitioners have wrestled with choices between going deep and going broad for their security solutions. Mostly, the choice varies between predominantly one or the other. Going deep typically means careful monitoring and analysis of certain types of threats or behaviors at the cost of not examining a much broader range of activity. Solutions that are broader may lack the clarity and fidelity to make fast, accurate alerting. They also may miss important indicators.
The battle to protect data, systems, users and networks has been far from easy. Today, a more interesting headline might announce when a data breach has not occurred. The odds are heavily in favor of attackers to penetrate a network and have free rein to engage in theft or damage. These high-value attacks are human-run and employ multiple approaches over a period of time. The now commonly acknowledged north, south, east and west type of activities work for an attacker to systematically, and sometimes serendipitously, accomplish their mission. One step, such as reconnaissance through some kind of scanning, will lead to a next and a next. This reality means that both depth and breadth are important if an organization has any hope of curtailing an attack.
As solutions for eXtended Detection and Response (XDR)—and perhaps other categories of solutions—emerge, one of the more important questions they will have to face is this ongoing one between depth and breadth. Depth and breadth can work together to ensure higher fidelity alerts with a low number of false positives. The ability to understand potential attacker activity with detail as well as context can make all the difference in flagging something that is truly important. To be productive, activities must be identified that are both abnormal and malicious.
Breadth is important since attackers use multiple tactics, largely sequentially. The ability to see the connectedness between events gives security groups a substantial advantage. This “seeing the forest for the trees” can identify something that might otherwise be missed or provide the fidelity to prevent “crying wolf” too many times. Breadth can also unify the strength of individual security solutions, each with its own area of expertise and specialization.
Depth brings important details and may answer a number of the “who, what, where, when, how” questions. EDR systems, for instance, are best at understanding endpoint activity, CASB solutions are primed to make sense of certain cloud activities. UEBA tools help examine who did what on the network.
Of course, it is simply not possible that one tool or system can do everything with full expertise and precision. This is why the idea of not only integrating but also aggregating key findings from a myriad of tools is so powerful. Sharing “the best of” from each system ensures that the whole is more valuable than sum of the parts. In this way, breadth and depth can combine and work together to minimize any tradeoffs of design to produce better results.
Breadth should also work to fill any gaps between detections provided by various systems that might exist. Usually this means gaps in scope, but sometimes it might mean limitations or delays in what data is provided by a security system and when. Sensors can help fill this gap that inevitably exists. Logs may also provide supplemental information, but they generally cannot be depended on for timely insights and may be limited in what is captured. They can also be manipulated.
Depth and breadth are good things, and vendors and practitioners should continue to build expertise in both areas. Still, to gain an upper hand against attackers, organizations cannot afford to choose between the two. Uniting these two dimensions will help even the odds.
About the Author
Dr. Albert Li is a world-renowned expert in cyber security, machine learning (ML), systems, networking and IoT. He is one of the few scientists known to heavily apply ML to security detection/investigation. Albert has 20 years of experience in security, and has been applying machine learning to security for 15 years. Previously, he was the head of NEC Labs’ computer security department, where he initiated, architected and commercialized NEC’s own AI-driven security platform. He has filed 48 US patents and has published nearly 50 seminal research papers. Dr. Li has a Ph.D. in system and network security from Northwestern University and a B.Sc. from Tsinghua University. Albert can be reached online at firstname.lastname@example.org and at our company website http://www.stellarcyber.com.