Access to Real-Time Contextualized Information through In-Memory Computing Can Help Security Teams Spot Evolving Threats Before It’s Too Late
By Dr. William Bain, CEO and Founder of ScaleOut Software
In cybersecurity, timing is everything. Whether an attacker is looking for a misconfiguration or zero-day to exploit and extract crown jewel data, organizations must scramble to address vulnerabilities and counter attacks before it’s too late. Cybersecurity teams manage sprawling systems which generate volumes of alerts and data for analysis, but security information and event management (SIEM) software often uses tools that don’t speak well to each other, and much of the data needs to be examined offline after the fact. These challenges make it difficult to spot issues in the moment and to know when and where to act.
SIEM solutions typically log activities and enable security practitioners to create and apply rulesets that extract information for alerting within their organizations. Using dashboards that show managers raw telemetry by region or events recorded over time, they help identify possible intrusions and kill chain activity that could lead to the injection of malware or other threats. However, delayed forensic analysis of logs and the display of large volumes of aggregated telemetry makes it difficult to mitigate emerging threats as they occur. While SIEM solutions do a good job of monitoring across attack vectors, they fall short in spotting trends in the moment and providing real-time communication throughout a cyber kill chain.
Real-Time Analytics Boost In-the-Moment Decision Making
With time of the essence, how can we enhance current techniques and obtain insights fast enough to interrupt cyberattacks? How can we provide deeper introspection in real-time on incoming telemetry to enable fast, effective action while reducing the likelihood of false positives?
A new software technique for streaming analytics called “real-time digital twins” (RTDTs) may be the answer to this problem. This technique moves the focus from just examining patterns within data streams to monitoring the dynamic behavior of data sources, such as nodes within a large network infrastructure. For each data source, a separate RTDT software component incorporates evolving information that helps analyze incoming messages and update a dynamic assessment of the data source’s condition. This approach yields a significantly deeper understanding and better, faster decision-making on whether to take action to block a threat, a depth that cannot be achieved by looking only at the data within an incoming message stream. As a result, RTDTs have the potential to rapidly accelerate the execution of SIEM algorithms in detecting malicious attacks, correlating events, and possibly intervening in time to halt an attack without reacting to false positives.
The power of RTDTs is made possible by in-memory computing techniques, which can ingest, store and analyze large volumes of incoming data within milliseconds. This technology creates new opportunities for SIEM software. Instead of just storing incoming events, an in-memory computing platform can correlate and analyze them by data source as they arrive. This could enable SIEM software to maintain a real-time threat assessment for each network entry point or node that sends events to the system for analysis. Instead of requiring security analysts to analyze logged events to build a picture of an evolving attack, they could use RTDTs to continuously analyze telemetry from every data source within the network infrastructure, and they could visualize the results of this analysis in real time.
Mapping and Improving Communication Across the Network
Using RTDTs, organizations could integrate event tracking in memory with associated contextual information into existing SIEM solutions and react to potential threats in milliseconds. Many SIEM solutions maintain agents that are distributed throughout an organization’s networks to report suspicious events that might signal a threat. Instead of just adding these events to a dashboard and logging them for offline analysis, they also could track them using RTDTs. Each RTDT could immediately run a machine-learning algorithm to classify activities, eliminate false positives, and signal alerts to security managers, engineers, CISOs or other key stakeholders when threats or lateral movement risks are predicted.
Beyond that, RTDTs could communicate with each other to help isolate an evolving threat. For example, when an event includes information indicating a connection and possible threat to another network node, an RTDT could message the target node’s RTDT to improve its threat assessment algorithm in spotting suspicious behavior and interrupting kill chains. Sending messages between RTDTs to track the progression of an intruder within a network could enable the system to build a real-time map of potential kill chains and possibly get ahead of an assailant to block threats.
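The per-source state and twin-to-twin messaging described in the two sections above, modeled as an added example (not ScaleOut's product code): each node's twin keeps a running threat score and event history, and a lateral-connection event makes the source twin warn the target twin, which then weighs its own subsequent events more heavily. The event types, risk weights, threshold and sample telemetry are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (source_node, event_type, target_node or None)
SAMPLE_EVENTS = [
    ("host-a", "failed_login", None),
    ("host-a", "failed_login", None),
    ("host-a", "failed_login", None),
    ("host-a", "lateral_connect", "host-b"),
    ("host-b", "priv_escalation", None),
]

class RealTimeDigitalTwin:
    """Per-node state that evolves with each incoming event (hypothetical model)."""
    WEIGHTS = {"failed_login": 1, "lateral_connect": 3, "priv_escalation": 4}  # constructed
    ALERT_THRESHOLD = 5                                                         # constructed

    def __init__(self, node, registry):
        self.node = node
        self.registry = registry        # lets twins message each other
        self.score = 0                  # running threat assessment for this node
        self.counts = defaultdict(int)  # contextual history kept in memory
        self.sensitivity = 1            # raised when a peer twin warns us

    def process(self, event_type, target):
        """Fold one event into this twin's state; return True if an alert fires."""
        self.counts[event_type] += 1
        self.score += self.WEIGHTS.get(event_type, 1) * self.sensitivity
        # Peer messaging: tell the target's twin to scrutinize its own events harder.
        if event_type == "lateral_connect" and target:
            self.registry.twin(target).receive_warning(self.node)
        return self.score >= self.ALERT_THRESHOLD

    def receive_warning(self, from_node):
        self.sensitivity = 2
        self.counts["warned_by:" + from_node] += 1

class TwinRegistry:
    """One twin per data source, created on first sight of that source."""
    def __init__(self):
        self.twins = {}

    def twin(self, node):
        if node not in self.twins:
            self.twins[node] = RealTimeDigitalTwin(node, self)
        return self.twins[node]

def run_stream(events):
    """Route each event to its source's twin; return (node, score) alerts in arrival order."""
    reg = TwinRegistry()
    alerts = []
    for src, etype, target in events:
        if reg.twin(src).process(etype, target):
            alerts.append((src, reg.twin(src).score))
    return alerts, reg
```

Run stand-alone, host-b's single privilege-escalation event only crosses the threshold because host-a's twin warned it first; the same event arriving with no prior warning scores 4 and stays below the alert line.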
Strengthening Security and Time to Action
By harnessing new approaches for real-time analytics, as made possible with in-memory computing hosting real-time digital twins, cybersecurity teams can make use of new technology for monitoring and intercepting active threats. This technology can also strengthen current industry tools, such as SIEM software, to improve communication and context sharing throughout networks. Now organizations have a new weapon for moving from post-attack analysis to identifying an attack in the moment and stopping it from happening at all.
About the Author
Dr. William L. Bain is the founder and CEO of ScaleOut Software, a leader in developing software products to enhance operational intelligence within live systems. Over a 40-year career focused on parallel computing, Bill has contributed to advancements at Bell Labs Research, Intel, and Microsoft, and holds several patents in computer architecture and distributed computing. He earned his Ph.D. in electrical engineering from Rice University. Bill can be reached through email, LinkedIn and the ScaleOut Software website.