The evolution of the cyber attacker’s techniques, skills and tools has far outpaced that of the cyber defender. Throughout the public and private sectors, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they have been given to do the job are not fast enough at detecting, remediating or investigating incidents, especially at scale. New solutions are needed that enable IT operations and incident response teams to move more quickly and act smarter across distributed networks, distributed clouds and OS platforms while maintaining scalable performance.
The government would also benefit from reexamining the thinking behind how it approaches cybersecurity. A reevaluation of the efficacy of siloed efforts could help the government move from a layered approach to a more holistic approach. Siloed tools—which collect fragmented and outdated data—create a disconnect between the detection and remediation of security issues, making it much more difficult to boost the cybersecurity posture of the government as a whole.
Security teams rarely need more threat intelligence. More often than not, they need better ways to take advantage of the wealth of threat data already available to them. Currently, organizations lack the means to analyze a high volume of complex data and remediate the issues found quickly enough to stop attacks already underway. To adopt threat-aware proactive hunting and defenses, businesses require the ability to scan and query for malicious indicators or artifacts across hundreds of thousands, or even millions, of systems simultaneously and continuously through automation, without significant impact on the network and endpoints. They need to be able to execute fast, accurate and complete hunting at scale across the enterprise while keeping resource consumption and traffic generation trivial at all times. In addition, solutions need to be able to export real-time, complete data to external systems for analysis, visualization, reporting and decision support. Whether it is process, user and connection data being sent to SIEMs, or hardware asset and inventory information updating a CMDB as soon as changes occur, information needs to be accessible at any scale and immediately actionable in order to establish competent proactive defenses.
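The fleet-wide indicator query and SIEM export described above, as an added example that is not part of the original article and not any vendor's product code. It runs a constructed indicator set (a placeholder hash, a TEST-NET-3 address and a reserved example domain, all made up) over constructed per-host process and connection telemetry, streams hits in bounded batches so the hunt's working set does not grow with fleet size, and serializes each hit as newline-delimited JSON as a SIEM forwarder would consume it. The record layout and function names are assumptions for illustration.

```python
"""Indicator hunt over endpoint telemetry, emitting SIEM-ready events.

Added example (not from the original article). Indicator values,
hostnames and the telemetry record layout below are constructed.
"""
import json
from typing import Dict, Iterable, Iterator, List

# Constructed indicator set, lower-cased so matching is case-insensitive.
INDICATORS: Dict[str, set] = {
    "sha256": {"0" * 64},           # placeholder digest, not a real sample
    "ip": {"203.0.113.7"},          # TEST-NET-3 documentation range
    "domain": {"bad.example.net"},  # reserved example domain
}

# Constructed telemetry: one record per host, as an endpoint agent might report it.
SAMPLE_TELEMETRY: List[Dict] = [
    {"host": "ws-001",
     "processes": [{"name": "svchost.exe", "sha256": "a" * 64}],
     "connections": [{"remote_ip": "198.51.100.4", "remote_domain": "update.example.com"}]},
    {"host": "ws-002",
     "processes": [{"name": "updater.exe", "sha256": "0" * 64}],
     "connections": [{"remote_ip": "203.0.113.7", "remote_domain": "BAD.example.net"}]},
    {"host": "srv-010", "processes": [], "connections": []},
]


def _norm(value: str) -> str:
    """Normalize an indicator value so case and whitespace do not hide a match."""
    return value.strip().lower()


def hunt_host(record: Dict, indicators: Dict[str, set] = INDICATORS) -> List[Dict]:
    """Return one event per indicator hit found in a single host's telemetry."""
    events: List[Dict] = []
    host = record.get("host", "unknown")
    for proc in record.get("processes", []):
        digest = _norm(proc.get("sha256", ""))
        if digest in indicators["sha256"]:
            events.append({"host": host, "type": "process_hash",
                           "value": digest, "process": proc.get("name")})
    for conn in record.get("connections", []):
        ip = _norm(conn.get("remote_ip", ""))
        domain = _norm(conn.get("remote_domain", ""))
        if ip in indicators["ip"]:
            events.append({"host": host, "type": "network_ip", "value": ip})
        if domain in indicators["domain"]:
            events.append({"host": host, "type": "network_domain", "value": domain})
    return events


def _hunt_batch(batch: List[Dict]) -> Iterator[Dict]:
    for record in batch:
        yield from hunt_host(record)


def hunt_fleet(records: Iterable[Dict], batch_size: int = 1000) -> Iterator[Dict]:
    """Stream hits across an arbitrarily large fleet.

    Hosts are consumed in fixed-size batches so memory use is bounded by
    batch_size rather than by fleet size; each hit is yielded as soon as it
    is found instead of being accumulated into one large result set.
    """
    batch: List[Dict] = []
    for record in records:
        batch.append(record)
        if len(batch) >= batch_size:
            yield from _hunt_batch(batch)
            batch = []
    yield from _hunt_batch(batch)


def to_siem_lines(events: Iterable[Dict]) -> List[str]:
    """Serialize hits as newline-delimited JSON, one event per line, for a SIEM forwarder."""
    return [json.dumps(event, sort_keys=True) for event in events]


def summarize(records: Iterable[Dict], batch_size: int = 2) -> Dict[str, int]:
    """Count hits per host; hosts with no hits are omitted."""
    counts: Dict[str, int] = {}
    for event in hunt_fleet(records, batch_size=batch_size):
        counts[event["host"]] = counts.get(event["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in to_siem_lines(hunt_fleet(SAMPLE_TELEMETRY)):
        print(line)
```

Only the hits leave the host, never the full telemetry, which is how a hunt keeps its traffic footprint small at scale; the clean host ws-001 and the idle host srv-010 produce no events at all, while ws-002 yields one event per matched indicator.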