HPE Aruba Networking Blogs

Data Breaches are Inevitable. Get Ready Now

By Mark Verbloot, Senior Director, Product, Solutions and Systems Engineering, Asia Pacific Region, Aruba

Cybersecurity is a hot topic among our customers across the South Pacific, and it's getting hotter. Businesses must protect themselves against unprecedented criminal cyber threats and safeguard their sensitive data and corporate reputations. To add fuel to the discussion, Australia's Notifiable Data Breach Act goes into effect in February 2018.

According to the new law, Australian businesses with a turnover of more than AU$3 million and Australian government agencies must report any "data breach that is likely to result in serious harm to any of the information to whom the information related." That breach may be the loss or theft of a device containing customers' personal information, the hack of a database containing personal information, personal information mistakenly provided to the wrong person, or many other scenarios of intentional or unintentional misuse. The fines are set at up to $360,000 for individuals and $1.8 million for organizations per breach.

Across the world, the European Union General Data Protection Regulation (GDPR) goes into effect just a few months later. Fines are even steeper: the greater of €10 million or 2% of global annual turnover for noncompliance with technical measures and the greater of €20 million or 4% of global annual turnover for noncompliance with key GDPR provisions.


Cybersecurity Must Be a Top Priority

Wherever your company operates, it's clear that cybersecurity must be a top priority. Well-organized, well-funded attackers can evade traditional perimeter defences, making a security breach not a matter of "if" but "when." It's critical for IT teams to be able to quickly detect and respond to a breach, understand how the breach occurred, and proactively report it internally and as required by law.

If that is not difficult enough, organizations also have to deal with malicious insider threats, which are by far the hardest to detect. A recent example of this is the ex-Google employee who is accused of downloading highly sensitive internal information about Google's self-driving car program before starting his own company that was then acquired by Uber.

Armed with Insights

Today's cyber threats are complex, unfolding in multiple stages over days, weeks or months. It can be difficult for security analysts to see the bigger picture of what's happening because they're mired in time-consuming, manual threat identification and correlation. In fact, the median time from compromise to discovery is 99 days, according to Mandiant, and APAC has one of the highest dwell times in the world—172 days.

Understanding what is really going on within a large, complex network with a myriad of different user access privileges and an ever-increasing number of headless devices is a problem to which machine learning is very well suited.

And we are doing exactly that with Aruba IntroSpect via UEBA (User Entity and Behavioral Analytics). The most significant benefit of using machine learning is that the discovery process is largely automated. The system learns what users and entities are doing by examining multiple data sources such as packet processors, SIEM, firewall logs, Active Directory, AMON feeds and others to "figure out" what is normal behaviour and what may be anomalous. UEBA needs some time to gather enough data to build a comprehensive baseline for users and entities. This baseline forms the basis of a risk profile for each user and entity being monitored. If the user or entity behaviour suddenly changes, the risk score will be updated based on the nature of these changes. The administrator is alerted and can use the built-in forensic tools to investigate further.

UEBA is all about reducing the time between a breach occurring and the organization becoming aware. By itself, UEBA cannot prevent a breach from happening. In many instances, despite best intentions and the cybersecurity training employees receive, some people will still click on suspicious attachments, access information they should not, or willingly or unwillingly send sensitive information to suspicious external destinations. By baselining normal user and entity behaviour, UEBA is ideally suited to quickly find and notify the cybersecurity team when this inevitably happens.
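To make the baseline-and-risk-score idea concrete, here is a small added example (it is not Aruba's code and does not represent how IntroSpect works internally). It learns each user's normal daily outbound data volume, then raises that user's risk score when a day deviates sharply from the learned baseline; the user names, traffic figures, learning period and thresholds are all constructed assumptions.

```python
"""Toy per-user behavioural baseline with a running risk score (illustration only)."""
from collections import defaultdict
from statistics import median

MIN_BASELINE_DAYS = 7   # assumption: learning period before any scoring happens
Z_ANOMALY = 3.0         # assumption: deviation (in robust z units) treated as anomalous
ALERT_THRESHOLD = 60    # assumption: risk score (0-100) at which an analyst is alerted

# Constructed sample data: megabytes sent to external destinations per day.
ALICE = [48, 52, 50, 47, 55, 51, 49, 53, 50, 52, 900]           # day 11 is a spike
BOB = [200, 210, 190, 205, 195, 220, 198, 202, 207, 199, 204]   # high but steady
EVENTS = [(user, day, mb)
          for user, series in (("alice", ALICE), ("bob", BOB))
          for day, mb in enumerate(series, start=1)]


def robust_z(history, value):
    """Distance of value from the baseline median, in MAD-based z units.

    Median/MAD is used instead of mean/stddev so that one earlier odd day
    does not stretch the baseline and hide later anomalies.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard against zero spread
    return (value - med) / (1.4826 * mad)


def score_events(events):
    """Replay events in order; return ({user: risk}, [(user, day, mb, risk), ...])."""
    history = defaultdict(list)   # per-user baseline observations
    risk = defaultdict(float)     # per-user risk score, 0-100
    alerts = []
    for user, day, mb in events:
        past = history[user]
        anomalous = False
        if len(past) >= MIN_BASELINE_DAYS:
            z = robust_z(past, mb)
            anomalous = z > Z_ANOMALY           # only unusually HIGH volume counts
            if anomalous:
                risk[user] = min(100.0, risk[user] + 10 * z)
            else:
                risk[user] *= 0.9               # risk decays while behaviour is normal
            if risk[user] >= ALERT_THRESHOLD:
                alerts.append((user, day, mb, round(risk[user])))
        if not anomalous:
            past.append(mb)                     # keep anomalies out of the baseline
    return dict(risk), alerts
```

Bob moves four times as much data as Alice every day and is never flagged, because each user is compared only against their own history; Alice's single 900 MB day is what stands out.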

Customers that have deployed IntroSpect are receiving this kind of visibility and rapid notification of suspicious behaviours, allowing them to quickly investigate and shut down the breach as well as fully investigate how it happened.
