Gartner has suggested that, certainly by 2020, enterprise IT systems will be compromised by advanced targeted threats. Working on that assumption, security controls cannot stop at the network boundary: they need to extend outward to the endpoints and users behind it, with a much greater focus on context.
ITOA (IT operations analytics) can be used to detect increasingly sophisticated threats, including APTs for which no signature exists, by recognizing anomalies in the behavior of users and devices and treating deviations from normal behavior as potentially malicious activity.
Once a baseline of user behavior has been established, ongoing access and activity can be monitored and analyzed in real time. Behavioral anomalies in areas such as frequency of access and the amount and type of information downloaded can then be identified as indicators of malicious intent. The baseline is only as good as the period it is learned from: if an attacker is already active while it is built, their activity becomes part of "normal", so the learning window should be chosen and reviewed with care.
Identifying and isolating
Having identified anomalous behavior, it is then possible to isolate the affected endpoint. In the case of a user's system, ITOA can monitor what it is running, along with any recent interactions the user and their system have had with content, executables and enterprise systems. Rather than a snapshot of a single point in time, this form of monitoring returns something closer to a moving film, giving the security team visibility of what occurred, and in a useful context.
As and when a breach occurs, this data can be used to gain a clearer insight into which other users may also have been targeted and which systems were affected, and from there to take the appropriate remedial actions.
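The two steps described above, building a per-user baseline and flagging deviations in access frequency, download volume and the type of information touched, and then pivoting from a flagged user to other users who interacted with the same executable, are shown below as an added example. This is illustrative code written for this article, not the output or API of any ITOA product; the event schema, the user names, the share paths and the artifact hash are all constructed for the demonstration.

```python
"""Added example: per-user baseline and anomaly detection over constructed
access/download/exec events, followed by a pivot from a flagged user to the
other users who ran the same artifact. Hypothetical log schema, not a product API."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Event(NamedTuple):
    day: int        # day index within the observation window
    user: str
    host: str
    action: str     # "access", "download" or "exec"
    obj: str        # share path for access/download, artifact hash for exec
    size: int       # bytes transferred for downloads, otherwise 0


def _day(user, day, n_access, dl_bytes, category="eng", artifact=None):
    """Constructed activity for one user-day (hypothetical, not real telemetry)."""
    host = f"{user}-pc"
    ev = [Event(day, user, host, "access", f"share/{category}/doc{i}.docx", 0)
          for i in range(n_access)]
    ev.append(Event(day, user, host, "download", f"share/{category}/bundle.zip", dl_bytes))
    if artifact:
        ev.append(Event(day, user, host, "exec", artifact, 0))
    return ev


ARTIFACT = "sha256:deadbeef"  # hypothetical hash of a dropped executable
EVENTS = []
# Days 1-5: routine activity, with natural day-to-day variation in access counts
for d, (a, b) in enumerate([(10, 20), (12, 22), (9, 18), (11, 21), (8, 19)], start=1):
    EVENTS += _day("alice", d, a, 5_000_000)
    EVENTS += _day("bob", d, b, 8_000_000)
    EVENTS += _day("carol", d, 5, 1_000_000)
# Day 6: alice's behaviour changes sharply; bob runs the same artifact but otherwise looks normal
EVENTS += _day("alice", 6, 60, 400_000_000, category="finance", artifact=ARTIFACT)
EVENTS += _day("bob", 6, 20, 8_000_000, artifact=ARTIFACT)
EVENTS += _day("carol", 6, 5, 1_000_000)


def daily_features(events, day):
    """Per user on `day`: access count, download bytes and share categories touched."""
    feats = defaultdict(lambda: {"access": 0, "bytes": 0, "categories": set()})
    for e in events:
        if e.day != day or e.action not in ("access", "download"):
            continue
        f = feats[e.user]
        if e.action == "access":
            f["access"] += 1
        else:
            f["bytes"] += e.size
        f["categories"].add(e.obj.split("/")[1])   # "share/<category>/..."
    return feats


def build_baseline(events, days):
    """Mean and population stdev of each daily metric over `days`, plus categories ever seen."""
    per_user = defaultdict(lambda: {"access": [], "bytes": [], "categories": set()})
    for d in days:
        for user, f in daily_features(events, d).items():
            per_user[user]["access"].append(f["access"])
            per_user[user]["bytes"].append(f["bytes"])
            per_user[user]["categories"] |= f["categories"]
    return {
        user: {
            "access": (mean(s["access"]), pstdev(s["access"])),
            "bytes": (mean(s["bytes"]), pstdev(s["bytes"])),
            "categories": s["categories"],
        }
        for user, s in per_user.items()
    }


def threshold(mu, sigma, k=3.0, floor=0.25):
    """mu + k*sigma, with sigma floored at a fraction of mu so that a perfectly
    regular baseline (sigma == 0) does not flag every small change."""
    return mu + k * max(sigma, floor * mu)


def detect(events, baseline, day):
    """Findings on `day` versus the baseline: frequency, volume and never-seen category."""
    findings = []
    for user, f in daily_features(events, day).items():
        b = baseline.get(user)
        if b is None:
            findings.append((user, "no baseline", None, None))
            continue
        for metric in ("access", "bytes"):
            t = threshold(*b[metric])
            if f[metric] > t:
                findings.append((user, metric, f[metric], t))
        for cat in sorted(f["categories"] - b["categories"]):
            findings.append((user, "new category", cat, None))
    return findings


def pivot_on_artifacts(events, user, days):
    """Artifacts `user` executed within `days`, mapped to the other users who ran the same ones."""
    days = set(days)
    mine = {e.obj for e in events if e.user == user and e.action == "exec" and e.day in days}
    shared = defaultdict(set)
    for e in events:
        if e.action == "exec" and e.obj in mine and e.user != user and e.day in days:
            shared[e.obj].add(e.user)
    return {a: shared[a] for a in mine}


if __name__ == "__main__":
    base = build_baseline(EVENTS, range(1, 6))
    for finding in detect(EVENTS, base, 6):
        print(finding)
    print(pivot_on_artifacts(EVENTS, "alice", range(1, 7)))
```

Run as a script, it flags only alice on day 6 (access frequency, download volume and a never-before-seen "finance" category) and then shows that bob executed the same artifact, which is the kind of lead the text describes for finding other users who may have been targeted. The floor on the standard deviation matters in practice: users with very regular habits have a baseline variance of zero, and without the floor a single extra file access would trip the threshold.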
By using ITOA, businesses can proactively detect abnormal activity across their IT infrastructure and all connected endpoints, and can use the continuously available, real-time information to check that security policies are actually being followed rather than assuming they are.
Businesses, particularly those that are subject to APTs or are likely targets for motivated attackers, must take the precautions necessary to protect their technical estate. Real-time ITOA used as a security measure will play a crucial part in adding a further layer of protection for their infrastructure, endpoints and end users.