Perspectives from Phil Cracknell: mobile security analytics
What kind of precautions should be in place when implementing automation?
“Many organisations are moving towards a more detailed analysis of the data, and the amount of data they have is phenomenal because they’re collecting more information about activity and events, both security and non-security. Artificial intelligence is starting to lend a hand in that space: technologies such as IBM’s Watson, for example, can at least make that first pass through the data, to thin out the content so that when it’s taken to the next level and escalated, there are less volumes for the humans to deal with.
“Many organisations can’t actually say they know what people are doing with personal data – they just know where it is, and the data mapping exercise is just a tick in the box. You must be able to monitor how the users are using personal data, and so we’re starting to now see organisations thinking: ‘Do I need to maybe use a SIEM? Use an off-site SOC? Do I need a third party to help me manage this data, whereas previously I’ve had a security team that would trawl through logs?’
“Now that information is so voluminous, and as well as being able to send it to a remote management facility for Security-as-a-Service, we’ve got the issue of being able to draw conclusions from activity. So we’ve got the anomalous behaviour, we’ve got machine learning: we’ve almost got a template that we can drop into a new organisation to say: ‘These are all the bad things we’re typically going to see, and we expect you to be doing these good things.’ You don’t have to start at the bottom and learn everything from fresh. The dangers are false positives and misinterpreting a legitimate transaction, but these are the obstacles that you face when you’ve got that kind of data and volumes to deal with.”
Which area should endpoint management be focused on?
“I think the key to making this work is interoperability. All organisations have got an estate of endpoints: laptops, desktops, etc. They’re managed and they typically – if it’s a laptop – will need some kind of remote access. Mobile devices, tablets, personal phones and so on are typically managed by a different product set. But you need to be able to interact because an attack might take place across two of these devices simultaneously. If they’ve both been stolen from a car, you need to be able to control the access and have visibility of activity across all the platforms, almost on a per-user basis rather than on a per-device basis.”