In the days when the only logs to be checked were from the firewall, most organisations relied on their security analysts doing an eyeball search to spot any anomalies. While it is still necessary for analysts and incident responders to look at and understand that level of detail, the vast increase in data flows, log sources and attacks has made this process much more complicated.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
To make sense of this data, it needs to be parsed, categorised, correlated and presented in a way that allows the analyst to identify, or be alerted to, any potential incidents. The analyst then needs to drill down through the data, or call up corroborating data, to assess whether it is a real incident, a false alarm, a misconfiguration, or a user error.
Security analytics can help by providing visual dashboards, including device health monitoring, a holistic view of network activity, and an overview of the general security posture, both from a technical and management perspective.
Analytics can therefore allow you to evaluate the potential risk of a cyber attack, detect and manage an ongoing incident, determine the implications of a breach (loss of IP or financial loss, for example), and meet compliance requirements. This mostly applies to larger organisations that manage their own security, can capture the necessary data and hire the skilled staff required to configure, operate and maintain the analytics in a rapidly changing threat environment.
Therefore, before starting on the analytics journey, you must make sure you have, or can put in place, the necessary skilled staff required for custom configuration, rule generation, troubleshooting, professional services support and staff training to exploit the solution.
Analytics are available both within existing security tools and as standalone packages, but there is no single answer to every problem. More and more analytics, often employing machine learning, are being built into specialist tools such as malware detection, threat intelligence and sandbox solutions, as well as SIEMs (security information and event management systems). These are typically configurable by the user, at least to some extent, so most people running their own security will already have some analytics capability.
When it comes to security analytics, it is important to separate fact from fiction, particularly in light of the ever-increasing marketing hype on the subject. The first step should therefore be not to look to the market, but to think about:
- What you want to achieve with analytics?
- What data do you need to collect for analysis; do you already have access to it?
- What analytic capability do you need to meet your objective?
This is often best done by developing a number of use cases that describe what you want to achieve. This will lead to a clear strategy – essential for deploying an analytics solution.
In doing this, you will need to think about the need for machine learning, the granularity you require (for example, endpoint processes, DLLs, threads, objects, memory analysis), the data sources you need to interface to, any compliance requirements you may have, and the degree of scalability required.
One other thing to consider is that although big data and analytics are often mentioned in the same breath, if you are using analytics to look for anomalies, bigger data is not always better. One person’s anomaly is another person’s normality, so treat networks separately (internal and operational, for example), and use as few non-standard builds on hosts and servers as possible. This will minimise the normal variation in the network and will help the analytics to do their work.
By following these steps, you should be able to assess whether you might already have the tools available to complete your objectives, or whether you need something new.
It should also enable you to develop a strategy to build and deploy the analytics capability you actually need, rather than simply buying something based on what the hype around security analytics has led you to believe that you need.