[BreachExchange] What Elements Are Needed for Security Analytics Success?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Aug 23 19:58:54 EDT 2016
http://infosecisland.com/blogview/24812-What-Elements-are-Needed-for-Security-Analytics-Success.html
Over the course of the last 18 months, it has become increasingly evident
that organizations need to do more to stop the growing epidemic of security
failures and data breaches that are threatening the very ability to conduct
business. Customers’ sensitive financial and personal information needs to
be protected.
In response, many companies now realize they need to shore up their efforts
internally to deal with the attackers that dwell on the inside for months
looking for their target. In the process, the sheer number and the targeted
specificity of attacks have made it clear that it is impossible for any
single company’s IT department to weed through the potential problems and
possible attack notifications to find the real threats. Even as they deploy
next-generation firewalls and endpoint detection and response products that
move away from signatures to indicators of compromise (IOCs), which promise
to close the gap on detection and dwell-time exposure, alert fatigue
continues to plague many IT security teams.
In order to step up their game, businesses and organizations have been
implementing security analytics technologies. The promise of security
analytics is that it will do what humans in an IT department cannot:
review endless amounts of data and flag the real threats you should pay
attention to.
Not all security analytics solutions are created equal, however. There are
five key characteristics critically important to ensuring that your
security analytics are effective and capable of stopping today’s advanced
threats.
Extreme Flexibility to Task and Data
Security analytics must be ready and willing to take on any problem
presented to it. Strong and useful security analytics has to do more than
security software that merely detects simple intrusions. It must be able to
consider everything that could potentially be a problem. To do this it has
to be applicable to any source of data, be that a network, device, server,
user log, etc. Think of a broad range of use cases.
However, just being able to interface with these information silos is not
enough. Security analytics needs to analyze several different features of
the data – from metrics like response times or counts, to information
coming from users, hosts and agents. It also needs to be smart enough to
detect patterns like ‘beaconing’ and high information content in
communication packets – and then be able to draw conclusions about them and
form insights into what is actually happening and where.
In other words, to be successful, security analytics needs to be able to
use every data source, data feature and potential problem laid out in front
of it to detect unusual behaviors related to advanced attacks; then analyze
them and present results to the user.
Speedy, Accurate, Real-Time Analysis
With true security analytics implemented, the analysis should be fast –
giving results in near real-time, making the user feel like it is almost
automatic. Speed in processing of data is important when it comes to
security issues – as any delays in identifying problems can be quite costly
for companies, especially when an active data breach is occurring.
At the same time, while speed in processing is very important – it is
second to the most important element of security analytics processing:
security analytics needs to understand what it’s looking at and draw
conclusions about what is important to the end user.
With an ever-increasing amount of cyberattacks to worry about, it is easy
to see how IT managers are overburdened with alerts that flag a potential
breach or other issue that needs attention. Many of these issues are not
breaches or problems that even warrant immediate (if any) attention; but
with most security software that looks at signatures or ill-defined IOCs,
everything is flagged so that nothing is missed. This clearly works to the
advantage of the attacker that hides in the noise of the environment it is
operating within. With alert fatigue being a dominant complaint, it becomes
harder and harder for analysts to see through the waves of alerts many
advanced detection products emit.
Learns from the Past, Applies to the Future
Here is where machine-learning technology often enters the discussion.
There are limits to what typical security tools and a single human end user
can accomplish. There are only so many hours in the day to review alerts or
notifications – and once you start self-selecting which ones seem
important, you are already increasing the possibility that you miss a
critical notification. Furthermore, while many companies deploy rule sets
within their SIEM to aid in the filtering of highly relevant events, these
are limited to a static understanding of “what is problematic” and not
nearly as dynamic as a mechanism that could look to identify anomalies
based on detected patterns from baselines.
Machine learning helps security analytics take the analysis of potential
issues a step beyond seeing something and saying something. With machine
learning technology in place, security analytics can now see something,
correlate its significance and then ensure that it is only identifying the
most important items based on probability scoring on the data.
Machine learning is a critical part of most security analytics – it can
recognize and understand patterns, periodicity of data and anomalies within
the data, learning from each instance what is a normal behavior and where
the outliers are. This makes it possible for the IT manager to act on
every alert received, in order of its analytical relevance score, instead
of hoping he or she selected the correct ones.
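As an added illustration of the "beaconing" pattern mentioned under the flexibility section and the periodicity-based anomaly scoring described here (example code written for this edit, not from the article or any product it describes), the following Python script scores each (source, destination) pair in a constructed connection log by how regular its inter-connection intervals are. The log lines, hosts and thresholds are all made up for the demonstration.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log, one "timestamp src dst bytes" per line.
# The first pair connects every ~60 s with little jitter (beacon-like);
# the second pair is irregular, human-driven traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.7 512
1060 10.0.0.5 203.0.113.7 520
1121 10.0.0.5 203.0.113.7 515
1180 10.0.0.5 203.0.113.7 512
1239 10.0.0.5 203.0.113.7 518
1301 10.0.0.5 203.0.113.7 514
1003 10.0.0.9 198.51.100.2 40
1410 10.0.0.9 198.51.100.2 9000
1422 10.0.0.9 198.51.100.2 120
1900 10.0.0.9 198.51.100.2 300
2500 10.0.0.9 198.51.100.2 70
"""

def parse_log(text):
    """Group connection timestamps (seconds) by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _bytes = line.split()
        flows[(src, dst)].append(int(ts))
    return flows

def beacon_score(timestamps, min_events=5):
    """Return (score, mean_interval) or None if there are too few events.
    score = 1 - coefficient of variation of the inter-arrival intervals:
    close to 1.0 means near-perfect periodicity (beacon-like), close to
    0 means irregular timing. min_events avoids scoring tiny samples."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean == 0:
        return None
    cv = statistics.pstdev(intervals) / mean
    return max(0.0, 1.0 - cv), mean

def find_beacons(text, threshold=0.8):
    """List (pair, score, mean_interval) for pairs above the threshold,
    highest score first, so an analyst reviews the most periodic first."""
    hits = []
    for pair, ts in parse_log(text).items():
        result = beacon_score(ts)
        if result and result[0] >= threshold:
            hits.append((pair, round(result[0], 3), result[1]))
    return sorted(hits, key=lambda h: -h[1])
```

The threshold and minimum event count are the "tuning" knobs the article refers to; a baseline of what periodicity is normal for a given environment (for example, legitimate update checks) is what keeps such a score from becoming just another noisy alert.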
Ability to Scale
Security analytics should have an ability to grow and scale with
organizational growth. As businesses become more established and achieve
greater levels of success, the amount of data they generate, the number of
customers they have and the size of their operations all grow. This means
that the probability of being “targeted” by cybercriminals or hackers grows
as well. However, it is not always the biggest customers that are hit first
or most often; it is the ones that are least prepared to prevent and
detect attackers.
Security analytics needs to be able to handle all of these instances and
scale as required. An increasing amount of data should not faze strong
security analytics solutions. On the contrary, more data should add context
to an attack and lead to proper identification of an attacker's techniques.
Ease of Deployment and Understanding Results
This last item could easily be separated into two, but they are two sides
of the same coin. There are an increasing number of security
analytics-based products on the market, with many new entrants coming from
adjacent parts of the security space that incorporate analytics (many times
because they generate too much data to be useful). Ease of deployment and
understanding results comes down to achieving value on the analytics
performed.
It is increasingly important to be able to deploy ready-built and defined
“recipes” that are relevant to detect intrusions as part of security
analytics. This can be a bit of an iterative cycle to “tune” to the kinds
of customer data present, but a successful solution will be the one that is
the most flexible and aids in the tuning process.
To utilize security analytics, the results need to convey things like
attack progression and classification of threats that fit in with the
vernacular of the users. This aspect is often lost or left for the customer
to consume and display in his or her own dashboards. The assumption made by
many vendors is that there is an army of data scientists on staff at each
customer that can utilize the results to “tell the story” to the security
analyst. This is simply not the case. Therefore, you should look to shorten
the time to value and deploy smart, highly tunable security analytics that
speak the language of your security team.
Conclusion
The importance of security analytics cannot be overstated, especially as
data breaches, unfortunately, continue to dominate the headlines each day
and attackers come up with new, targeted means to circumvent prevention
technologies. This is why, to be successful, you first have to understand
the key elements of security analytics – to make sure what you implement
will check off all of the boxes that should be checked off, and you’re not
left wondering why your analytics solution isn’t finding everything it
should. By implementing a security analytics solution that closely aligns
with the five elements above, you will be in a better position to
short-circuit the next attack on your business.