MAKING SECURITY ANALYTICS WORK FOR YOUR ORGANIZATION
In recent years, there have been significant changes in hackers’ motivations and the ways they approach their objective(s). Whereas malware used to be the common focus, we now see hackers utilizing legitimate tools in combination with stolen credentials. As a result, many of today’s threats cannot be detected without deep insight! Analyzing the tremendous volume of data that is constantly being generated is, however, a mammoth challenge, so advanced data analytics is imperative for cutting through the bulk of the data to identify patterns and uncover threats.
Is Data Analytics Just a Rebranding of SIEM?
There are big differences as well as some similarities. Generally speaking, a Security Information and Event Management (SIEM) solution is exactly what the name says: it absorbs machine data generated from your security devices, infrastructure, servers and clients and, based on these, runs a set of rules or instructions defining what is recognized as a security incident. This could be anything from an alert saying that a client was not able to update its anti-virus engine to a more serious alert indicating an attack.
A general issue, though, is that most SIEM solutions base many of their alerting capabilities on the events received from the platforms deployed, and if those platforms are not configured properly to log and forward them, you may miss out on very important events.
Data analytics is very different in the sense that these solutions are deployed to alert based on the behavior observed, and potentially even on changes in this behavior. This can be applied both to the actual network traffic and to the events received from the SIEM solution. There is no doubt that as Incident Management evolves, technologies such as data analytics will play a key role.
In fact, a lot is happening in the Incident Management area, and a new term called SOAPA is starting to pop up. This stands for Security Operations Analytics Platform Architecture. In this architecture, SIEM is one element, but the data analytics you apply to events is also a key element.
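To make the contrast above concrete, here is an added example (not code from the original post or from Help AG) that runs a static SIEM-style rule and a per-user behavioral baseline over a constructed set of logon events. The event fields, the process names and the `hour_slack` tolerance are assumptions; the point is that a legitimate tool used with stolen credentials slips past the rule but not the baseline, while a known-bad process does the opposite.

```python
"""Rule-based vs. behaviour-based detection over constructed logon events."""
from collections import defaultdict

# Constructed sample events: (user, source_host, process, hour_of_day).
BASELINE_EVENTS = [  # historical, assumed-benign activity used for learning
    ("alice", "ws-alice", "outlook.exe", 9),
    ("alice", "ws-alice", "excel.exe", 10),
    ("alice", "ws-alice", "outlook.exe", 14),
    ("bob", "ws-bob", "chrome.exe", 9),
    ("bob", "ws-bob", "powershell.exe", 11),
]
NEW_EVENTS = [
    ("bob", "ws-bob", "powershell.exe", 10),        # normal for bob
    ("alice", "srv-finance", "powershell.exe", 3),  # legit tool, odd host/hour
    ("alice", "ws-alice", "evil.exe", 10),          # known-bad process name
]

# A SIEM-style static rule: fire only on a known-bad process name.
KNOWN_BAD_PROCESSES = {"evil.exe"}  # constructed signature list

def rule_alerts(events):
    """Signature matching: misses anything not on the list."""
    return [e for e in events if e[2] in KNOWN_BAD_PROCESSES]

def build_baseline(events):
    """Per-user profile learned from history: hosts seen and hours seen."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for user, host, _proc, hour in events:
        hosts[user].add(host)
        hours[user].add(hour)
    return hosts, hours

def behaviour_alerts(events, baseline, hour_slack=2):
    """Flag deviations from the learned profile, with the reasons.
    A user with no baseline at all is treated as anomalous on both counts."""
    hosts, hours = baseline
    alerts = []
    for user, host, proc, hour in events:
        reasons = []
        if host not in hosts[user]:
            reasons.append("new source host")
        if all(abs(hour - h) > hour_slack for h in hours[user]):
            reasons.append("unusual hour")
        if reasons:
            alerts.append((user, host, proc, reasons))
    return alerts
```

Neither detector alone covers both events, which is the argument for running analytics on top of the SIEM rather than instead of it.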
Selecting the Right Security Analytics Platform
First, you need to consider your platform and architecture in your network. Most data analytics platforms are based on receiving raw packet-captures from within the infrastructure and then applying some form of algorithm or even artificial intelligence to identify threats. This means the placement of the devices becomes extremely important.
Other solutions base their learning on flow information instead, which can be generated by multiple devices in the network such as firewalls, routers and even user switches and wireless access points. These solutions may not have the same deep view, but they compensate by covering the infrastructure in a much more complete way.
Security analytics should be treated as three integrated sections: the capture of critical information from the large number of events generated by security devices such as firewalls, IPS, etc.; the feeding of this information to security controls; and finally learning from shortcomings to mitigate future threats. A comprehensive security analytics solution must therefore incorporate each of these segments to be of value to the organization.
Sources of Threat Information
With the correct systems in place, you must then decide which threat feeds to subscribe to, and this is a tricky decision, as the view of a threat is very dependent on the eye of the beholder. If you buy a US-produced threat feed, it will look very different from a European one.
And then there is of course the question of how you can absorb multiple sources into one environment and create your own aggregate of threat information. In Help AG’s Managed Security Services environment, we do not rely on only one feed, but actually integrate multiple open-source, commercial and self-generated sources of threat information. We load all of this into our Threat Information Platform (TIP) and then generate blocklists for our environments as well as security use-cases for our event management platforms. We especially utilize a solution from a company called ThreatQuotient, which allows us to absorb both structured and unstructured data sources. As an example, an IP address, domain information, or even a registry entry from an event in our SIEM can easily be published as a threat indicator from a single console.
Dealing with threat information is a really important element, and automating its distribution is becoming a really important parameter, especially when dealing with multiple feeds and sources.
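The aggregation described above, as an added example that is not Help AG’s or ThreatQuotient’s code: one structured feed, one unstructured text report and one self-generated indicator published from a SIEM event are normalized into a single indicator set that records which sources corroborate each entry, and a blocklist is derived from the network indicators that meet a minimum-source threshold. The feed contents, source labels and the `min_sources` threshold are constructed assumptions.

```python
"""Aggregate several threat feeds into one indicator set and derive a blocklist."""
import re
from collections import defaultdict

# Constructed sample feeds (documentation IP ranges and example domains).
STRUCTURED_FEED = [  # e.g. a commercial feed already parsed from JSON
    {"type": "ipv4", "value": "203.0.113.10"},
    {"type": "domain", "value": "Bad.Example.NET"},
]
UNSTRUCTURED_FEED = """Open-source report: the sample beaconed to
203.0.113.10 and bad.example.net; a second host 198.51.100.7 was seen."""
SIEM_INDICATORS = [  # self-generated, published from an event in the SIEM
    {"type": "registry", "value": r"HKCU\Software\Example\Persist"},
    {"type": "ipv4", "value": "198.51.100.7"},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def normalize(itype, value):
    """Canonical form so the same indicator from two feeds collapses to one key.
    Registry paths keep their case; network indicators are lower-cased."""
    value = value.strip()
    return (itype, value if itype == "registry" else value.lower())

def parse_unstructured(text):
    """Pull IPs and domains out of free text (an unstructured source)."""
    found = [("ipv4", m) for m in IPV4_RE.findall(text)]
    found += [("domain", m) for m in DOMAIN_RE.findall(text)]
    return found

def aggregate():
    """Map each normalized indicator to the set of sources reporting it."""
    sources = defaultdict(set)
    for ind in STRUCTURED_FEED:
        sources[normalize(ind["type"], ind["value"])].add("commercial")
    for itype, val in parse_unstructured(UNSTRUCTURED_FEED):
        sources[normalize(itype, val)].add("open-source")
    for ind in SIEM_INDICATORS:
        sources[normalize(ind["type"], ind["value"])].add("siem")
    return dict(sources)

def blocklist(aggregated, min_sources=2):
    """Network indicators corroborated by at least min_sources feeds,
    ready to push to firewalls or DNS controls as a blocklist."""
    return sorted(val for (itype, val), srcs in aggregated.items()
                  if itype in ("ipv4", "domain") and len(srcs) >= min_sources)
```

Host-based indicators such as the registry entry stay in the aggregate for use in SIEM use-cases but are deliberately kept out of the network blocklist.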
There is no doubt today that organizations are becoming more and more risk averse and more risk aware! With this transition, risk mitigation is becoming a real business parameter. Business leaders are always looking for the most efficient way of dealing with an issue, and Security Analytics can deliver a more efficient response to the cyber security challenges that organizations face today.
Blog by:
Nicolai Solling, CTO at Help AG