Analytics is the latest buzzword in IT, and it increasingly spans every component of IT systems. With use cases for gathering analytics on data, networks and user behavior, the possibilities for using this information seem endless.
But when it comes to drilling into this data to inform security decisions, is a massive volume of information, which may well include false positives, really that useful?
To avoid falling into an analytics trap, security professionals offer suggestions for how to configure security analytics so they drive meaningful, actionable insights for your organization.
Shape your environment to detect 'true positives' more often
Jeff Schilling, CSO, Armor: I am a proponent of ‘little data analytics.’ What I mean by this is shaping your environment to only look at the events that have the highest probability of being true positives. Block known threats before they even touch your security stack. You can accomplish this through IP reputation management or DNS monitoring/blocking. This will stop 80% of the non-targeted attacks against your enterprise.
Tune your Security Information and Event Management (SIEM) capability
Schilling added that many security teams get bogged down slogging through thousands of events that are deemed critical by your SIEM but turn out to be false positives, or just notifications that your security controls are working (e.g. a firewall rule fires). This might take professional services from your SIEM vendor to assist, but it is well worth the investment in the FTEs you save your security team from digging through non-critical alerts.
Focus your security on the most important part of your business. It is hard to convince business owners that not everything they do is worth protecting, and they struggle to tell you what is really critical to their business unit.
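The three ideas in Schilling's advice (drop known-bad sources before the analytic tier, stop routing "the control worked" events to analysts, and rank what is left by asset criticality) can be expressed as a small pre-SIEM triage stage. The following is an added example written for this article, not code from Armor or any SIEM vendor; the reputation ranges, control-confirmation signatures, asset criticality table and sample events are all constructed for illustration.

```python
"""Added example: a pre-SIEM triage filter in the spirit of 'little data analytics'.

Known-bad sources are dropped on reputation (but counted, so the block rate is
still a metric), events that only confirm a control fired are counted rather than
alerted, and the residue is ordered by asset criticality so analysts start with
the critical few. All lists and events below are constructed, not real data.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed reputation list (documentation ranges); in practice this comes
# from a threat-intel feed or DNS/IP reputation service.
BAD_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# (source, action) pairs that merely confirm a control is working. They are
# worth a dashboard counter, not an analyst's time.
CONTROL_CONFIRMATIONS = {
    ("firewall", "deny"),
    ("waf", "blocked"),
    ("av", "quarantined"),
}

# Constructed criticality map; unknown hosts default to 0.
ASSET_CRITICALITY = {"db01": 3, "dc01": 3, "web01": 2, "ws-bob": 1}


def is_known_bad(src_ip: str) -> bool:
    """True if the source address falls inside a known-bad network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in BAD_NETWORKS)


def triage(events):
    """Return (alerts, stats): alerts worth an analyst, plus counters for the rest."""
    stats = Counter()
    alerts = []
    for ev in events:
        if is_known_bad(ev["src_ip"]):
            stats["dropped_reputation"] += 1
            continue
        if (ev["source"], ev["action"]) in CONTROL_CONFIRMATIONS:
            stats["control_confirmed"] += 1
            continue
        alerts.append(ev)
    stats["alerts"] = len(alerts)
    # Highest-value assets first: analysts work the critical few, not the noise.
    alerts.sort(key=lambda ev: ASSET_CRITICALITY.get(ev["host"], 0), reverse=True)
    return alerts, stats


# Constructed sample events as a SIEM might normalize them.
SAMPLE_EVENTS = [
    {"src_ip": "198.51.100.7", "source": "firewall", "action": "deny",
     "host": "web01", "severity": "critical"},
    {"src_ip": "203.0.113.9", "source": "ids", "action": "exploit_attempt",
     "host": "web01", "severity": "critical"},
    {"src_ip": "192.0.2.10", "source": "firewall", "action": "deny",
     "host": "web01", "severity": "critical"},
    {"src_ip": "192.0.2.11", "source": "waf", "action": "blocked",
     "host": "web01", "severity": "high"},
    {"src_ip": "10.0.0.25", "source": "edr", "action": "process_injection",
     "host": "ws-bob", "severity": "critical"},
    {"src_ip": "10.0.0.31", "source": "auth", "action": "privilege_escalation",
     "host": "db01", "severity": "high"},
]


if __name__ == "__main__":
    alerts, stats = triage(SAMPLE_EVENTS)
    print("stats:", dict(stats))
    for ev in alerts:
        print(f"ALERT host={ev['host']} source={ev['source']} action={ev['action']}")
```

Of the six constructed events, four never reach an analyst: two are dropped on reputation and two are firewall/WAF confirmations that a control did its job. The two that remain are ordered so the database host is looked at before the workstation. The counters are kept on purpose: a reputation block rate that suddenly changes is itself a useful signal, even though the individual events are not.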
Catch threats in the early stages
Andrew Wertkin, CTO, BlueCat: As security threats continue to evolve through multiple attack vectors, relying solely on preventive methods to mitigate known risks is not sufficient. Security analytics has become an essential tool to perform forensic analysis after a security breach occurs. However, if executed properly, security analytics can help organizations identify suspicious behavior, both internally and externally, and proactively block potential threats before they can manifest, as well as providing early warning against threats that continue to evolve over time.
More data isn’t better
Stan Black, CSO, Citrix: Before building lakes, clouds, and clusters of security data, focus on your company’s purpose, such as identifying fraud, insiders, malicious actors, errors, misconduct and so on. Once you have prioritized a desired set of outcomes, then focus on what you don’t need to analyze. Technology does not commit cybercrime, people do. With this in mind, analytics often starts with role mining: empirically quantifying what users can, could, or should never do establishes a user baseline. By defining “known good,” security analytics refocus on the unknown and anomalies to uncover potential threats.
Decrease your influx of network security alerts
Ravi Devireddy, co-founder & CTO, E8 Security: Legacy security technologies that rely on one-size-fits-all thresholds/policies applied across the organization often result in too many alerts and false positives. Security analytics that do behavior modeling and baselining of what’s normal for each user, system, application and endpoint in the network bring the highest degree of accuracy to an organization’s threat prevention efforts. Detection of attacker activities, such as compromised credentials, command and control traffic, backdoors, and lateral movement inside the organization, is no longer lost in the noise.
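Black's "known good" baseline and Devireddy's contrast between a one-size-fits-all threshold and per-entity baselining are easiest to see side by side. The following is an added example written for this article, not code from Citrix or E8 Security. It builds a per-user baseline (hosts and hours of day seen during a training window) from a constructed authentication log, then scores a second day's logins two ways: a single global login-count threshold, and the per-user baseline. The users, hosts and timestamps are all constructed.

```python
"""Added example: per-user baselining versus a global threshold.

A service account that logs in every hour is normal for that account and
noise under a global threshold; a human user's first-ever login to a domain
controller at 03:12 is a single event that a global threshold never sees.
All log lines are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime


def make_log(day, user, host, hours):
    """Constructed helper: emit 'timestamp user host' lines for one day."""
    return [f"{day}T{h:02d}:{(7 * h) % 60:02d}:00 {user} {host}" for h in hours]


def constructed_training_log():
    """Five days of constructed 'known good' logins."""
    lines = []
    for d in range(1, 6):
        day = f"2024-03-{d:02d}"
        lines += make_log(day, "alice", "ws-alice", [9, 11, 14, 17])
        lines += make_log(day, "bob", "ws-bob", [8, 9, 16])
        lines += make_log(day, "svc-build", "build01", range(0, 24, 2))
        lines += make_log(day, "svc-build", "build02", range(1, 24, 2))
    return lines


def constructed_observation_log():
    """One constructed day to score: two planted anomalies among normal activity."""
    day = "2024-03-06"
    lines = make_log(day, "alice", "ws-alice", [9])
    lines += ["2024-03-06T03:12:44 alice dc01"]   # planted: new host AND unusual hour
    lines += make_log(day, "bob", "ws-bob", [8])
    lines += ["2024-03-06T09:05:10 bob fs01"]     # planted: new host at a normal hour
    lines += make_log(day, "svc-build", "build01", range(0, 24, 2))
    lines += make_log(day, "svc-build", "build02", range(1, 24, 2))
    return lines


def parse(lines):
    """Parse 'timestamp user host' lines into event dicts."""
    events = []
    for line in lines:
        ts, user, host = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host})
    return events


def build_baseline(events):
    """Per-user 'known good': the hosts and hours of day seen in training."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in events:
        baseline[ev["user"]]["hosts"].add(ev["host"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def global_threshold_alerts(events, limit):
    """Legacy rule: flag any user with more than `limit` logins in the window."""
    counts = Counter(ev["user"] for ev in events)
    return {user for user, n in counts.items() if n > limit}


def baseline_alerts(events, baseline):
    """Behavioral rule: flag each event that deviates from its own user's baseline."""
    alerts = []
    for ev in events:
        known = baseline.get(ev["user"])
        reasons = []
        if known is None:
            reasons.append("unknown_user")
        else:
            if ev["host"] not in known["hosts"]:
                reasons.append("new_host")
            if ev["ts"].hour not in known["hours"]:
                reasons.append("unusual_hour")
        if reasons:
            alerts.append((ev["user"], ev["host"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(constructed_training_log()))
    observed = parse(constructed_observation_log())
    print("global threshold (>10 logins):", global_threshold_alerts(observed, 10))
    for user, host, reasons in baseline_alerts(observed, baseline):
        print(f"baseline alert: {user} -> {host} ({', '.join(reasons)})")
```

On the constructed day the global threshold fires only on svc-build, whose 24 logins are exactly its normal pattern, and says nothing about alice or bob. The per-user baseline is silent on svc-build and raises two events: alice's 03:12 login to dc01 (new host and unusual hour) and bob's first login to fs01 (new host only, a weaker signal but the kind of host-to-host movement a hunter wants to see). A real deployment would add a minimum training volume per entity and age hosts out of the baseline, but the split between "normal for this entity" and "normal for everyone" is the whole point.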
Become a threat hunter
Devireddy adds that threat hunting is an emerging area in security operations, thanks to the use of security analytics. An important distinction from traditional security is that the goal of ‘threat hunting’ is not about detecting malware, but more about identifying an attacker’s presence, behaviors and movements, and containing that activity as quickly as possible. Security analytics enable threat hunting by providing visibility into behaviors, patterns, and anomalies across network, user, endpoint and application activities.
Leverage context to reduce incident response time
Security operations and incident response teams need context when investigating a security incident. Security analytics tools provide behavior intelligence context for security alerts and incident investigations. The ability to quickly and interactively analyze current and historical behaviors, patterns and anomalies across multiple data silos enables faster incident analysis, eliminating reliance on skilled resources and manual analysis (often using tedious search engines or clunky SIEMs).
First, narrow the attack scope, then complement with analytics
Lucas Moody, VP & CISO, Palo Alto Networks: Security analytics offers the promise of getting better and more effective at identifying and enabling quick response to threats, thwarting attackers and, ideally, getting the attackers to move on. While a noble outcome, the challenge to this strategy is scale. Security analytics as an outcome should live behind the objective of narrowing the scope of attack, with a strong strategic foundation in threat prevention. Organizations that take security seriously need to instigate a sea change in how we currently leverage technology, and implement stronger preventative controls. This in turn will enable analytics to address downstream risk in a manageable and scalable way. Strong threat analysts are hard to find, and they need to be working on the “critical few,” not the “noise.”
Beware of false positives
Ryan O’Leary, vice president, Threat Research Center, WhiteHat Security: Getting the right security metrics from a trusted source is one of the more difficult aspects of owning the security program at any company. Lots of companies say they offer security analytics but few offer meaningful proven security statistics. This is especially true in the web application space. The main problem is that security tools more often than not produce an incredibly high number of false positives. Before you purchase any analytics, make sure the company does vulnerability verification before statistics are done. Also, inquire about false positive rates so you can determine how accurate a company’s analytics will be.
Use analytics to support spending
O’Leary adds: One of the toughest parts about security is justifying spending on something that will produce no revenue whatsoever, and analytics can help with this. To justify spending, you need to know risk and financial implications. By using analytics, you can show the likelihood of an attack, and the costs to implement security and fix the issue.