To solve this problem, many organizations have turned to Security Information and Event Management (SIEM) software products and services. SIEMs have succeeded in helping organizations aggregate disparate sources of data from their IT estates. However, they have failed to deliver on the promise of keeping organizations safe. Looking only for patterns of nefarious activity derived from previously seen attacks, by means of rules and signatures, is not sufficient to detect well-crafted targeted attacks that have not been seen before. While relying on rules and signatures is a fine approach for identifying known threats, it is not a sound or reliable approach to finding new or unknown threats.

Many organizations now start from the assumption that at some point they will be breached. They therefore focus on their ability to detect threats effectively and efficiently and to respond to threats already inside their network. Given the limitations of rules- and signature-based approaches, it is becoming more widely accepted that Security Analytics needs to start hunting for threats, not just react to them.
Security Analytics describes a wide range of capabilities, and the truth is that the industry is still determining how to define it precisely. This is apparent from the continuing reclassifications of threats and capabilities by the various analyst firms that observe the cyber security industry. There is no real surprise in this lack of clarity, because the market is still rapidly evolving, not to mention that analytics might not be the compliance professional’s strong suit. But there are some key characteristics that can be used as a checklist for evaluating whether a given solution can truly be described as Security Analytics and will deliver the desired benefits.
What solution should I look for?
Detection techniques should not rely on simply looking for patterns of nefarious activity derived from previously seen attacks. They must also look for the “potentially bad,” not just the “known bad.” This involves running complex algorithms across potentially very large volumes of data. The algorithms should be focused on the general case of the attack technique, not the specifics of a known attack. They must also look across a time range, not at a single point in time.

With the ongoing threat of ransomware and exfiltration of data, companies must have visibility into ongoing attacks as soon as possible; this is why detection in near real-time is desirable. It is important to note that this approach can increase the cost of monitoring and the number of alerts analysts must triage. However, it is equally important to know that, if properly implemented, analytics can limit the impact of a breach and hasten the time to remediate. Processing data more quickly than is typically accomplished in batch-based approaches helps ensure attacks are detected as early as possible. On the other hand, a batch-based process is valuable too, as it offers the ability to uncover patterns over time that may not be as easily found by looking at reduced slices of data. Organizations should look to combine batch and near real-time approaches to enhance detection capabilities.
For example, let’s consider a case where Security Analytics can address unwanted website referrals by compromised sites, a rather common concern. When users browse a compromised website, the website will often redirect users to other pages or websites, either automatically or based on links clicked by the user. The way users move (or are automatically moved) from one site or page to another is called a website referral.

Website referrals are often used to breach defenses, since attackers can use them to redirect users to sites under their control. The objective of the attacker is typically either to install malicious software onto a user’s machine or to prompt the user to enter sensitive information that the attacker can harvest. Machine Learning algorithms can track website referrals to gain an understanding of what normal referrals look like. When referral patterns deviate from the expected norms, this activity can be identified and investigated. In this example, Machine Learning is required to keep track of the dynamic nature of valid website referrals and to quantify the risk of any given referral.
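The following Python example is added here to illustrate the referral baselining just described together with the combined batch and near real-time approach recommended above; it is not code from the original paper or from any product. It learns the normal referrer-to-destination pairs from constructed historical proxy records, scores each new referral as it arrives (the near real-time pass), and then runs a batch pass over the whole window to spot a familiar site that has started sending users to several never-seen destinations. The record layout, the risk tiers and the alert threshold are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

def domain(url):
    """Normalise a URL to its host; an empty referrer is a direct visit."""
    return urlparse(url).netloc.lower() or "direct"

def build_baseline(logs):
    """Learn 'normal': referrer->destination pair counts and every destination reached."""
    pairs, known_dst = Counter(), set()
    for _ts, _user, ref, dst in logs:  # assumed record layout, see below
        pairs[(domain(ref), domain(dst))] += 1
        known_dst.add(domain(dst))
    return pairs, known_dst

def score_referral(baseline, ref, dst):
    """Risk in [0, 1]: never-seen destination > never-seen pair > rare pair (assumed tiers)."""
    pairs, known_dst = baseline
    r, d = domain(ref), domain(dst)
    if d not in known_dst:
        return 1.0
    if (r, d) not in pairs:
        return 0.6
    outbound = sum(c for (rr, _), c in pairs.items() if rr == r)
    return round(1.0 - pairs[(r, d)] / outbound, 2)

def stream_alerts(baseline, events, threshold=0.5):
    """Near real-time pass: score each referral as it arrives and alert above threshold."""
    return [(user, domain(ref), domain(dst), s) for _ts, user, ref, dst in events
            if (s := score_referral(baseline, ref, dst)) >= threshold]

def batch_suspect_referrers(baseline, events, min_new_dst=2):
    """Batch pass: a familiar site now sending users to several unseen destinations."""
    _, known_dst = baseline
    new_dst = defaultdict(set)
    for _ts, _user, ref, dst in events:
        if domain(dst) not in known_dst:
            new_dst[domain(ref)].add(domain(dst))
    return sorted(r for r, ds in new_dst.items() if len(ds) >= min_new_dst)

# Constructed sample proxy records: (time, user, referrer, destination).
BASELINE = [("09:00", "alice", "https://news.example", "https://cdn.example/a.js"),
            ("09:01", "bob", "https://news.example", "https://cdn.example/b.js"),
            ("09:02", "carol", "https://news.example", "https://ads.example/1"),
            ("09:03", "alice", "", "https://intranet.example/")]
TODAY = [("10:00", "bob", "https://news.example", "https://cdn.example/a.js"),
         ("10:05", "alice", "https://news.example", "https://free-update.test/x"),
         ("10:06", "carol", "https://news.example", "https://login-verify.test/y"),
         ("10:07", "bob", "https://news.example", "https://intranet.example/")]
```

Running `stream_alerts(build_baseline(BASELINE), TODAY)` flags the two never-seen destinations and the unusual referral into the intranet, while `batch_suspect_referrers` singles out news.example as the likely compromised site; a human still has to confirm each alert, as the paper notes.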
The use of Security Analytics to look for unknown attacks adds an effective layer to the overall approach to detection and prevention. However, don’t forget that the alerts that are generated are not always an indication of malicious activity and require further investigation. Security Analytics solutions that effectively look for unknown or difficult-to-find attacks require a human (at least for now) in the loop to assess the identified activities and related alerts. These Security Analytics “threat hunters” need the internal and external context that is obtained from a wide range of data sources to be most effective. For example, some of the sources to include are threat intelligence, network traffic, endpoint activity, DNS data, AD logs and firewall logs. The data needs to be easily and quickly accessible so that the analytical thread can be followed to conclusion.
I’m ready for the hunt, how do I get started?
While Security Analytics has an important role in defending against the unknown threats to critical assets, a comprehensive business defense must be built on a solid foundation. An organization that jumps to defending itself from unknown threats but overlooks security fundamentals leaves itself vulnerable to known threats. The choice of when to implement a Security Analytics solution is driven by analysis of the risks to an organization and the maturity of the security capabilities currently in place. If the risks are high but the security fundamentals (log management, implementation and testing of an Incident Response plan, and monitoring for known threats) are not yet in place, the first step is to address the fundamentals.

If the foundation is operating effectively and efficiently and an organization’s risk assessment indicates the need to mitigate the risk from the most sophisticated threats, then Security Analytics could be where the next investment is needed.
A program to implement a Security Analytics solution should be driven by an understanding of risk. One of the dangers in