A layered cybersecurity strategy means that if an attack gets past one solution, another will be able to pick up the slack as a failsafe. Defending against bad actors requires various layers of security controls and detection techniques to identify potential threats. To do this, SecOps teams need a variety of tools and techniques to process and correlate the enormous amount of historical and real-time security data that they ingest every day. They do this to get the insights required to keep their organization's assets secure from cyber threats.
Security analytics is playing a growing role in SOCs as a way of discovering unseen or hidden patterns through learnings from historical data. Analytics also brings to bear sophisticated, intelligence-driven tactics for real-time investigation of both known and unknown vulnerabilities, immediate access, evidence visualization, and additional advanced tools and practices that reduce the potential risk of cybersecurity threats. We believe what’s required are layers of analytics, including a next-generation SIEM (like ArcSight ESM), user and entity behavior analytics (ArcSight Intelligence), and an open architecture to integrate with the broader set of analytics tools in use by SOCs.
As reported in the 2020 State of Security Operations report we sponsored, over 93% of the organizations surveyed use Machine Learning and AI-based SecOps products. These products are mainly being used to improve detection capabilities. Detecting advanced threats is the #1 reason. Detecting data loss/exfiltration attempts, accelerating security investigations, and detecting insider threats are also common reasons.
The majority of SOCs recognize there is room for improvement with their security analytics initiatives. According to the SANS Institute, almost 56% are "not satisfied" with the maturity of their analytics software. SOCs are tuning what they have and exploring options in an attempt to improve their capabilities. The days of a single vendor meeting all of their needs are gone. A common security analytics and operations platform architecture (SOAPA) is needed to integrate data from multiple security tools. Whatever the SOC is already in using, we have an opportunity to plug in our solutions too.
ArcSight’s pluggable analytics can leverage an organization’s common data bus and Big Data storage implementations as a means of collecting events, analyzing data, and outputting focused insights. These insights can then be easily shared with other analytics and monitoring technologies within a SecOps value chain.
While ArcSight can act as a holistic, turnkey, Big Data and advanced analytics platform, the analytics component can be separated from its big-data storage to be used independently with other big-data platforms such as Splunk, Hadoop, and Elastic. This flexible and pluggable analytics solution enables SecOps team to customize a platform that addresses their unique needs and requirements.
To learn more check out this new White Paper, 360 Analytics for a Resilient SOC: Layered Analytics for Faster Detection and Increased Productivity.
Have technical questions about Security Operations? Visit the ArcSight User Discussion Forum. Keep up with the latest Tips & Info about Security Operations. Do you have an Idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.