The nature, scale, and diversity of the cybersecurity threats that the modern organization faces means leveraging the power of automated security tools is a necessity.
Large enterprises can generate billions of distinct system logs and events each day. Manually poring through such information is impossible. Security software and automated tools make the process of sifting through such security data quick and efficient. Among the different categories of cybersecurity tools an organization could use to enforce their security policies, security analytics software is among the most critical.
But what is the definition of security analytics?
Security Analytics Definition
Security analytics is the systematic capture, filtering, aggregation, analysis, and monitoring of security data and threats. Security analytics tools, therefore, incorporate a diverse set of methodologies and data sources into their threat detection algorithms in order to better detect and defend against cyberattacks. Security Information and Event Management (SIEM) tools are some of the early providers of basic security analytics. Many are adapting broader security analytics capabilities to become “next-gen” SIEMs.
The sources of security information collected by security analytics tools include, among other things, network traffic, endpoint data, user behavior, business applications, cloud-based resources, user identity and access data, and third-party threat intelligence.
The Different Approaches Security Analytics Tools Use
Security analytics tools can use several methods to detect a threat to an organization’s systems and data. Most tools will employ a combination of algorithmic methods in order to ensure defense in depth and minimize the likelihood of anything falling through the cracks. Each method has strengths and weaknesses. Some are only effective when applied within a certain regime. The methods may also be sensitive to changes in the speed, scale, and sophistication of the data.
Nevertheless, these various approaches to security analytics aren’t all equally effective. They have divergent degrees of scope and accuracy, including in the number of false negative and false positive alerts they generate. Enterprises concerned with their security, risk, and governance should carefully evaluate their security analytics options to determine the right solution. We’ll look at the major algorithmic techniques that security analytics tools use and then focus on the technique that many security professionals consider the most effective for real-time threat detection—event correlation and pattern matching.
Rule matching is the most basic approach to security analytics. Every security analytical tool must have some form of rule matching at its core. Rule matching, as the name suggests, is about defining and enforcing certain clear rules of security success and failure. For instance, three failed logins would be flagged as a notable incident. The use of administrator accounts outside official business hours could also be recorded as an anomaly.
The foundation of an effective cybersecurity strategy rests on these basic rules. Nevertheless, rules are limited because it’s impossible for security administrators to fully envisage every scenario that could constitute an anomalous event. Rule matching can therefore only address the basics of security analytics and must be supported by the more advanced analytics algorithms we discuss below.
Basic Statistical Anomaly Detection
Basic statistics is an improvement of rule matching. It follows simple rules of averages, medians, variances, standard deviations, and thresholds. For example, if the occurrence of a certain type of activity exceeds the average by 10 percent or more, then an alert for a system anomaly would be sent out.
The basic statistics approach is most effective where the number of log and event entries generated daily aren’t that large. However, basic statistical algorithms are prone to generating a high number of false positives which can see the number of alerts quickly become overwhelming and thus unmanageable and useless.
Basic statistical algorithms are still woefully inadequate in identifying anomalies in the enormous, varied, and complex pool of security data generated by enterprise systems such as virus scanners, firewalls, intrusion prevention systems, and business applications. The data to be analyzed includes emails, packet streams, malicious executable files, unauthorized user activity, and various other types.
Computational statistics algorithms use a number of sophisticated mathematical models to pick up suspicious activity. These models include topological data analysis, graph-based learning, and probability density estimation.
Multi-stage cyberattacks use distributed and diverse tactics to evade detection and circumvent existing defenses in an attempt to establish themselves and exploit their target. Stand-alone enterprise security tools, such as antimalware, email security, spam filters, data loss prevention software, and firewalls, are designed to detect a specific element of this kind of broad-based attack. This places the burden on security administrators to manually piece together the wider picture.
To get around such blind spots of multi-stage attacks and reduce the need for manual intervention, security analytics tools will often apply some degree of machine learning and behavioral analysis. Machine learning is far more technologically advanced than the previous approaches we’ve discussed. It can help threat detection capabilities evolve with the changing technology environment, and in many cases it can “learn” what constitutes an anomaly or a suspicious activity to reduce false positives and false negatives. This can greatly increase the speed and accuracy of the threat hunting, investigation, and remediation processes. It can also enable greater capabilities in predictive analytics.
Focus on Event Correlation
In many ways, machine learning algorithms for security analytics can provide threat insights that no other security analytics tool can. It is a relatively new technology facing early adoption, and its full capabilities are still being explored, so it is often recommended as a valuable, insightful, supplementary security tool. Event correlation and pattern matching, on the other hand, is an older but more established and proven analytics technique.
Definition of Event Correlation
Correlation is a time-tested technique for system security and performance monitoring and is considered the most effective tool for real-time detection of established threats and attack patterns. It involves taking data from system logs and events then automatically analyzing it to identify any patterns and relationships between the events that could threaten enterprise systems and data.
Based on the results of the correlation, the security analytics tool would send out alerts to security administrators or trigger certain automated remedial actions as defined by users. It offers analysis into a wide variety of event types and security tools, making it one of the most effective methods for quickly detecting the underlying threats across your network and defensive layers and resolving them before they can cause significant damage to the business.
Example of Correlation
Think about an application or OS user account that has lay dormant for months or years, though it has never been closed or deleted. If there’s suddenly multiple login attempts involving the account, as well as a stream of suspicious commands running through the organization’s network, systems, and data, event correlation can associate these two different events and send out an alert that a cyberattack may be in progress.
The login attempts would be especially noteworthy if, among the many failed attempts involving the dormant account, one is successful. What if just before the login attempts started, a port scan had taken place? What if the IP address of the port scanning tool and the origin of the login attempts is identical? The correlation algorithm will continue to incorporate more events, build a clearer picture of the unfolding attack and heighten the alert level as more concerning patterns are detected.
Remember that this correlation is taking place in the context of millions or billions of events per day. This sea of security data ranges from informational to critical. Manually comparing these events would therefore be virtually impossible. Security analytics tools speed up the process of piecing together these seemingly disparate events and identifying the root cause.
Benefits of Correlation
Correlation delivers a more comprehensive, contextual, and logical analysis of events. It’s about converting raw disparate system logs into actionable alarms, notifications, and reports. This helps security analysts make more informed decisions on appropriate investigative and remedial action. Some of the specific advantages of security analytics correlation are as follows.
Security breaches, system failures, and operational difficulties caused by a cyberattack can have a profoundly negative impact on the business. Active correlation helps security administrators identify security threats quickly and keep the company’s technology assets safe.
Networks carry diverse traffic. The scale and complexity of data packets can make it hard to pick up an evolving multi-faceted attack. Security analytics correlation ensures networks are monitored constantly and automatically, so that any failures that could affect the delivery of enterprise goods or services can quickly be identified and rectified.
Reduction in Security Operations Costs
Correlation tools automate the analysis of large volumes of log and event data. By doing so, they minimize the false positives security administrators would otherwise have to sift through in order to unearth legitimate threats. Some correlation based SIEM tools also come with triage abilities and can assign risk rankings to each threat to help prioritize analyst attention on the most risky activities and alerts.
This efficiency means a reduction in the employees needed to monitor and act on security threats, which is particularly valuable due to the current lack of skilled security professionals in the market. Administrators also spend less time on investigation and therefore have more time to contemplate the ways they can improve the existing security architecture.
Regular Compliance Reports
Multinational, federal, state, and local regulators may issue system and data security laws that determine how organizations should handle sensitive data and protect their IT systems. Specific rules can be developed and fed into most correlation analytics engines, to help ensure continuous compliance with relevant regulations and to facilitate with audits.
Compliance reports can thereafter be generated on demand to show the security threats identified over a given timeframe and the steps taken to resolve them.
Your choice of a security analytics tool for your business can make the difference between ensuring the security of your enterprise systems and getting overwhelmed by the volume of security information. Choose security analytics software that employs multiple strategies to detect threats and trigger remedial response.
Most important though, make sure the security analytics software you choose uses a correlation engine that can compare multiple events and identify a common cause. As the scale and complexity of enterprise technology infrastructure becomes ever more complex, the need for scalable, next-gen security analytics correlation intelligence will only continue to grow in significance.