With or without a security operations center, and whether your network is on premises, in the cloud, or a hybrid, you need to determine which events and indicators correlate with cyber attacks. Organizations today face a wider range and greater frequency of cyber threats than ever before. These threats can come from APTs (advanced persistent threats), cyberwarfare, promiscuous attacks through bots and botnets, script kiddies, malware-as-a-service sold via the Dark Web, or even internal attacks from entities within your organization. Everything from distributed denial of service (DDoS) attacks to cryptojacking, from man-in-the-middle attacks to spear phishing, from ransomware to data breaches, hits businesses of all sizes and in all industries constantly, every single day. It’s perfectly normal to find it all overwhelming!
But implementing the right tools and practices can help you make sense of the cacophony. That’s where cybersecurity analytics can be useful. Several years ago, security analytics became something of a buzzword, but it’s as relevant now as ever.
Cybersecurity data analytics explained
So what is it exactly? It’s actually quite simple.
Security analytics isn’t one particular type of tool or system. It is a way of thinking about cybersecurity proactively. It involves analyzing your network’s data from a multitude of sources in order to produce and maintain security measures. It’s all about aggregating data from every possible source and finding the “forests” that all of those “trees” of logs and other recorded details are part of. Being able to identify the “forests” makes it easier not only to put out the “forest fires” of cyber attacks, but also to prevent “forest fires” in the future.
Security analytics sources and tools
Here are some of the different types of data sources that can feed your cybersecurity analytics practice:
- Cloud resources
- User data acquired from endpoints
- Logs from network security appliances, such as firewalls, IPS, and IDS
- Network traffic and its patterns
- Identity and access management logs
- Threat intelligence
- Geolocation data
- Mobile devices and storage media connected via WiFi, Ethernet, and USB
- Antivirus applications
- Business-specific applications
Several types of tools pertain to cybersecurity analytics and can be deployed on your network. They include:
- Code analysis applications to find vulnerabilities in software and scripting
- File analysis tools to explore files in ways which may go beyond malware detection
- Log analysis applications for firewalls, IDS, IPS, networked print devices, servers, and endpoints
- SOC (security operations center) specific applications that organize data in a way that is useful for the SOC’s functions
- DLP (data loss prevention) tools
Security analytics use cases
Properly implemented cybersecurity analytics can not only improve your network’s security posture, but also help your organization meet regulatory compliance needs. Many industry-specific regulations require log data collection and activity monitoring; HIPAA and PCI DSS are just a couple of them.
It can even help show your organization’s stakeholders and management which security measures and policies are useful and worthy of investment.
Using an analytics approach and the right tools has the benefit of letting you look at cyber threat patterns over months or possibly even years, as long as your network data is properly stored and retained. It often helps to get a “big picture” view of what may be going on in your network.
Security analytics AI and machine learning
When AI is usefully deployed for cybersecurity analytics, it can scan your entire IT environment to find patterns and identify anomalies. Well-implemented AI can take much of the calculation and identification work off the shoulders of your human security analysts so that they can direct their efforts to areas where human thinking is more effective. People’s brains tire of repetitive and tedious work, whereas AI can process large volumes of tedious data without mental fatigue. The supposedly boring details won’t be missed by properly configured advanced computer systems!
Machine learning lets your AI and monitoring systems learn from the data and results that accumulate over time. It can be applied in both supervised and unsupervised forms according to your specific needs. Supervised machine learning analyzes structured, labeled data to learn clear rules and decision boundaries. Unsupervised machine learning analyzes unstructured or unlabeled data from sources such as your SIEM and general scans, finding clusters and outliers without being told in advance what to look for.
Well-deployed cybersecurity analytics systems and practices can actually augment and complement your SIEM. As Paul Reid wrote:
“Leveraging security analytics with SIEM as a data source provides the best of both worlds. The SIEM investment is protected and additional value is unlocked from the rich cyber log data stored there. Security analytics can now watch for those changes in behavior that may be indicative of an attack. These behavior changes create a set of cybersecurity leads that can be followed up on by your cyber hunters. The entities associated with the behavioral change can be examined in the SIEM to see what underlying activities could have caused the attack.
Ultimately, security analytics uniquely augments other existing security tools, not just your SIEM, but also data loss prevention, identity and access management, and other solutions.”
The most obvious direct application of cybersecurity data analytics to augment your SIEM that I can think of is identifying new data and event patterns in order to write better SIEM correlation rules. Cyber threats are constantly evolving and the threat landscape itself is constantly changing. You shouldn’t stick with one set of SIEM correlation rules from one year to the next, because some of them will become irrelevant or outdated. Your network security benefits both from tweaking the rules your SIEM already has and from creating new rules based on the data your cybersecurity analytics acquires, data which reflects how cyber attacks are changing.
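As an added illustration of that loop (this is hypothetical code written for this article, not from the author or any vendor product): authentication events from two assumed sources are aggregated per user, each day is compared against a baseline built from the other days, days that deviate become leads for analysts, and the clean baseline yields a threshold that can be written into a “failed logins per day” SIEM correlation rule. All counts, user names and sources are constructed sample data.

```python
"""Behavioral baseline over aggregated auth events -> leads + candidate SIEM rule.
Hypothetical example; the users, sources and counts are constructed, not real."""
import math
from collections import defaultdict
from statistics import mean, pstdev

DAYS = [f"2024-05-0{i}" for i in range(1, 8)]

# Constructed daily login_failure counts per user. Alice spikes on day 7; Bob is quiet.
SAMPLE_COUNTS = {"alice": [3, 5, 4, 6, 3, 5, 30], "bob": [0, 1, 0, 0, 1, 0, 0]}


def make_events(counts):
    """Expand counts into (day, user, source, event) tuples, alternating between
    an IAM log and a VPN appliance log to mimic aggregation across sources."""
    events = []
    for user, per_day in counts.items():
        for day, n in zip(DAYS, per_day):
            for i in range(n):
                events.append((day, user, "iam" if i % 2 else "vpn", "login_failure"))
    return events


def daily_failures(events, days=DAYS):
    """Per-user login_failure count per day across all sources; quiet days are
    kept as zeros so they shape the baseline too."""
    counts = defaultdict(lambda: {d: 0 for d in days})
    for day, user, _src, event in events:
        if event == "login_failure":
            counts[user][day] += 1
    return counts


def analyze_user(per_day, k=3.0, floor=5):
    """Leave-one-out z-score: each day is judged against the baseline of the other
    days, so a spike does not inflate the stdev used to judge it. The floor stops a
    user with a flat history from alerting on a single failure.
    Returns (suggested rule threshold, anomalous days)."""
    anomalous = []
    for day, value in per_day.items():
        rest = [v for d, v in per_day.items() if d != day]
        if value > max(floor, mean(rest) + k * pstdev(rest)):
            anomalous.append(day)
    clean = [v for d, v in per_day.items() if d not in anomalous] or list(per_day.values())
    threshold = math.ceil(max(floor, mean(clean) + k * pstdev(clean)))
    return threshold, anomalous


def suggest_rules(events, k=3.0, floor=5):
    """Map each user to (threshold for a 'failures per day' rule, days exceeding baseline)."""
    return {u: analyze_user(pd, k, floor) for u, pd in daily_failures(events).items()}


if __name__ == "__main__":
    for user, (threshold, days) in suggest_rules(make_events(SAMPLE_COUNTS)).items():
        print(f"{user}: rule threshold {threshold}/day, leads on {days}")
```

Re-running this over a longer retention window, as the article suggests, is what lets the threshold drift with real behavior instead of staying fixed from one year to the next.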
When used properly, good security analytics can improve every facet of your network’s security and help you keep up with how cyber attacks are evolving.