When It Comes to Threat Detection and Incident Response, Context Matters
- 24 March, 2015 14:09
In an environment of unrelenting attacks, network packet capture and security analytics are essential for discovering an attack while it is in progress, for providing the intelligence needed to minimise the damage done, and for preventing future attacks.
CSOs should now be using security analytics tools for threat detection and incident response. These security analytics tools offer the analyst unprecedented access to data they have always logged and kept, but rarely used.
This also allows security professionals to explore data sets previously deemed too large and complex for everyday use, such as full packet captures of all network data. We are now seeing the emergence of tool sets that can not only deal with the incredible amount of information coming in daily, but can also be used to review older data.
The ability to look quickly into data from the past is gold for a security analyst: being able to see trends and spot previously missed threats means that analysts are finally moving from a reactive footing to one of informed preparedness.
This new generation of security analytics tools will undoubtedly make analysts more efficient and accurate in their analysis, but it will also mean that the analyst is reaching conclusions faster, contributing to the operational outcomes of security rather than “after action reporting” on incidents they have detected. We are now starting to see tools that can assist an analyst in identifying and following a long running and blended threat, where the tactics change and the attacker uses a variety of methods over a long period of time.
However, most organisations don’t know why they need security analytics in the first place. A year or so ago, the big buzz-term was “big data” and consequently every vendor announced a solution in the information management space, which only confused the market as to what was important and what was just hype.
Security analytics tools don’t actually eliminate the need for a Security Incident and Event Management (SIEM) system. SIEMs still have their place in most organisations, because they do an incredible job of coordinating a massive range of disparate information and events into a single interface that gives a security team a picture of what they face right now. However, the major concern is that they achieve this at the expense of context and data fidelity. They simply cannot be used to fully understand everything that happened during an incident, or to establish its extent and impact, especially if the attacker changes tactics and moves laterally during the attack. The functions of SIEM and Security Analytics will most likely merge in the future, but unfortunately we are not there yet.
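To make the context point concrete, here is an added illustration (not code from the article or from any Arbor product) contrasting a SIEM-style aggregate view with a retrospective pivot over retained, full-context connection records. The addresses, timestamps and event kinds are constructed, and the pivot rule is a simple heuristic assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of retained connection records (hypothetical addresses):
# (timestamp, source, destination, event kind). Full records keep the
# who/when/where context that a normalised, aggregated SIEM feed drops.
EVENTS = [
    ("2015-03-01T09:00:00", "10.0.0.5", "10.0.0.20", "smb_login"),
    ("2015-03-01T09:02:00", "10.0.0.20", "10.0.0.31", "rdp_session"),
    ("2015-03-02T11:00:00", "10.0.0.31", "10.0.0.40", "smb_login"),
    ("2015-03-02T11:10:00", "10.0.0.40", "198.51.100.7", "dns_txt_query"),
    ("2015-03-03T08:00:00", "10.0.0.9", "10.0.0.20", "http_get"),  # unrelated
]

def parse(events):
    return sorted((datetime.fromisoformat(ts), s, d, k) for ts, s, d, k in events)

def trace_extent(events, seed_host, seed_time, window=timedelta(days=2)):
    """Reconstruct the likely chain around a host confirmed compromised late.

    Heuristic pivot (assumed for this example): a connection INTO an involved
    host shortly before it became involved marks the source as an earlier hop
    (origin, found by looking back into history); a connection OUT of an
    involved host shortly after marks the destination as a later hop (extent).
    Iterates to a fixed point and returns the chain, oldest first, as
    (iso timestamp, src, dst, kind) tuples for the analyst to confirm.
    """
    evs = parse(events)
    involved = {seed_host: datetime.fromisoformat(seed_time)}
    chain = []
    changed = True
    while changed:
        changed = False
        for t, s, d, kind in evs:
            if d in involved and s not in involved and involved[d] - window <= t <= involved[d]:
                involved[s] = t          # earlier hop, found by looking back
            elif s in involved and d not in involved and involved[s] <= t <= involved[s] + window:
                involved[d] = t          # later hop, found by looking forward
            else:
                continue
            chain.append((t.isoformat(), s, d, kind))
            changed = True
    return sorted(chain)

def siem_style_summary(events):
    """Aggregate view only: counts per event kind, no ordering and no chain."""
    counts = defaultdict(int)
    for _, _, _, kind in parse(events):
        counts[kind] += 1
    return dict(counts)
```

Run with `trace_extent(EVENTS, "10.0.0.40", "2015-03-02T11:10:00")`: the summary reports the same five events as counts, while the trace recovers the four-hop chain and leaves the unrelated connection out.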
Companies that are holding back on adopting Security Analytics either still don’t fully understand the problem that it can solve, or have already made a bet on technology adjacent to this space (for example SIEM) and are still trying to realise the return on the previous spend. No one wants to spend a considerable amount in a particular area and then find that they missed a large piece of the puzzle, and that they are still not completely covered.
In my view, the key thing for organisations to consider when selecting and implementing Security Analytics solutions is to decide whether they are trying to understand their data statistically, looking for averages, trends and metrics to establish baselines, or whether they want to work in real time and understand what is happening now and what happened during past events, in order to plan better for the future.
Importantly, they really must be certain that their chosen Security Analytics system will scale, not just in terms of storage, but in how the search and query capability scales. If the solution loses performance as it grows, or as queries become deeper and more complex, it will be of no value for analytics, especially in real time. Collecting, storing and processing enough data, and doing so quickly and efficiently enough to achieve the required results, is essential.
When security professionals are deploying a Security Analytics solution, my number one piece of advice is to start small with modest requirements initially. Many data science projects fail because the breadth of requirements is so large that it is impossible to find an initial approach that can satisfy all of the requirements.
Ultimately, the organisations that are moving beyond SIEM systems and striving to understand the extent and impact of attacks through Security Analytics, rather than just the mere presence of those threats, are leading the way. The fact that they have switched their security strategy from reactive to one of informed preparedness will enable them to secure their networks and maintain their online presence.
About the author
Scott Crane is Director of Product Development (Security Analytics) for Arbor Networks, a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks. He was the CEO of Packetloop, a cloud-based Big Data Security Analytics and analysis platform that Arbor acquired in 2013. Scott is an information security advocate focused on the analytics space. He has extensive experience in perimeter security architecture and implementation, having spent the majority of his 20 year IT and security career designing and implementing banking perimeters in Australia and Asia.