Security analytics is a proactive approach to cybersecurity that uses data collection, aggregation and analysis capabilities to perform vital security functions — including detecting, analyzing and mitigating cyberthreats. Security analytics tools such as threat detection and security monitoring are deployed to identify and investigate security incidents or potential threats such as external malware, targeted attacks and malicious insiders.
With the ability to detect these threats at early stages, security professionals have the opportunity to stop them before they infiltrate network infrastructure, compromise valuable data and assets or otherwise cause harm to the organization.
This article explores the features and benefits of a security analytics platform, the most significant security threats to your organization, various security approaches, and how security analytics can help you proactively prevent attacks and keep your environment safe.
Security platform features and benefits
Security analytics is the application of data analytics to the cybersecurity realm of your organization.
A security analytics (SA) platform, then, is a combination of tools that provide proactive network security functions including detecting, monitoring and analyzing various security events, attacks and threat patterns — all working together within a single application and using the same underlying data structures. Security analytics platforms are also scalable, with the ability to accommodate increasingly larger networks and numbers of users as the business grows.
Security analytics solutions aggregate data from numerous sources that include:
- Endpoint and user behavior data
- Business applications
- Operating system event logs
- Virus scanners
- External threat intelligence
- Contextual data
Combining and correlating this data gives organizations one primary data set to work with, allowing security professionals to apply appropriate algorithms and run rapid searches to identify early indicators of attack (IoAs). Those IoAs can come from all kinds of sources, and security analytics platforms provide features for gathering, normalizing and cataloging the relevant network data.
Types of security analytics tools
While feature sets vary, many security analytics platforms offer the following capabilities:
- User and entity behavior analytics (UEBA)
- Automated or on-demand network traffic analysis
- Threat intelligence
- Application access and analytics
- DNS analysis
- Email analysis
- Identity and social persona
- File access
- Geolocation, IP context
These capabilities come from the variety of tools that comprise the larger security analytics platform. Some standard security analytics tools include:
- Behavioral analytics: Behavioral analytics examines the patterns and behavioral trends of users, applications and devices to identify abnormal behavior or otherwise detect anomalies that could indicate a security breach or attack.
- External threat intelligence: An external security services firm may offer threat intelligence as part of its portfolio. While not security analytics per se, TI platforms supplement the analytical process.
- Forensics: Forensic tools are used to investigate past or ongoing attacks, determine how attackers infiltrated and compromised systems, and identify cyberthreats and security vulnerabilities that could leave an organization susceptible to a future attack.
- Network analysis and visibility (NAV): NAV is a collection of tools that analyze end-user and application traffic as it flows across the network. NAV may also be referred to as network security monitoring (NSM).
- Security information and event management (SIEM): Security information and event management combines a series of tools to provide real-time analysis of security alerts generated by network devices and applications.
- Security orchestration, automation and response (SOAR): Security orchestration, automation and response (SOAR) is a hub that ties together data gathering capabilities, analysis and threat response.
A security analytics platform may comprise any number of these tools, and is often enhanced with newer technologies such as AI and ML.
How unified analytics empowers security tools
One approach that’s seeing more popularity among cybersecurity professionals is the concept of unified security analytics.
Unified security analytics is an approach that applies machine learning, anomaly detection and predictive risk scoring to the collected data in order to identify behavioral aberrations and suspicious activities that might indicate the presence of security threats.
Unified security analytics generates a consolidated, dynamic risk score for every incident or detected activity. Models are pre-configured to predict and detect threats; this configuration may be informed by:
- Use case
- Industry vertical
- Threat framework
- Compliance regulation requirements
Because these contextual alerts are prioritized by anticipated risk and surface threats as they occur, unified security analytics can help mitigate some of the most serious security threats before attackers can inflict damage.
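The following Python is an added example, not code from the original article or from any Splunk product, of the consolidated risk-scoring idea described above. Each low-fidelity detection contributes a base score, the score is weighted by how critical the affected asset is (the "contextual data" source listed earlier), and an entity only becomes a notable when its aggregate score over a look-back window crosses a threshold, or when its detections span several threat-framework tactics, which is evidence of an attack progressing rather than a one-off. The entity names, rule names, scores, thresholds and the asset-criticality table are all constructed for illustration.

```python
"""Risk-based alerting: consolidate many low-confidence detections into one
per-entity risk score, weighted by asset context, and alert on the aggregate."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset context: how much a given entity's compromise matters.
ASSET_CRITICALITY = {
    "dc01": 3.0,      # domain controller
    "fin-db": 2.5,    # finance database
    "ws-0412": 1.0,   # ordinary workstation
}

# Constructed detections. Each is a low-fidelity "risk event": on its own none
# justifies paging an analyst. Tactic labels follow MITRE ATT&CK tactic names.
DETECTIONS = [
    {"ts": "2024-05-01T08:02:00", "entity": "ws-0412", "rule": "macro_spawned_powershell",
     "tactic": "Execution", "score": 20},
    {"ts": "2024-05-01T08:03:10", "entity": "ws-0412", "rule": "encoded_powershell_cmdline",
     "tactic": "Defense Evasion", "score": 15},
    {"ts": "2024-05-01T08:09:44", "entity": "ws-0412", "rule": "lsass_memory_read",
     "tactic": "Credential Access", "score": 30},
    {"ts": "2024-05-01T08:15:02", "entity": "ws-0412", "rule": "smb_admin_share_logon",
     "tactic": "Lateral Movement", "score": 25},
    {"ts": "2024-05-01T09:40:00", "entity": "fin-db", "rule": "after_hours_backup_job",
     "tactic": "Collection", "score": 10},
    {"ts": "2024-04-29T13:00:00", "entity": "dc01", "rule": "new_service_installed",
     "tactic": "Persistence", "score": 20},
]


def consolidate_risk(detections, now_iso, window=timedelta(hours=24),
                     criticality=ASSET_CRITICALITY):
    """Return {entity: {"score": float, "tactics": set, "rules": [...]}} for the
    detections inside the look-back window, weighted by asset criticality."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - window
    risk = defaultdict(lambda: {"score": 0.0, "tactics": set(), "rules": []})
    for d in detections:
        ts = datetime.fromisoformat(d["ts"])
        if ts < cutoff or ts > now:
            continue  # stale or future-dated events do not contribute
        weight = criticality.get(d["entity"], 1.0)  # unknown assets get neutral weight
        r = risk[d["entity"]]
        r["score"] += d["score"] * weight
        r["tactics"].add(d["tactic"])
        r["rules"].append(d["rule"])
    return dict(risk)


def risk_notables(risk, score_threshold=80, tactic_threshold=3):
    """An entity becomes a notable when its aggregate score is high OR its
    detections span several tactics (one event per tactic is weak on its own,
    four tactics on one host in an hour is an intrusion in progress)."""
    notables = []
    for entity, r in sorted(risk.items()):
        if r["score"] >= score_threshold or len(r["tactics"]) >= tactic_threshold:
            notables.append((entity, round(r["score"], 1), sorted(r["tactics"])))
    return notables


if __name__ == "__main__":
    risk = consolidate_risk(DETECTIONS, "2024-05-01T10:00:00")
    for entity, score, tactics in risk_notables(risk):
        print(f"NOTABLE {entity}: risk={score} tactics={tactics}")
```

Run as written, only `ws-0412` becomes a notable: its four detections sum to 90 and cover four tactics, while the finance database's single after-hours job stays at 25 even after the 2.5x criticality weight, and the two-day-old domain controller event falls outside the window. The thresholds are the tuning knobs a SOC adjusts per environment.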
Common security threats today
Numerous security threats can put an organization’s data at risk of compromise or attack. While by no means exhaustive, here are a few of the most significant threats most organizations are likely to encounter.
Social engineering
Data commonly leaves organizations when attackers trick employees into giving away login credentials or into installing malware that records keystrokes. As phishing and social engineering lures grow more convincing, organizations need to invest in both technical defenses and employee training so that a momentary lapse of judgment cannot bring down a network.
Insider threats
Some of the biggest cyberthreats are insiders who already have network access and intimate knowledge of intellectual property, blueprints, valuable data and other business assets. Organizations need to pay special attention to anyone with access to corporate data, including employees, partners and third-party vendors, since any of them could misuse privileged access and disrupt operations.
APTs and advanced malware
Malware authors are constantly evolving their techniques, which now include new forms of ransomware, Advanced Persistent Threats (APTs), fileless malware attacks and “stalkerware.” To protect their networks, organizations will need to invest in new ways of proactively anticipating malware behaviors, isolating attacks and detecting evasive threats that obfuscate their presence.
Distributed denial of service (DDoS) attacks
DDoS attacks, which bombard a victim’s computer or network with a surge of bogus traffic, can prevent organizations from accessing their data, slow their networks, or shut down their web resources altogether. To avoid incurring significant damage to the business, organizations need to invest in advanced network traffic analysis while also creating strategies to optimize defenses and continue operations should they fall victim to an attack.
Unpatched vulnerabilities
Software that isn't regularly updated is fertile ground for attackers aiming to exploit unpatched, or not yet publicly known, vulnerabilities. These threats are also among the easiest to prevent, provided the gaps are detected and patched early.
Compromised and weak credentials
One of the top attack vectors continues to be compromised credentials, especially as users recycle the same passwords for multiple accounts. Defenses such as multi-factor authentication, password managers, and comprehensive user training on identity best practices can help minimize entry via this attack vector.
IoT devices
Connected Internet of Things (IoT) devices such as routers, webcams, wearables, medical devices, manufacturing equipment and automobiles not only greatly expand the attack surface, they often lack adequate security measures, opening the door to destructive attacks. Once taken over by attackers, IoT devices can be used to flood networks with traffic or to disrupt the physical processes and critical infrastructure they control. Organizations relying on connected technologies will increasingly need tools that monitor this infrastructure for the vulnerabilities that leave it susceptible to attack.
With all of these threats, it’s important that organizations stay on the offensive, just as much as they’re on defense. Let’s dig into some of the ways teams can take on proactive security methods.
Proactive security approaches
A proactive cybersecurity approach is one that preemptively identifies and addresses security threats and vulnerabilities before an attack occurs. This approach can include established frameworks, such as the cyber kill chain or the MITRE ATT&CK Framework, that help security professionals get ahead of threats by anticipating their behaviors in a wide variety of contexts.
Cyber kill chains
The cyber kill chain is a series of ordered steps that outline the various stages of a cyberattack as they progress from reconnaissance to data exfiltration, which helps security analysts and professionals understand attacker behaviors and threat patterns.
The model was developed by defense contractor Lockheed Martin, which adapted the military "kill chain" concept to network intrusions. Lockheed Martin's original has seven stages (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives); the expanded version described here has eight, and is used to anticipate and identify a wide range of security threats such as malware, social engineering, APTs, ransomware and insider attacks.
The expanded cyber kill chain incorporates eight core stages, a specific chronology of activities in a cyberattack:
- Reconnaissance
- Intrusion
- Exploitation
- Privilege escalation
- Lateral movement
- Obfuscation/anti-forensics
- Denial of service
- Exfiltration
MITRE ATT&CK framework
The MITRE ATT&CK framework is a globally accessible knowledge base that provides a comprehensive representation of attack behaviors based on real-world observations. It was created in 2013 by the MITRE Corporation, a not-for-profit organization that works with government agencies, industry and academic institutions.
ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge, documents the tactics, techniques and procedures (TTPs) that attackers employ against networks, without prescribing a specific attack pattern or order of operations. The Enterprise matrix encapsulates the following 14 tactics:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
These frameworks can be used to take on proactive security efforts such as threat hunting. To actively get ahead of hackers, security teams need to proactively search for potential breach indicators and other threats lurking in IT infrastructure.
While a proactive approach is increasingly important in today’s threat landscape, a primary goal for any security team should be to maximize detection and response efforts. As soon as a threat is taking action against the organization, security teams need to be able to spot the attack and react accordingly — here are a few ways security analytics can help with that.
Security analytics for detection and response
Security analytics tools and technologies can help with faster detection and response because they analyze a wide range of data from numerous, distributed sources, allowing organizations to connect alerts, anomalies and security incidents and recognize adversarial behavior.
This results in a few benefits:
- Better integration of relevant data from a wide and more diverse array of sources
- Improved visibility into increasingly complex IT infrastructure and a rapidly changing threat landscape
- Improved detection and forensics capabilities
- Elevated ability to prioritize and take appropriate action on the most critical threats
- Increased visibility into and the ability to better monitor the internal network
- Increased visibility into your regulatory compliance environment, including HIPAA, PCI DSS and others
- Enhanced ability to adhere to compliance regulations and industry standards, including evolving policy changes
By maximizing the effectiveness of detection and response tools, security teams can focus on:
- Insider threat detection: Because insiders often have credentialed access to sensitive data and systems, they can present an even bigger threat to enterprises than external actors. Security analytics gives you the ability to get one step ahead of malicious insiders by detecting unusual login times, unauthorized database requests, abnormal email usage and other aberrations, while also looking for indicators of data theft.
- Unauthorized data access: Any unauthorized movement of data into or out of your network can indicate data loss or theft. Security analytics can flag exfiltration that evades traditional, content-inspecting data loss prevention solutions, and can surface data loss even inside encrypted communications by analyzing metadata such as volumes, destinations and timing rather than the payload.
- Cloud security monitoring: While the cloud accelerates digital transformation efforts and streamlines operations, it also creates new cybersecurity challenges by rapidly expanding the attack surface and leaving room for a host of new vulnerabilities. Security analytics offers cloud application monitoring that scours for threats and protects data on cloud-hosted infrastructure.
- Network traffic analysis: With network traffic constantly moving at high volumes, it’s challenging for security analysts to maintain visibility into every communication and transaction. Security analytics provide a window into the entirety of your traffic, giving you the ability to analyze and detect any network anomalies, while also working in tandem with cloud security monitoring tools to detect threats in your cloud environment.
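The insider-threat item above singles out unusual login times as a tell. The Python below is an added example, not from the original article, of the UEBA-style logic behind that: build a per-user baseline of the hours at which the user normally logs in, then score each new login by how many prior logins fall near that hour, wrapping around midnight so a night-shift user's 23:00 and 00:00 logins support each other. Accounts with no baseline at all are reported separately rather than silently treated as normal. The users, baseline counts and new login events are constructed; a real system would aggregate the baseline from weeks of authentication logs.

```python
"""UEBA-style login-time baseline: flag logins at hours a user has rarely or
never logged in at before."""
from datetime import datetime

# Constructed baseline: 30 days of observed logins, condensed to {hour: count}
# per user, as a real system would hold them after aggregation.
BASELINE_LOGINS = {
    "alice": {8: 14, 9: 22, 10: 6, 13: 9, 14: 3, 17: 5},  # office hours
    "bob":   {22: 12, 23: 15, 0: 11, 1: 4},               # night-shift operator
}

# Constructed events to score (user, ISO timestamp).
NEW_LOGINS = [
    ("alice",   "2024-05-02T09:12:00"),  # typical for alice
    ("alice",   "2024-05-02T03:40:00"),  # 03:40, never seen for alice
    ("bob",     "2024-05-02T00:15:00"),  # midnight is normal for bob
    ("bob",     "2024-05-02T11:02:00"),  # mid-morning is abnormal for bob
    ("mallory", "2024-05-02T12:00:00"),  # no baseline at all
]


def hour_support(baseline_hours, hour, radius=1):
    """Number of baseline logins within +/-radius hours of `hour`, wrapping
    around midnight so that 23:xx and 00:xx count as neighbours."""
    return sum(baseline_hours.get((hour + off) % 24, 0)
               for off in range(-radius, radius + 1))


def score_logins(logins, baseline=BASELINE_LOGINS, min_support=3):
    """Return a list of (user, ts, support, verdict). `support` is how many prior
    logins sit near this hour; below `min_support` the login is anomalous.
    Users without any baseline get the distinct verdict 'no-baseline'."""
    results = []
    for user, ts in logins:
        hour = datetime.fromisoformat(ts).hour
        hist = baseline.get(user)
        if hist is None:
            results.append((user, ts, 0, "no-baseline"))  # new or unknown account: review
            continue
        support = hour_support(hist, hour)
        verdict = "anomalous" if support < min_support else "normal"
        results.append((user, ts, support, verdict))
    return results


if __name__ == "__main__":
    for user, ts, support, verdict in score_logins(NEW_LOGINS):
        print(f"{verdict:12} {user:8} {ts} (support={support})")
```

Run as written, alice's 03:40 login and bob's 11:02 login are anomalous, bob's midnight login is normal because his baseline surrounds it, and mallory is reported as having no baseline. On its own a single odd-hour login is only a risk signal; it earns its weight when correlated with the other aberrations the article lists, such as unusual database requests or abnormal email volume.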
Security analytics lets you see the big picture
As attack surfaces expand and the threat environment becomes more complex, organizations will inevitably face more hurdles in managing their data — opening the door for attackers and threats to enter the network under the radar. Security analytics answers this problem. By aggregating, correlating and analyzing the entirety of your data, security analytics gives you a clear and comprehensive window into your threat environment that will let you see — and prevent — emerging attacks well before they compromise your data and harm your organization.
This posting does not necessarily represent Splunk's position, strategies or opinion.