Data Insider

What Is Cybersecurity Analytics?

Security analytics is a proactive approach to cybersecurity that uses data collection, aggregation and analysis capabilities to perform vital security functions that detect, analyze and mitigate cyberthreats. Security analytics tools such as threat detection and security monitoring are deployed with the aim of identifying and investigating security incidents or potential threats such as external malware, targeted attacks and malicious insiders. With the ability to detect these threats at early stages, security professionals have the opportunity to stop them before they infiltrate network infrastructure, compromise valuable data and assets, or otherwise cause harm to the organization.

Security analytics solutions aggregate data from numerous sources, including endpoint and user behavior data, business applications, operating system event logs, firewalls, routers, virus scanners, external threat intelligence and contextual data such as asset inventories and identity directories. Normalizing and correlating this data gives organizations one primary data set to work with, so security professionals can apply detection logic across sources and run rapid searches for early indicators of an attack, such as a burst of failed logins followed by a success and unusual outbound traffic from the same host. Machine learning models can be applied to the same combined data set to analyze threats in near real time.
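
As an added illustration of the normalize-and-correlate step (example code written for this article, not code from the original page or from any vendor's product), the following Python maps constructed sshd and firewall log lines onto one schema, then applies a cross-source rule: several failed logins from one address, a success from the same address shortly after, and a denied outbound connection from the compromised host. The host names, users, IP addresses, firewall CSV layout and asset inventory are all assumptions made for the example.

```python
"""Normalize log lines from several sources into one schema and correlate them.

Added example for this article, not code from the page or from any vendor's
product. The log formats, host names, users and IP addresses are constructed
(external IPs come from the RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH authentication lines (syslog-style, UTC timestamps).
SSHD_LINES = [
    "2024-03-04T09:14:02Z srv-web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "2024-03-04T09:14:05Z srv-web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "2024-03-04T09:14:09Z srv-web1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "2024-03-04T09:14:31Z srv-web1 sshd[2207]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "2024-03-04T10:02:11Z srv-web1 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]
# Constructed firewall export: timestamp,action,src,dst,dport
FIREWALL_LINES = [
    "2024-03-04T09:15:40Z,ALLOW,10.0.0.21,198.51.100.9,443",
    "2024-03-04T09:15:41Z,DENY,10.0.0.21,198.51.100.9,4444",
]
# Constructed asset inventory: the contextual data the article mentions.
ASSETS = {"srv-web1": {"ip": "10.0.0.21", "criticality": 3}}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_sshd(line):
    """Map an sshd line onto the common schema; return None for lines we do not model."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "source": "sshd", "host": m["host"], "user": m["user"],
            "src_ip": m["src"], "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def normalize_firewall(line):
    ts, action, src, dst, dport = line.split(",")
    return {"ts": parse_ts(ts), "source": "firewall", "src_ip": src, "dst_ip": dst,
            "dport": int(dport), "outcome": "allow" if action == "ALLOW" else "deny"}


def build_dataset():
    """The 'one primary data set': every source normalized and ordered by time."""
    events = [e for e in map(normalize_sshd, SSHD_LINES) if e]
    events += [normalize_firewall(line) for line in FIREWALL_LINES]
    events.sort(key=lambda e: e["ts"])
    return events


def find_brute_force_success(events, min_failures=3, fail_window=60, success_within=300):
    """Flag >= min_failures failed logins from one source IP against one host within
    fail_window seconds, followed by a successful login from that IP within
    success_within seconds of the last failure."""
    failures = defaultdict(list)  # (host, src_ip) -> timestamps of recent failures
    findings = []
    for e in events:
        if e["source"] != "sshd":
            continue
        key = (e["host"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
            failures[key] = [t for t in failures[key]
                             if (e["ts"] - t).total_seconds() <= fail_window]
            continue
        recent = failures[key]
        if len(recent) >= min_failures and (e["ts"] - recent[-1]).total_seconds() <= success_within:
            findings.append({"type": "brute_force_success", "host": e["host"], "user": e["user"],
                             "src_ip": e["src_ip"], "ts": e["ts"]})
            failures[key] = []
    return findings


def enrich_with_egress(findings, events, within=600):
    """Correlate across sources: did the compromised host then attempt an outbound
    connection the firewall denied? Weight the score by asset criticality."""
    for f in findings:
        asset = ASSETS.get(f["host"], {})
        f["egress_denied"] = any(
            e["source"] == "firewall" and e["src_ip"] == asset.get("ip") and e["outcome"] == "deny"
            and 0 <= (e["ts"] - f["ts"]).total_seconds() <= within
            for e in events)
        f["risk"] = asset.get("criticality", 1) * (10 if f["egress_denied"] else 5)
    return findings


def run():
    events = build_dataset()
    return enrich_with_egress(find_brute_force_success(events), events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The normalization step is where most of the work lies in practice: each source needs its own parser and a time zone decision before correlation is meaningful. The thresholds (three failures in 60 seconds, a success within five minutes, denied egress within ten) are illustrative and should be tuned against the environment's own baseline of failed logins.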

This article explores the features and benefits of a security analytics platform, the most significant security threats to your organization, various security approaches, and how security analytics can help you proactively prevent attacks and keep your environment safe.

What is a security analytics platform?

A security analytics (SA) platform is a tool that provides proactive security functions via behavioral machine learning or analytics technologies. (Network traffic analytics is one capability such a platform typically includes, not a synonym for it.) Security functions include detecting, monitoring and analyzing various security events, attacks and threat patterns, all working together within a single application and using the same underlying data structures. Security analytics platforms are also scalable, with the ability to accommodate larger networks and more users as the business grows.

While feature sets vary, many security analytics platforms offer the following capabilities:

  • User and entity behavior analytics (UEBA)
  • Automated or on-demand network traffic analysis
  • Threat intelligence
  • Application access and analytics
  • DNS analysis
  • Email analysis
  • Identity and social persona
  • File access
  • Geolocation, IP context

One of the benefits of a security analytics platform is that it allows administrators and analysts to customize existing threat models or create entirely new ones based on the threat environment and their organization’s specific needs. The relevant security information is visually displayed in an accessible, user-friendly interface that provides actionable insights, and allows administrators to prioritize and respond to the most serious threats first.

What is unified security analytics?

Unified security analytics is a security analytics approach that incorporates machine learning, anomaly detection and predictive risk-scoring along with data science, to identify behavioral aberrations and suspicious activities that might indicate the presence of security threats. Unified security analytics will generate a consolidated, dynamic risk score for every incident or detected activity. Models are pre-programmed to predict and detect threats according to use case, industry vertical, threat framework and compliance regulation requirements, among other criteria. Because these contextual alerts prioritize risk and detect threats as they occur, unified security analytics can help mitigate some of the most serious security threats before cyber attackers can inflict damage.

What are different types of security analytics tools?

There are numerous security analytics tools on the market today, many of which help enterprises detect and prioritize threats, while also supporting response planning, analysis of adversary behavior and continual refinement of defenses against the attacks the organization is likely to face.

Some standard security analytics tools include:

  • Behavioral analytics: Behavioral analytics examines the patterns and behavioral trends of users, applications and devices to identify abnormal behavior or otherwise detect anomalies that could indicate a security breach or attack.
  • External threat intelligence: Threat intelligence (TI) feeds and platforms, often provided by an external security services firm, are not security analytics per se, but they supply context (known malicious IP addresses, domains and file hashes, and documented attacker tactics) that enriches the analysis.
  • Forensics: Forensic tools are used to investigate past or ongoing attacks, determine how attackers infiltrated and compromised systems, and identify cyberthreats and security vulnerabilities that could leave an organization susceptible to a future attack.
  • Network analysis and visibility (NAV): NAV is a collection of tools that analyze end-user and application traffic as it flows across the network.
  • Security information and event management (SIEM): A SIEM collects and correlates log and event data from hosts, network devices and applications to provide real-time analysis and alerting, plus retention of the underlying events for investigation and compliance reporting.
  • Security orchestration, automation and response (SOAR): Security orchestration, automation and response (SOAR) is the hub that ties together data gathering capabilities, analysis and threat response.
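
Network analysis and visibility tooling, like the network traffic analysis capability listed earlier, works mostly on flow metadata rather than payload, so it can see patterns even in encrypted traffic. One classic detection is command-and-control beaconing: an implant calling its controller on a fixed schedule. The Python below is an added example for this article, not code from the page or from any NAV product; its flow records, hosts and addresses are constructed, and the thresholds are assumptions.

```python
"""Flag periodic outbound connections ("beaconing") in flow records.

Added example for this article, not code from the page or from any NAV/NTA
product. The flow records, hosts and IP addresses are constructed; the
external addresses are from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def build_flows():
    """Constructed flows as (timestamp, src_ip, dst_ip, dst_port, bytes_out).
    10.0.0.21 calls 198.51.100.9:443 roughly every 60 s with a little jitter;
    10.0.0.33 browses 198.51.100.40:443 at irregular, human-paced intervals."""
    base = _ts("2024-03-04T09:00:00Z")
    flows, t = [], 0
    for jitter in [0, 1, -1, 2, 0, 1, -2, 1, 0, 1]:
        t += 60 + jitter
        flows.append((base + timedelta(seconds=t), "10.0.0.21", "198.51.100.9", 443, 512))
    t = 0
    for gap in [3, 40, 2, 180, 7, 600, 15, 1, 300, 22]:
        t += gap
        flows.append((base + timedelta(seconds=t), "10.0.0.33", "198.51.100.40", 443, 20000))
    return sorted(flows)


def score_beacons(flows, min_connections=8, max_cv=0.1):
    """Group flows by (src, dst, port) and measure how regular the inter-arrival
    times are. A coefficient of variation (stdev / mean) near zero means the
    host connects on a fixed schedule, which is how most C2 implants behave."""
    groups = defaultdict(list)
    for ts, src, dst, port, _bytes in flows:
        groups[(src, dst, port)].append(ts)
    results = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        results[key] = {"connections": len(times), "period_s": round(avg, 1),
                        "cv": round(cv, 3), "beacon": cv <= max_cv}
    return results


if __name__ == "__main__":
    for key, result in score_beacons(build_flows()).items():
        print(key, result)
```

Real implants add jitter to defeat exactly this test, so the coefficient-of-variation cutoff is a tuning knob rather than a constant, and legitimate software (NTP clients, update checkers, monitoring agents) also beacons. In practice the periodicity score is combined with destination reputation, transferred volume and how recently the destination was first seen before it becomes an alert.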

Organizations have a choice of hardware, software or virtual appliances, which will also need to complement and integrate with their existing infrastructure. Some security analytics vendors specialize in specific types of threats, such as advanced persistent threats. Other vendors cater to specific verticals such as healthcare or financial services, where compliance with mandates such as HIPAA or PCI DSS is a central concern.

To find the right security analytics tool, businesses will need to consider the type of deployment and feature sets that they require, the types of threats that they or their industry regularly face and the type of solution that best fits within their budget.

What are some expanding attack surfaces that present the most risk?

The “attack surface” of an enterprise is the full set of points, exposed publicly or privately, at which an adversary could attempt to enter a system or reach its data: network services, user interfaces, APIs, devices and the people who operate them. An “attack vector” is the specific route an adversary or malware program follows through one of those points to breach a network or system and steal or compromise data.

There are numerous ways that adversaries can enter an organization’s network for nefarious purposes. Some of the expanding attack surfaces that present the biggest opportunities for hackers include:

  • IoT and connected devices: IoT devices are frequently unmanaged: they ship with weak or no security controls, cannot run endpoint agents, and are rarely patched. This makes it difficult for security professionals to understand how these devices communicate on the network, creating blind spots that leave the devices vulnerable to attack.
  • Misconfigured cloud servers: While cloud server misconfigurations often originate as a simple mistake made during the deployment of cloud resources, they can easily open the door for network intruders and leave the entirety of an organization's data vulnerable to attack. As companies increasingly adopt cloud services while not adding the appropriate security measures, they’ll also be subject to a higher risk of data breaches attributed to misconfigured servers.
  • Vulnerable mobile devices: Mobile app vulnerabilities along with a rising number of mobile threats can subject organizations to data loss and identity theft when attackers enter the network via laptops, tablets and smartphones. To help prevent these kinds of attacks, organizations need to thoroughly assess their mobile apps and infrastructure in their environment for security vulnerabilities and privacy flaws.

What is a security analytics approach in a hybrid or multicloud environment?

With data spread across a hybrid multicloud environment, it is necessary for security teams to gain meaningful security insights that will help them detect and prioritize threats — both internal and external — and determine the level of risk within an organization. However, a highly distributed environment and siloed datasets can make it difficult for security teams to see a big picture of their security environment or garner the right insights to create adequate defenses.

A security analytics approach can overcome visibility and data challenges created by a hybrid, multicloud environment in the following ways:

  • Connecting data silos: A security analytics approach gives administrators the ability to run comprehensive or customized queries and searches across the various data formats that connect siloed, disparate or highly distributed information to generate meaningful security insights. By accessing the entirety of their data, security teams can then make more informed, risk-based decisions that will protect and benefit their organization.
  • Automating incident response: In a hybrid cloud environment, it is essential to automate labor-intensive, repeatable and mundane tasks by applying orchestration capabilities to identify threats and anomalies. Automating routine tasks also helps streamline known security processes so administrators can focus on high-priority efforts such as threat hunting and forensic investigations.
  • Providing a unified interface: Security teams are often inundated with security tools and technologies, making it increasingly challenging to manage, maintain and report on security outcomes. A security analytics approach typically operates with one common interface that allows administrators to easily identify what needs to be done, and then seamlessly pivot from one task to another. This in turn enhances speed and agility of responses and frees up time to deal with more pressing issues.

Do security tools help with security analytics?

Many organizations are rapidly adding to the number of security tools in their environment — often to satisfy increasingly rigorous compliance regulations, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act and others.

However, instead of helping teams with security analytics, the rapid addition of security solutions and services over the last few years has increased the complexity of these environments, creating impediments and blind spots that can delay identifying and responding to security threats. Also, with the explosion of disparate and disconnected point solutions, chief information security officers (CISOs) face new challenges in demonstrating adequate return on investment (ROI) for their purchases, which calls into question future security infrastructure investments.

Consequently, many organizations are simplifying their security environments — a move that streamlines operations, accelerates the time it takes to identify risks and address threats, and increases overall ROI in security investments.

What are some of the biggest data security threats?

There are numerous security threats that can put an organization’s data at risk of compromise or attack. While by no means exhaustive, here are a few of the most significant threats most organizations are likely to encounter.

  • Social engineering: Data commonly leaves organizations when attackers trick employees into giving away login credentials or installing malware that records keystrokes. As phishing attacks and social engineering ploys continuously appear more authentic, organizations will need to invest further in security defenses and employee training to prevent a momentary lapse of judgment from bringing down a network.
  • Malicious insiders: Often some of the biggest cyberthreats are insiders who already have network access and intimate knowledge of intellectual property, blueprints, valuable data and other business assets. Thus, organizations need to pay special attention to anyone with access to their corporate data, including employees, partners, and third-party vendors, who have the potential to misuse privileged access and disrupt operations.
  • APTs and advanced malware: Malware authors are constantly evolving their techniques, which now include new forms of ransomware, Advanced Persistent Threats (APTs), fileless malware attacks and “stalkerware.” To protect their networks, organizations will need to invest in new ways of proactively anticipating malware behaviors, isolating attacks and detecting evasive threats that obfuscate their presence.
  • Distributed Denial of Service Attacks (DDoS): DDoS attacks, which bombard a victim’s computer or network with a surge of bogus traffic, can prevent organizations from accessing their data, slow their networks, or shut down their web resources altogether. To avoid incurring significant damage to the business, organizations need to invest in advanced network traffic analysis while also creating strategies to optimize defenses and continue operations should they fall victim to an attack.
  • Unpatched vulnerabilities: Software that isn’t regularly updated creates fertile ground for attackers, who routinely exploit vulnerabilities for which a patch already exists. These are among the easiest threats to prevent if vulnerable systems are inventoried and patched promptly; zero-day vulnerabilities, for which no patch yet exists, require compensating controls such as segmentation and behavioral detection instead.
  • Compromised and weak credentials: One of the top attack vectors continues to be compromised credentials, especially as users recycle the same passwords for multiple accounts. Defenses such as multi-factor authentication, password managers, and comprehensive user-training on identity best practices can help minimize entry via this attack vector.
  • IoT attacks: Connected Internet of Things (IoT) devices such as routers, webcams, wearables, medical devices, manufacturing equipment and automobiles not only greatly expand the attack surface, they often lack adequate security measures, opening the door for destructive cyber attacks. Once taken over by hackers, IoT devices can wreak havoc on systems by overloading networks or locking down critical infrastructure. Increasingly, organizations relying on connected technologies will need to invest in tools that monitor for vulnerabilities in infrastructure that leave them susceptible to a potential attack.

What are some proactive security approaches?

A proactive cybersecurity approach is one that preemptively identifies and addresses security threats and vulnerabilities before an attack occurs. This approach can include established frameworks, such as the Cyber Kill Chain or the MITRE ATT&CK Framework, that help security professionals get ahead of threats by anticipating their behaviors in a wide variety of contexts.

The Cyber Kill Chain is a sequence of ordered stages that describe how a cyberattack progresses from reconnaissance to its final objective, such as data exfiltration, and helps analysts reason about attacker behavior and where a defender can break the chain. The term comes from military targeting doctrine; Lockheed Martin adapted it to network intrusions in 2011 as a seven-stage model (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives). It has since been used to anticipate and identify a wide range of threats such as malware, social engineering, APTs, ransomware and insider attacks.

The expanded variant below breaks an intrusion into eight stages, in the order an attack typically progresses:

  • Reconnaissance
  • Intrusion
  • Exploitation
  • Privilege escalation
  • Lateral movement
  • Obfuscation/ Anti-forensics
  • Denial of service
  • Exfiltration

The MITRE ATT&CK framework is a globally accessible knowledge base of adversary behavior based on real-world observations. MITRE, a not-for-profit organization that works with government agencies, industry and academic institutions, began ATT&CK in 2013. ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge, documents the tactics, techniques and procedures (TTPs) attackers use, but unlike the Kill Chain it does not prescribe a fixed order of operations: a tactic is the adversary’s goal at a given step, and an intrusion may use any subset of them in any sequence. The tactics of the Enterprise matrix are listed below (Reconnaissance, Resource Development and Impact were added in later versions of the framework):

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

How can security analytics help with faster/better detection and response?

Security analytics tools and technologies can help with faster detection and response because of their ability to analyze a wide range of data from numerous, distributed sources, allowing organizations to connect individual alerts, anomalies and security incidents into a picture of adversarial behavior.

Some of the benefits of a security analytics platform include:

  • Better integration of relevant data from a wide and more diverse array of sources
  • Improved visibility into increasingly complex IT infrastructure and a rapidly changing threat landscape
  • Improved detection and forensics capabilities
  • Elevated ability to prioritize and take appropriate action on the most critical threats
  • Increased visibility into and the ability to better monitor the internal network
  • Increased visibility into your regulatory compliance environment, including HIPAA, PCI DSS and others
  • Enhanced ability to adhere to compliance regulations and industry standards, including evolving policy changes

What are some security analytics use cases?

Security analytics has many relevant use cases, ranging from improving network visibility to threat detection and employee monitoring. Here are a few of the most common use cases:

  • Threat hunting: To actively get ahead of the hackers, security teams need to proactively search for potential breach indicators and other threats lurking in IT infrastructure. Security analytics can automate these efforts, while also helping to identify specific types of evasive malware.
  • Insider threat detection: Because insiders often have credentialed access to sensitive data and systems, they can present an even bigger threat to enterprises than external actors. Security analytics gives you the ability to get one step ahead of malicious insiders by detecting unusual login times, unauthorized database requests, abnormal email usage and other aberrations, while also looking for indicators of data theft.
  • Unauthorized data access and movement: Any unauthorized movement of data into or out of your network can indicate data loss or theft. Security analytics can surface exfiltration that evades traditional data loss prevention controls, for example by flagging anomalous transfer volumes, destinations or timing, and because it works on connection metadata it can do so even in encrypted channels where content inspection is not possible.
  • Cloud security monitoring: While the cloud accelerates digital transformation efforts and streamlines operations, it also creates new cybersecurity challenges by rapidly expanding the attack surface and leaving room for a host of new vulnerabilities. Security analytics offers cloud application monitoring that scours for threats and protects data on cloud-hosted infrastructure.
  • Network traffic analysis: With network traffic constantly moving at high volumes, it’s challenging for security analysts to maintain visibility into every communication and transaction. Security analytics provide a window into the entirety of your traffic, giving you the ability to analyze and detect any network anomalies, while also working in tandem with cloud security monitoring tools to detect threats in your cloud environment.
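
Both the behavioral analytics tool type described earlier and the insider threat use case above rest on the same idea: learn what is normal for each user and score deviations. The following Python is an added example written for this article, not code from the page or from any UEBA product. The user, her history, the hosts and the scoring weights are constructed, and the use of robust statistics (median and MAD rather than mean and standard deviation) is an editorial choice, not something the page specifies.

```python
"""Per-user behavioral baseline for insider-threat detection (UEBA-style).

Added example for this article, not code from the page or from any vendor's
product. The user, hosts, history and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def build_history():
    """Constructed 20 days of normal activity for one user: logins between
    08:00 and 09:59 from her own workstation, reading 150-300 database rows."""
    day0 = _ts("2024-02-05T00:00:00Z")
    return [{"user": "jdoe",
             "ts": day0 + timedelta(days=d, hours=8 + d % 2, minutes=(d * 7) % 60),
             "src_host": "wkst-jdoe",
             "rows_read": 150 + (d * 37) % 150}
            for d in range(20)]


def build_baseline(history):
    """Summarize each user's usual login hours, source hosts and data volume.
    Median and MAD are used instead of mean and stdev so a few outliers in
    the history do not inflate what counts as 'normal'."""
    per_user = defaultdict(lambda: {"hours": set(), "hosts": set(), "rows": []})
    for e in history:
        b = per_user[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["hosts"].add(e["src_host"])
        b["rows"].append(e["rows_read"])
    for b in per_user.values():
        med = median(b["rows"])
        b["rows_median"] = med
        b["rows_mad"] = median(abs(r - med) for r in b["rows"]) or 1.0
    return per_user


def score_event(event, baseline, hour_tolerance=1, mad_threshold=5.0):
    """Return (score, reasons). Each deviation from the user's baseline adds
    to the score; 50 or more is worth an analyst's attention."""
    b = baseline.get(event["user"])
    if b is None:
        return 50, ["no baseline for this user"]
    score, reasons = 0, []
    hour = event["ts"].hour
    if not any(abs(hour - h) <= hour_tolerance for h in b["hours"]):
        score += 40
        reasons.append(f"login at {hour:02d}:00 outside usual hours {sorted(b['hours'])}")
    if event["src_host"] not in b["hosts"]:
        score += 30
        reasons.append(f"first login from host {event['src_host']}")
    # Robust z-score: 1.4826 * MAD estimates the standard deviation for normal data.
    robust_z = (event["rows_read"] - b["rows_median"]) / (1.4826 * b["rows_mad"])
    if robust_z > mad_threshold:
        score += 30
        reasons.append(f"read {event['rows_read']} rows, {robust_z:.0f} MADs above the median")
    return score, reasons


def run():
    """Score two constructed new events against the baseline."""
    baseline = build_baseline(build_history())
    candidates = [
        {"user": "jdoe", "ts": _ts("2024-03-04T09:05:00Z"), "src_host": "wkst-jdoe", "rows_read": 220},
        {"user": "jdoe", "ts": _ts("2024-03-05T02:30:00Z"), "src_host": "vpn-pool-7", "rows_read": 50000},
    ]
    return [(e["ts"].isoformat(), *score_event(e, baseline)) for e in candidates]


if __name__ == "__main__":
    for when, score, reasons in run():
        print(when, score, reasons)
```

Two caveats a real deployment must handle that the example skips: login hours should be evaluated in the user's local time zone and treated as circular (23:00 and 00:00 are adjacent), and a baseline built from too little history, or one an insider has slowly shifted over months, will rate the abnormal as normal.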

The Bottom Line: Security analytics lets you see the big picture

As attack surfaces expand and the threat environment becomes more complex, organizations will inevitably face more hurdles in managing their data — opening the door for attackers and threats to enter the network under the radar. Security analytics answers this problem. By aggregating, correlating and analyzing the entirety of your data, security analytics gives you a clear and comprehensive window into your threat environment that will let you see — and prevent — emerging attacks well before they compromise your data and harm your organization.