Given that multi-stage attacks are becoming commonplace, and that there are significant challenges in detecting these advanced threats, can security analytics effectively help with attack detection on the inside of the network? Yes it can, but only if you keep a few things in mind.
Nate Silver, in describing his new website “FiveThirtyEight.com” upon its launch, alluded to how his data journalism website intends to be more like a fox in taking a pluralistic approach to contribute to our understanding of the news. We believe that security analytics is no different and also needs to be more fox-like in its approach. Security analytics is not just about making bold proclamations based on spurious extrapolations from limited datasets; it needs to take a more holistic approach to advance the understanding of security analysts – whether that be in support of their incident investigations, alert prioritization, or compromised user detection needs.
First, let’s debunk the myth that sophisticated, multi-stage attacks can always be detected in real-time. Doing so would mean raising alerts for variances seen during every stage of the kill chain, thus compounding the alert white noise problem for analysts, rather than mitigating it.
Customers will see tremendous value in security analytics if they take the approach that while it may not be able to automatically detect every single attack, it can most certainly shed deep insights that support human-driven workflows to detect and respond to threats.
Additionally, network behavior and traffic analysis can be used to spot anomalies, but they must be correlated and fused with logs and other data sources (e.g., packets, flows, logs, files, alerts, and threat feeds) to provide rich, contextual information around those events. Many network analytics solutions on the market fail to deliver even the most fundamental correlation of IP addresses to users.
User behavior analytics (UBA) can also be a useful tool to help detect compromised users, but it needs to be applied on diverse data sources, not just a few authentication logs. This allows multiple abnormal activities on the inside such as command and control activity, privilege escalation, lateral movement or abnormal resource access to be correlated over time to present a high fidelity user- or host-level risk profile. And there is simply no alternative to storing detailed forensic information in support of the probabilistic results generated by UBA. Without it, analysts will be forced yet again to triangulate between myriad systems to determine if the generated anomalous security event was real.
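As an added illustration of the two points above (IP-to-user correlation, and fusing anomalies from diverse sources over time into a user-level risk profile that keeps its forensic evidence), here is example code written for this page, not code from the original post or any product. The lease table, events, indicator names, weights and thresholds are all constructed assumptions.

```python
# Added example; lease table, events, indicator weights and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DHCP/auth lease records: (ip, user, lease_start, lease_end). This is the IP-to-user step.
LEASES = [
    ("10.0.0.5", "alice", "2024-05-01T08:00:00", "2024-05-01T18:00:00"),
    ("10.0.0.5", "bob",   "2024-05-02T08:00:00", "2024-05-02T18:00:00"),
]
# Constructed events: (timestamp, source, ip, indicator, evidence_ref); evidence_ref is the retained forensic record.
EVENTS = [
    ("2024-05-01T09:00:00", "auth", "10.0.0.5", "login_from_new_country", "auth.log:118"),
    ("2024-05-01T09:30:00", "dns",  "10.0.0.5", "periodic_beacon",        "dns.pcap:frame 4021"),
    ("2024-05-01T10:15:00", "edr",  "10.0.0.5", "privilege_escalation",   "edr-alert:7f3"),
    ("2024-05-01T11:00:00", "flow", "10.0.0.5", "new_smb_peers",          "netflow:2024-05-01/10.0.0.5"),
    ("2024-05-02T09:00:00", "auth", "10.0.0.5", "login_from_new_country", "auth.log:204"),
]
WEIGHTS = {"login_from_new_country": 2, "periodic_beacon": 3,
           "privilege_escalation": 4, "new_smb_peers": 3}

def ip_to_user(ip, ts):
    """Map an IP to the user holding its lease at the event time, else None."""
    t = datetime.fromisoformat(ts)
    for lease_ip, user, start, end in LEASES:
        if lease_ip == ip and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return user
    return None

def risk_profiles(events, window=timedelta(hours=24)):
    """Per user: (score, sources, evidence) of the best-scoring indicator chain inside a sliding window."""
    per_user = defaultdict(list)
    for ts, source, ip, indicator, ref in events:
        user = ip_to_user(ip, ts)          # same IP may belong to different users on different days
        if user:
            per_user[user].append((datetime.fromisoformat(ts), source, indicator, ref))
    profiles = {}
    for user, evs in sorted(per_user.items()):
        evs.sort()                         # chronological, so evidence lists read as a timeline
        best = (0, set(), [])
        for t0, _, _, _ in evs:
            chain = [e for e in evs if t0 <= e[0] <= t0 + window]
            score = sum(WEIGHTS[e[2]] for e in chain)
            if score > best[0]:
                best = (score, {e[1] for e in chain}, [e[3] for e in chain])
        profiles[user] = best
    return profiles

def flagged_users(profiles, min_score=8, min_sources=2):
    # Only surface users whose chain is corroborated by more than one data source.
    return [u for u, p in profiles.items()
            if p[0] >= min_score and len(p[1]) >= min_sources]
```

With the constructed data, alice's four anomalies from four sources chain into one high-fidelity profile while bob's single new-country login stays below the threshold, and each flagged profile carries the evidence references an analyst needs to confirm it without triangulating across systems.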
In addition to enabling the detection of the most insidious attacks, analytics can play a pivotal role in surfacing insights into what might truly be happening in an organization’s network. The power of machine-assistance can be leveraged to increase the efficiency of incident investigation, alert prioritization, incident response and threat hunting – all fundamentally human-driven activities. For example:
- Investigations have to go back further in time to be of true value. One customer told us their median time for investigating incidents was 262 days. Imagine having to go back 262 days to investigate an incident and triangulate exactly what happened. Can you perform such an investigation and do so within hours and not weeks?
- Prioritizing the right sets of alerts and being able to triage them effectively. Customers are flooded with what they see as excessive alerts in their network, eroding the productivity of their analysts and lowering the organization’s effective security profile.
- Gaining user-level security insights across the vast volumes of data already present in their environment.
- Using the power of analytics to tag data in interesting ways to make threat hunting extremely efficient.