Organizations today rely on IoCs (Indications of Compromise) which focus on specific tactics, techniques and procedures (TTPs) that are ever-changing, instead they must analyze behavioral activity across multiple data dimensions to find the sequences of IoAs (Indication of Attacks) mapping to the steps of the Cyber Kill Chain.
[quote font=”tahoma” font_size=”13″ font_style=”italic” color=”#262626″ bgcolor=”#f9f9f9″ bcolor=”#5b9cc0″]
“Any next-gen analytics solution should be able to identify high-risk security threats such as data exfiltration, adversary reconnaissance and adversary lateral movement.”
Surjit Das
Principal Consultant
Fraud & Cyber Intelligence, SAS
[/quote]
What’s driving the Sophistication of Cyber Security? Analyst firm, Gartner says that By 2018, at least 60% of major cloud access security broker vendors and 25% of major SIEM and DLP vendors will incorporate advanced analytics and UEBA (User Entity Behavior Analytics) functionality into their products, either through acquisitions, partnerships or natively. By 2018, deep learning will be incorporated into at least one UEBA product, and, by 2019, this number will rise to at least 20 UEBA products.
Most security operations today are reactively focused on IoCs. By that time, the damage is done even if adversaries haven’t reached their goals. Security teams aren’t able to operate as efficiently as they can and it’s a perpetual struggle to keep up with the changing landscape. Since IoCs focus on TTPs that are ever-changing, organizations must analyze behavioral activity across multiple data dimensions to find the sequences of IoAs mapping to the steps of the Cyber Kill Chain.These sequences can be used to identify risky activity and to calculate security risk. Unfortunately, helping organizations move towards a more proactive security, detection and analysis of IoAs is a universal goal that the industry hasn’t delivered on well to date.
Rules are based on what a human knows about the data. When rules are not tuned properly, they generate too much noise and alerts that are not correctly prioritized. This is a common scenario among many large clients that use rule-based security monitoring systems that end up generating hundreds of thousands of alerts or more per day. Most importantly, humans cannot predict, what future attacks will look like. Statistical analysis and machine learning can find anomalies in data that humans wouldn’t otherwise know about.
Around 2010, Big Data became popular referring to the realization of massive amount of data, the pace at which it was being generated, and its many different types and formats. The term implied that Big Data initiatives included analytics to discover and apply new insights from this data. And as we’ve learned, many companies have struggled to realize sustained value from their big data initiatives. Many vendors (including open source) sprung up and were super active in this space. We believe we are again at an inflection point that will drive some standardization. Organizations are now realizing, that to successfully manage Big Data, what they need to do is adopt a consistent and full featured Analytics Platform that can operate at SCALE. Now SCALE isn’t just about handling Big Data. There are many aspects to it!
Quantity of analytics – Imagine handling thousands of models easily. Imagine creating those models, auto-tuning them, deploying them, monitoring them.
Complexity of the analytics – This allows all users to leverage much more complex algorithms, with more variables and segmentations of predictive models.
Streamlined deployment of those models so they can be deployed in operation in minutes instead of weeks or months! And you can scale your security operations with existing resources.
Security Analytics solutions ingest and correlate data from multiple disparate sources such as applications, data loss prevention, endpoints, IAM, and network flow data, providing necessary insight into user and device activity. Features such as security user behavior analytics (SuBa) provide insight into user activity to identify malicious users and compromised accounts. An external attacker may use compromised user credentials to access a system, but once the system starts to exhibit abnormal behavior, it will be flagged as suspicious.
In another instance, unusual behavior from load balancing device may not trigger alerts from SIEM or antivirus /intrusion detection system, resulting in megabytes of data exfiltration from the network. Network behavior Analytics can detect attacks that go undiscovered by the installed solutions.
To conclude, any next-gen analytics solution should be able to identify high-risk security threats such as data exfiltration, adversary reconnaissance and adversary lateral movement. Security analytics focuses on data discovery using data science, advanced statistical functions/ algorithms and visualization tools to reduce data complexity and rapidly sift through volumes of data to gain insights from traditional and non-traditional data formats. Industry is realizing the need for an analytics driven security operations architecture to combat the sophisticated Cyber Attacks we are witnessing today.
