The case for cybersecurity analytics
by Liz Goldberg, Product Marketing Manager, SAS Cybersecurity Practice
Five years ago, security experts probably didn’t view analytics as a primary weapon to help fight cybercrime. The tools focused on attack prevention and were designed to keep people away from sensitive information and network assets.
Those weapons are still useful, but analytics adds a new arrow to the security quiver. It’s almost impossible to prevent every intrusion. But consider what happens with every successful intrusion: the attacker creates a network event trail. This trail provides a fingerprint of the intruder, marking the steps he’s taking in the network to pursue his goal.
The data generated by the attacker’s actions is the hallmark of cybercrime. And that’s the reason analytics is becoming a valuable weapon in the cybersecurity fight. The data to investigate and fight cybercrime is there. There are multiple systems in place that have the ability to gather and monitor the data needed to fuel faster cybercrime detection.
The goal for your cybersecurity team will be to figure out how to make that data work for you. With more data, you need analytics to organize, contextualize and ultimately find the hidden meaning.
Cybersecurity analytics: How we got here
The use of data to fight cybersecurity threats is nothing new. For years, organizations have used whatever data was available to combat intrusions.
Consider something as straightforward as a log file. Documenting a system’s events is a practice as old as computer systems and networks themselves. This information has often been a good source for tracking down what happened – after the fact. If a breach occurred in a certain area, the log data could lead back to the point of intrusion.
That information is now even more important for two reasons. First, there are more connections to your network today, including from staff, partners and customers who can access data from outside of your firewall. Second, there are simply more systems and more people accessing these systems, meaning log data is increasing exponentially.
In a recent report by the SANS Institute called Using Analytics to Predict Future Attacks and Breaches, SANS analyst David Shackleford uses this example and others to show the benefits and shortcomings of traditional detection capabilities.
The report evaluates attack detection technologies such as logging, network device events, security information and event management (SIEM) and file integrity monitoring. Each of these systems is important to an organization’s network defense arsenal, but there are often limitations to their use in fighting modern cybercrime. Shackleford writes:
Despite these tools, some security teams are less effective than they could be because these disparate tools and platforms generate an overwhelming amount of data. Security teams are trying to incorporate numerous controls with detection events into their response processes, and it can be easy to miss events and indicators of compromise.
Cybersecurity + analytics = Better network visibility
How does analytics make a difference in the world of cybersecurity? Here are three areas where analytics can turn massive amounts of data into meaningful information.
- Establish context – Network data is massive. While this data can tell you a lot, it’s important to understand the business context behind the behavior. For example, how is this particular machine acting compared to its peers? With this knowledge, you can better evaluate whether that behavior is normal.
- Provide meaning – The beauty of analytics is that it does the heavy lifting for you. Your security team doesn’t have to sift through the data to look for events that raise issues and require additional investigation. More importantly, advanced analytics using modern computing platforms can go deeper into the data to find patterns and connections that might not be available otherwise.
- Make it visible – It’s not just about getting answers. You need to do something with what you learn. Analytics needs to be integrated into your incident response program.
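The first two points above, judging a machine against its peers and letting the analytics surface the events worth investigating, can be made concrete with a small peer-group baseline. The following Python is an added example written for this article; it is not code from SAS or from the SANS report. The telemetry (one day of outbound megabytes per host), the role labels used as peer groups, the robust z-score method (median and median absolute deviation) and the 3.5 threshold are all assumptions chosen for illustration. It also shows why the context matters: the same host scored against the whole fleet instead of its peer group is not flagged at all.

```python
"""Peer-group baselining over constructed host telemetry.

Added example for this article, not SAS or SANS code. Each record is one
day of outbound megabytes for one host. A host is compared with the other
hosts in its peer group (same role) using a robust z-score built on the
median and the median absolute deviation (MAD), so a single extreme host
does not inflate the baseline it is judged against.
"""
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: (host, role, outbound_megabytes).
# Host names, roles and values are made up for this example.
SAMPLE_TELEMETRY = [
    ("ws-01", "workstation", 120), ("ws-02", "workstation", 95),
    ("ws-03", "workstation", 130), ("ws-04", "workstation", 110),
    ("ws-05", "workstation", 2400),   # same role, far above its peers
    ("db-01", "database", 3100), ("db-02", "database", 2900),
    ("db-03", "database", 3300), ("db-04", "database", 3000),
]

# Iglewicz and Hoaglin's conventional cutoff for robust z-scores (assumption).
DEFAULT_THRESHOLD = 3.5


def robust_zscores(values):
    """Return one robust z-score per value: distance from the median in scaled-MAD units.

    The 1.4826 factor makes MAD comparable to a standard deviation for
    normally distributed data. If every value is identical MAD is 0, so any
    deviation from the median is treated as maximally anomalous.
    """
    med = median(values)
    mad = 1.4826 * median(abs(v - med) for v in values)
    scores = []
    for v in values:
        if mad == 0:
            scores.append(0.0 if v == med else float("inf"))
        else:
            scores.append((v - med) / mad)
    return scores


def flag_outliers(records, threshold=DEFAULT_THRESHOLD, by_peer_group=True):
    """Return sorted [(host, role, z)] for hosts whose |z| exceeds the threshold.

    by_peer_group=True scores each host only against hosts with the same
    role. by_peer_group=False scores every host against the whole fleet,
    which is what a context-free baseline does.
    """
    groups = defaultdict(list)
    for host, role, value in records:
        key = role if by_peer_group else "all"
        groups[key].append((host, role, value))

    flagged = []
    for members in groups.values():
        zs = robust_zscores([value for _, _, value in members])
        for (host, role, _), z in zip(members, zs):
            if abs(z) > threshold:
                flagged.append((host, role, round(z, 1)))
    return sorted(flagged)


if __name__ == "__main__":
    print("peer-group baseline:", flag_outliers(SAMPLE_TELEMETRY))
    print("fleet-wide baseline:", flag_outliers(SAMPLE_TELEMETRY, by_peer_group=False))
```

With peer groups, `ws-05` stands out immediately because it moved roughly twenty times the data of the other workstations; against the fleet as a whole its 2,400 MB sits between the workstations and the databases and looks unremarkable. The role label is the "business context" of the first point, and the flagged list is the shortlist the second point says analytics should hand to the team.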
As the SANS report indicates, “…attackers are taking advantage of the fact that organizations are not finding the indicators of compromise within their environments soon enough, nor are they responding to these incidents and removing them quickly enough.” With these three guidelines, you can turn cybersecurity analytics into an important method of identifying and remediating these security gaps.