
Mar 27

Opinion: How do Security Analytics help keep networks secure?

From: ABC (Australia)

Shaun McLagan

Albert Einstein once said that if he were looking for a needle in a haystack he, unlike others, would not stop when he found a single needle but would keep looking for all the needles that might be there. That is a well-advised approach for security analysts; after all, the accepted position today is that attackers will get in. The challenge is to identify the breaches and deal with them as soon as possible, thereby shrinking the window in which damage can be done.

If the needles are the attackers, then the hay is the mass of connections, data, exploits, networks, malware combinations, devices and people who populate the online world. The art and science of information security technology has taught us that attackers are ingenious in their exploits. Identifying and quantifying risks has, therefore, always presented a thorny problem, with the deck stacked against those who seek to defend and in favour of those who seek to attack.

A further challenge is that increasingly sophisticated cybercriminals tend to know which methods defenders are practising, so they choose strategies and tactics that circumvent those methods.

But the tables are starting to turn. The defenders are obtaining new tools which take the fight straight back to cyber miscreants, and those tools combine a range of existing technologies and methods with Big Data.

Known as Security Analytics, the concept is straightforward – the more useful information there is made available to access and analyse, the more defenders know, and the more they know, the better they can anticipate and eliminate threats to the security of data and systems.

The problem

While technologies and processes to prevent attacks are necessary (common ones include antivirus, intrusion detection and firewalling), attackers are likely to be using methods or exploits that these controls will not stop. Instead, attackers remain undetected on the network, observe legitimate user behaviour and then mimic it to gain deeper access; in doing so they create anomalies, small departures from the way real users actually behave. Early detection of those anomalies is therefore increasingly important, because an anomaly may be the only signature a new intrusion technique leaves behind.

This makes the case for security monitoring across the full spectrum of what is encountered on the network and the internet. The immediate issue is one of both complexity and volume. Once you factor in the enormous range of threats faced by any organisation using information technology, the probability rises that gaps are appearing in its armour, even if each individual component is as secure as it can be.

Security Analytics takes the existing concept of Security Information and Event Management (SIEM) a few steps further by acting as an aggregator. It brings together technologies from existing security and non-security categories: Network Security Monitoring, malware analytics, forensics, compliance, and Big Data management and analytics. It combines a cross-discipline set of techniques, taking advantage of information management technologies alongside security tools, to deliver insights that were not possible before.

Compliance isn’t enough

High-profile security breaches are not uncommon. Some of the world’s most recognised companies, which have invested in, and passed all legally binding requirements for data security, still fall victim to cyber attacks. This is a stark reminder that regulatory compliance, while necessary, is not sufficient. Again, attackers probably know the law just as well as the compliance officer does and, therefore, know how to circumvent it.

Security Analytics takes defence several steps further. Rather than looking only for 'classic', signature-based signs of compromise, it seeks out any unusual or anomalous behaviour. It does this on a massive scale and at speed. The result is that analysts' attention is drawn early to what needs to be detected, investigated and remediated. A better-equipped security team achieves compliance almost as a by-product of that central focus and keeps the network safer as a result.
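The two passages above, the attacker who mimics a legitimate user and leaves only an anomaly behind (under "The problem") and detection that looks for unusual behaviour rather than known signatures (this section), both describe baseline-and-deviation detection. The following is an added example written for this page; it is not code from the article or from RSA. It builds a per-user baseline of which source host, which destination and which time-of-day bucket each account normally uses, then scores later events by how many of those attributes the account has never exhibited. The log format, the attribute set, the hour buckets, the threshold and every log line are constructed assumptions for illustration.

```python
"""Per-user behavioural baseline with deviation scoring over access logs.

Added example, not code from the article or from RSA. The log format, the
attribute set (source host, destination, hour bucket) and the threshold are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data): one event per line as key=value pairs.
# The training window: how alice and bob normally behave.
BASELINE_LOGS = [
    "ts=2014-03-17T09:02:11 user=alice src=ws-alice-01 dst=fileshare-01 action=login",
    "ts=2014-03-17T09:40:52 user=alice src=ws-alice-01 dst=mail-01 action=login",
    "ts=2014-03-18T10:15:03 user=alice src=ws-alice-01 dst=fileshare-01 action=login",
    "ts=2014-03-18T16:55:40 user=alice src=ws-alice-01 dst=mail-01 action=login",
    "ts=2014-03-17T08:30:00 user=bob src=ws-bob-02 dst=hr-db-01 action=login",
    "ts=2014-03-18T13:05:27 user=bob src=ws-bob-02 dst=hr-db-01 action=login",
]

# The detection window: alice's credential is later used from bob's workstation,
# at night, against a server she never touches (the mimicry the article describes).
LATER_LOGS = [
    "ts=2014-03-20T10:01:09 user=alice src=ws-alice-01 dst=fileshare-01 action=login",
    "ts=2014-03-20T19:30:44 user=alice src=ws-alice-01 dst=mail-01 action=login",
    "ts=2014-03-21T02:15:33 user=alice src=ws-bob-02 dst=hr-db-01 action=login",
    "ts=2014-03-21T11:00:00 user=bob src=ws-bob-02 dst=hr-db-01 action=login",
    "ts=2014-03-21T11:05:12 user=bob src=ws-bob-02 dst=dc-01 action=login",
    "ts=2014-03-21T03:40:00 user=svc-backup src=ws-bob-02 dst=dc-01 action=login",
]

# Attributes that make up a user's behavioural profile (an assumption of this example).
ATTRIBUTES = ("src", "dst", "hours")


def hour_bucket(hour):
    """Coarse time-of-day bucket; scoring exact hours would make every login 'new'."""
    if 8 <= hour < 18:
        return "business"
    if 18 <= hour < 22:
        return "evening"
    return "night"


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict and derive the hour bucket from the timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    hour = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S").hour
    fields["hours"] = hour_bucket(hour)
    return fields


def build_baseline(lines):
    """Record, per user, every value seen for each profiled attribute."""
    baseline = defaultdict(lambda: {attr: set() for attr in ATTRIBUTES})
    for ev in map(parse_event, lines):
        for attr in ATTRIBUTES:
            baseline[ev["user"]][attr].add(ev[attr])
    return dict(baseline)  # plain dict so later lookups cannot grow the baseline


def score_event(baseline, ev):
    """One point per attribute the user has never exhibited; unknown users score max."""
    if ev["user"] not in baseline:
        return len(ATTRIBUTES), ["no baseline for user"]
    known = baseline[ev["user"]]
    reasons = [f"new {attr}={ev[attr]}" for attr in ATTRIBUTES if ev[attr] not in known[attr]]
    return len(reasons), reasons


def detect(baseline, lines, threshold=2):
    """Return the events whose deviation score reaches the threshold, in log order."""
    hits = []
    for ev in map(parse_event, lines):
        score, reasons = score_event(baseline, ev)
        if score >= threshold:
            hits.append({"event": ev, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for hit in detect(base, LATER_LOGS):
        e = hit["event"]
        print(f"{e['ts']} {e['user']} score={hit['score']} {'; '.join(hit['reasons'])}")
```

Run as written, it flags alice's 02:15 login from ws-bob-02 to hr-db-01 (new source, new destination, new hour bucket) and the never-seen svc-backup account, while alice's single evening mail login and bob's first visit to dc-01 score only one point each and stay below the threshold. Two caveats a practitioner would keep in mind: the baseline is only as clean as its training window, so an attacker already present while it is built becomes 'normal', and the bucket granularity and threshold directly set the false-positive rate, which is why such scores are triage input for an analyst rather than an alert on their own.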

Next-generation Security Operations Centres (SOC)

Businesses are recognising the necessity for security monitoring, borne out by Gartner statistics, which have revealed that 22 per cent of organisations have implemented a monitoring system or are currently in the process of doing so, and a further 21 per cent plan to do so in the next 12 to 24 months.

With security monitoring firmly in the spotlight, organisations should be questioning whether traditional SIEM solutions do enough to keep smart, well-resourced and determined attackers out. Since attackers are likely to know what these solutions are looking for, the answer is ‘no’.

Security Operations Centres (SOC) need detection capabilities that go beyond the traditional security paradigm. Security Analytics provides that capability, enabling organisations to gain control of digital risks, judge how critical a threat is, and reduce the time an attacker can roam free in the network from weeks to hours.

Shaun McLagan is General Manager, Australia and New Zealand at RSA, the Security Division of EMC
