SANS recently released a sponsored report, “Analytics and Intelligence Survey 2014” by David Shackleford. I found the data interesting when read in detail, but would like to see more analysis and recommendations rather than graphs of data. I’ve followed Shackleford’s publications in the past, and this report may be more reflective of the sponsors’ areas of interest than his analytic abilities.
In Table 1. Impediments to Attack Detection and Response
The highest ranked is “lack of visibility into applications….” While certainly true, visibility alone won’t solve the problem. Security practitioners will never be experts at every application an organization needs to do business. Logs from applications without security relevance are as useless as not collecting the data in the first place. New techniques are required. Securonix uses user and peer behavior analysis to normalize and make sense of applications that often include only transaction data, by watching for unusual commands, unusual volume and peer anomalies any application can be baselined and unusual activity uncovered.
The second highest impediment to security is cited as “… [the] inability to understand and baseline ‘normal behavior’.” Work with many clients has shown this to be the bane of both management and security personnel alike. Security engineers are constantly trying to teach tools about what the network looks like, but have too little actual data themselves. Management struggles with the cost and number of people required to support effective security.
Machine learning algorithms and aggregation of new data sources (including identity data) in Securonix directly address this costly and common problem. The system now learns “normal” from logs and data sources, rather than having to be taught by a security team that may have too little knowledge of what they’re actually protecting.
Later in the paper, in the “Use Cases” section, a call for these new capabilities and techniques can be inferred from an analysis that states “…the top three use cases driving the tools and services today…” were “finding the unknown threat”, “insider threats”, and “visibility”.
In Table 2. Satisfaction with Analytics Capabilities Today
I found the satisfaction level for “Ability to quickly correlate events to users” to be higher than expected. Having presented at multiple SIEM conferences on the need for identity data, and having managed a team responsible for over 300 SIEM projects, I found identity data a rarity. Most threats are traced to an IP address and the user is at best inferred, based on who normally uses the host.
Understanding the user, their department, their job and role, can be the difference in identifying a threat and qualifying the event as normal within seconds rather than after days of investigation; the importance of which cannot be stressed enough.
Securonix, by actively connecting, collecting and correlating identity data from IAM tools, Active Directory and human resource flat files, is designed with user context in mind.
Figure 4. Detection and Response Team Size
More than 60% of companies have fewer than four people for all detection and remediation capabilities, an unfortunate fact that drives both the need for intelligent self-learning tools and proper training. Our staffs are “mean and lean” and likely to stay that way. We must enable them or join the ranks of the disgraced in the papers as our data is stolen and used against us.
Figure 6. Initial Security Event Detection
In a sad testament to our limited defensive capabilities, IDS and Endpoint AV are still the #1 and #2 detection techniques. Signature-based defenses cannot be relied upon to detect ever evolving attacks, nor can they prevent the insider (the second highest desired use case) or compromised accounts from stealing or tampering with our data.
Figure 7. The Role of Big Data in Event Management and Security Intelligence
Big Data has struck home for 61.4% of respondents as part of the future solution, while 34.5% are still skeptics. Hadoop (and its ilk), are here to stay. Big data alone is not a solution. Threat models that reach into big data with a purpose, producing security-relevant results are required. While interesting, data modeling and data science tools can answer only those questions the analyst knows to ask. Finding the unknown and insider is not a simple query.
Figure 8. Current and Planned Control Integration with Analytics
Shackleford posits the question “What types of detective technologies do you need….?” Relative to planned spending (red bars), NAC and Network Malware are #1 and #2 on the list. I believe the number one and two slots are at the top not because of capability, but because of a new popularity. The more interesting “user based monitoring” and “unstructured data analysis” as the #3 and #4 top needs fits more directly with other findings that indicate the need for baselining normal, finding insider threats and application visibility.
The next generation of user-based analytics with security-specific use cases are available to address these key needs today in Securonix.
Figure 12. Future Investments in Analytics/Intelligence
This shows “User Behavior monitoring”, “Big Data”, “Application Protection” and “Cloud based monitoring”, as high, but not top priorities which seems incongruent with the most needed use cases and areas of lowest satisfaction. Securonix has solutions for each of these new focus areas with content aimed squarely at solving the most sought after and needed new use cases.
I hope we will see future papers and posts on solutions to the areas identified by the 2014 surveys. If not, those interested need only call us, we’ve got you covered at Securonix. J