Security Analytics – Looking Beyond the Buzzwords

As new security breaches continue to be identified at big-name companies, “cyber” buzzwords keep coming up in everyday discussions. Terms such as “APT”, “Spear Phishing”, “Cyber Kill Chain” and “Advanced Malware” have become major talking points.

Security companies are coming up with solutions that provide advanced threat intelligence, machine learning algorithms, advanced behavior analytics and other complex techniques as ways to combat cyber-security challenges.

Putting buzzwords and techniques aside for a moment, think about the challenges with recent breaches. What do we learn?

Take the latest Anthem breach, for example. An Associated Press article suggested that credentials of five tech resources within Anthem may have been comprised. The attack was uncovered when a systems administrator noticed a database query being run using his identifier code, although he hadn’t initiated it. The Premera Blue Cross breach provides another example. According to a Wall Street Journal article, the attacker gained unauthorized access to the systems, thus potentially allowing access to personal information.

Does this surprise us anymore? Many recent breaches are linked to compromised credentials, account takeover or misuse of credentials. The attackers may get into your environment using sophisticated techniques, but ultimately they will need to use valid credentials to access the data of interest.

How can Security Analytics help?

The actions of attackers tend to blend in with the daily authorized activities of users. Security Analytics derives a baseline for normal activities without having to manually define what is bad. These could be baselines for queries run on databases, processes run on POS devices or patient data accessed through a healthcare application. Once a baseline is established, Analytics can detect anomalous activities.

Identifying anomalous activity is a step in the right direction; however, without adequate “context,” this information may not be actionable. In that case, it just adds to the noise and the number of false positives.

This leads to the question of how to build the right context that makes these anomalies actionable.

For this, you need to know which events to baseline on your systems, how to correlate the anomalous events with other data sources, how to identify sequence of events is suspicious and finally, how to recognize known bad events which in isolation might not mean much but in the context of the anomalies could be very suspicious.

While many security companies offer Security Analytics based solution, only a select few have been able to package the right context data into out-of-the-box threat models.

In working with Fortune 500 companies with massive volumes of data, I have realized that unless you have out-of-the-box threat models which are industry specific, it may take months of data crunching to arrive at actionable threats.

You must also consider infusing human intelligence into Security Analytics. Your knowledge of the environment can be critical in prioritizing threats. Questions to consider:

  • Are certain assets more critical than others?
  • Are there certain data elements (keywords, file types) that are more sensitive?
  • Can you designate certain users as high risk?

Lastly, but equally important: can your Security Analyst visualize the anomaly that the Security Analytics solution identified? Is he able to drill down and look at the root cause? For a Security Analyst, having full context for the anomalous activities and surrounding events is critical to either act urgently or quickly disregard them as false positives.

In summary, as attacks get more complex and diverse, Security Analytics can be the solution to identifying malicious activities that blend in with your daily activities. However, mere complex algorithms are not going to be sufficient. Applying the right threat models, infusing human intelligence and visualization are the keys to success.