Many organizations use analytics as an integral part of their business operations — to proactively uncover hidden meaning behind customer behavior, improve service delivery and identify fraud, to name a few. More recently, analytics has also become part of organizations’ IT security operations, though largely limited to forensic investigations. While forensics are an important tool in the security engineer’s toolbox, they only show what has already happened; they cannot detect threats that are active in the network right now.
Seeking better situational awareness — and earlier threat detection — organizations often capture network data and store it in massive data lakes for analysis. However, this practice does little to move security analytics earlier in the kill chain. In the data lake, the network data may sit in separate collections or silos, resulting in a less-than-full picture of the current security posture. As organizations further comprehend the potential of Hadoop, more will likely move their analytical capabilities closer to the data. With those capabilities running where the data resides, rather than shipping the data elsewhere to be analyzed, organizations can increase their understanding of what’s happening in their networks.
Here, security analytics can help reduce the time to detect a significant threat, identifying abnormalities indicative of threats during delivery, exploitation, installation or command and control activities. Security teams can then take the appropriate action to reduce the risk of further threat escalation and success.
Finding threats before the attacker has a widespread presence also helps the organization lower investigation and remediation costs. IT teams may have fewer devices that require reimaging or replacement, lowering operating costs. Detecting the subtle behavioral anomalies of a dormant attacker is computationally more complex — an organization could spend more resources confirming exfiltration indicators after the fact than it would have spent detecting suspicious behaviors before they became a problem.
Security analytics on high-speed, high-volume data provides the best opportunity for organizations to review good and bad network traffic, made possible by advances in hardware, software and streaming technologies. This behavioral security analytics requires a significant shift in security philosophy: we are no longer looking just for what we know to be bad, but are instead looking for divergence from known normal. With a better understanding now of what’s normal and what’s not, organizations can move the needle on threat detection.
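As an added illustration of the "divergence from known normal" idea described above (example code, not from the original article or from SAS), the following builds a per-host baseline from a constructed window of hourly network summaries and scores the current hour with a robust (median/MAD) z-score, so that the odd spike inside the baseline itself does not distort "normal". The host names, feature set and threshold are assumptions for the example.

```python
from collections import defaultdict
from statistics import median, mean

# Constructed hourly per-host summaries: (host, bytes_out, distinct_destinations).
# BASELINE is the "known normal" window; CURRENT is the hour under review.
BASELINE = [
    ("ws-17", 1_200_000, 12), ("ws-17", 1_350_000, 15), ("ws-17", 1_100_000, 11),
    ("ws-17", 1_500_000, 14), ("ws-17", 1_250_000, 13), ("ws-17", 1_400_000, 12),
    ("ws-17", 1_300_000, 16),
    ("srv-db", 40_000_000, 3), ("srv-db", 41_500_000, 4), ("srv-db", 39_000_000, 3),
    ("srv-db", 40_500_000, 2), ("srv-db", 40_000_000, 4), ("srv-db", 42_000_000, 3),
    ("srv-db", 39_500_000, 5),
]
CURRENT = [("ws-17", 9_800_000, 13), ("srv-db", 41_000_000, 47)]

FEATURES = ("bytes_out", "distinct_destinations")


def robust_zscore(value, history):
    """Median/MAD z-score: resistant to the odd spike inside the baseline itself."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Degenerate baseline (no spread): fall back to mean absolute deviation,
        # and treat any change from a perfectly constant history as divergence.
        mad = mean(abs(x - med) for x in history)
        if mad == 0:
            return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def build_baseline(records):
    """Per-host, per-feature value history from the known-normal window."""
    history = defaultdict(lambda: defaultdict(list))
    for host, *values in records:
        for name, value in zip(FEATURES, values):
            history[host][name].append(value)
    return history


def detect_divergence(baseline_records, current_records, threshold=3.5):
    """Return (host, feature, score) for each current value that diverges from normal."""
    history = build_baseline(baseline_records)
    alerts = []
    for host, *values in current_records:
        for name, value in zip(FEATURES, values):
            past = history.get(host, {}).get(name, [])
            if not past:
                continue  # no baseline yet for this host: nothing to compare against
            score = robust_zscore(value, past)
            if abs(score) >= threshold:
                alerts.append((host, name, round(score, 1)))
    return alerts
```

On the constructed data the workstation's outbound volume and the database server's sudden fan-out to many destinations are flagged, while the values that stay within their own history are not; neither alert depends on a known-bad signature.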
Sheldon Shaw is a cyber analytics specialist with SAS. Having spent the last 20 years working with data, information and intelligence, Mr. Shaw brings a variety of experiences and interests to the analytics field. Mr. Shaw spent 15 years working in the national security community and now engages clients in a myriad of conversations, from big data analytics to cyber to the security of things (SoT).
LinkedIn: Sheldon Shaw