Security Analytics: Shedding Light on a Dark World

Chief Product Officer, BAE Systems Applied Intelligence
Security analytics comes down to looking deep inside the business to understand what data is being analysed and what methods are being employed to do so.
How easy life would be if security analytics were something you could ‘bottle up’ and deliver to those that needed it – almost like a medicine to relieve their security aches and pains, and get them back up on their feet again.
Sadly, most things in life are not that simple. And yet there are many in the industry who believe that ‘security analytics’ is a technology in its own right. Wishful thinking? Perhaps. Or maybe it’s a case of those seeking a single, nicely packaged solution being told there is one.
In other words, a customer with an urgent problem to solve will always find someone with a product to sell them. Just how appropriate that might be in meeting their requirements becomes the question.
There’s no doubt that security analytics is a grey area – even a black hole – when it comes to defining what it is and does. Ultimately, there are lots of specific techniques and technologies contained within this umbrella term, but not all are pertinent to every security problem to which they tend to be applied.

What is security analytics really all about?

The reality is that customers have overinvested in security tools – and yet still there is no silver bullet. So, it’s worth stepping back a moment and asking the question: “What is security analytics really all about?”
To my thinking, it’s about finding ways to process large amounts of data to help security practitioners do their jobs better. That means stepping away from the ‘Invest-Reinvest-Invest Again’ cycle and making existing tools work better together through managed security services (MSS), and then applying security analytics as a method of threat-hunting within client data.
Security analytics comes down to looking deep inside the business to understand what data is being analysed and what methods are being employed to do so. That will ensure the right issues are identified that need to be resolved – and then having existing tools configured to execute on that.
Such tools work best in an advanced SOC environment, where a combination of integrated tools, automation, orchestration, threat-hunting and incident responders are constantly at the ready. Equally, this gives organisations full visibility across digital channels, not limited to NetFlow or SMTP, as is too often the default position.
Other essentials for optimising security analytics?
  • Seek out slow and low APTs – not just analysing a week’s worth of logs, but 30 days plus. Anything less than that and there’s a high probability something critical will be missed.
  • Monitor and alert in real time, not just via a 7-day reporting system where the threat impact will only intensify.
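As an added illustration of the first point above (not code from the original post or from BAE Systems), the following Python script runs a simple recurrence check over constructed egress log lines: a host that contacts the same external domain once every five days is invisible to a 7-day look-back but stands out clearly across 30 days. The log format, host names and domains are invented for the example.

```python
"""Look-back window length vs. low-and-slow beacon detection (hypothetical example).

Each constructed log line is "<ISO timestamp> <src_host> <dst_domain>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2016, 12, 11)  # analysis time for the constructed dataset


def build_sample_logs():
    """Constructed sample: ws01 browses normally several times a day; ws07 contacts
    one external domain exactly once every 5 days for 40 days (a slow beacon)."""
    start = datetime(2016, 11, 1)
    lines = []
    for day in range(40):
        base = start + timedelta(days=day)
        for hour in (9, 12, 16):
            lines.append(f"{(base + timedelta(hours=hour)).isoformat()} ws01 cdn.example.com")
        for hour in (10, 14):
            lines.append(f"{(base + timedelta(hours=hour)).isoformat()} ws01 mail.example.com")
        if day % 5 == 0:
            ts = base + timedelta(hours=2, minutes=17)
            lines.append(f"{ts.isoformat()} ws07 update.example.net")
    return lines


def parse(line):
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def low_and_slow(lines, window_days, now=NOW, min_active_days=4, max_per_day=1):
    """Return (src, dst) pairs that recur on at least min_active_days distinct days
    within the look-back window while never exceeding max_per_day events per day.
    Regular but very sparse contact is the signature of a slow beacon; busy,
    legitimate destinations fail the max_per_day test and are left alone."""
    cutoff = now - timedelta(days=window_days)
    per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, src, dst = parse(line)
        if cutoff <= ts <= now:
            per_day[(src, dst)][ts.date()] += 1
    return {
        pair for pair, days in per_day.items()
        if len(days) >= min_active_days and max(days.values()) <= max_per_day
    }


if __name__ == "__main__":
    logs = build_sample_logs()
    print("7-day window :", low_and_slow(logs, 7))   # set()
    print("30-day window:", low_and_slow(logs, 30))  # {('ws07', 'update.example.net')}
```

The same pair recurs only once inside the 7-day window, so no threshold tuned for a week of data can surface it; the 30-day window sees six evenly spaced contacts.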
Pushing the limits of your existing tools in this way will help expose attacks that would otherwise have been missed, while also speeding up the processing of security alerts – for example, by automatically categorising them or suggesting remediation actions.
In summary, forensically analysing existing log data to hunt for loitering threats is a must for any organisation. Why not step inside our SOC and see how we do it?
Neal Watkins, Chief Product Officer, BAE Systems Applied Intelligence, 19 December 2016