The threat landscape gets more difficult to navigate every day. Organizations of all sizes are struggling to stay ahead of the latest threats and to keep up with all of the security data they are taking in. There is not enough time in the day, or resources available, to effectively process and analyze all of this data. Midsized enterprises in particular, which often have limited security resources, are especially feeling this pinch. These companies would benefit from a platform that helps cut through the noise and identifies the most important threats facing their networks right now. Security Analytics, which combines traditional security analytics products with SIEM platforms, is emerging as a new market. Some industry analysts view Security Analytics as SIEM 2.0. In this post, I will provide clarity around what this emerging market is and the value these platforms offer you and your organization.
What is a Security Analytics platform and is it right for you?
Security analytics has come to the forefront largely in the last couple of years. But if you ask ten people what it is, you are likely to get ten different answers. Forrester defines security analytics as: “Solutions that use machine learning and big data infrastructure to converge logging, correlating, and reporting feeds from security information management (SIM), security solutions, network flow data, external threat intelligence, and diverse endpoints and applications with an aggregate, single pane of glass to detect threats and malicious activity.”
Here at AlienVault we try to simplify it a bit. A security analytics solution is simply a scalable platform to collect, correlate, and analyze security event data from across your network, using threat intelligence to provide the visibility needed to accelerate threat detection and response.
If you cut through all the noise, the crux of the issue is this: does the solution enhance your ability to detect threats and prioritize response? Without that, you’re simply using up your IT budget on a solution with an interesting name.
The “big data” component of security analytics is also worth considering. Big data has become a loaded term in the technology industry, but we think it is apt when describing the underpinnings of a security analytics platform. An effective security analytics solution needs to be built on a big data platform, because there is simply too much data to wade through by hand. Organizations need a platform to capture all of this data, parse it, and effectively correlate it. And the solution needs to apply some “smart” algorithms to that correlation, which is essentially what any practical definition of big data includes.
Regardless of which definition and which terms you prefer, when evaluating a security analytics platform you should focus on the capabilities. The following are a few critical things a security analytics or similar solution must do:
- It must aid in threat analysis
- It must utilize threat intelligence (either native to the platform or external)
- It needs to leverage machine learning
Above all else, any security analytics solution must enhance your threat detection and response capabilities.
Let’s look at each of these items in a bit more detail.
First and foremost, security analytics solutions must aid in threat analysis. Threat analysis is a demanding, time-consuming exercise for security practitioners. It requires you to stay current with the latest threats, techniques, and vulnerabilities, and then apply this knowledge to the activity in your environment. To do so, you need a massive threat data collection process, advanced analytical capabilities to process the data, and time.
A security analytics platform delivers this threat analysis capability by analyzing and correlating your security data, ingesting threat intelligence, and then delivering prioritized threat detection and response guidance.
As noted, a good security analytics platform must utilize threat intelligence. Threat intelligence is another loaded term, with numerous definitions depending on who you talk to. We here at AlienVault define it as the actionable information every organization needs about the latest threats facing its network in order to detect and effectively respond to them. Why is threat intelligence important? It is the essential output of an organization’s threat research and analysis process. It tells you what the threat is, where it originates, which assets in your environment are at risk, and how to respond.
Threat Intelligence enables the security analytics platform to cut through the noise and focus your resources on the most important threats facing your network. Therefore, it is critical that any effective security analytics platform utilize threat intelligence.
Threat intelligence can be produced natively by your security platform, or it can be ingested from a third-party service. Either way, it is a critical component of the threat detection and response process.
A good security analytics platform will also leverage machine learning. What is machine learning when applied to cyber security? Essentially, we’re talking about applying an analytics engine or process to incoming data, evaluating threat indicators to identify anomalies and to uncover new and/or critical threats. This analytics engine needs to be able to use past information to identify new threats. There is simply too much data, and too many possible connections to make, for the typical security team to handle on its own.
It follows that machine learning is a critical component of a security analytics tool. One caveat is that this machine learning capability needs to allow for human input, so that analysts can apply the proper context and nuance to the information surfaced during the threat evaluation and discovery process.
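To make the three capabilities above concrete (correlating events with ingested threat intelligence and producing prioritized response guidance, plus a baseline drawn from past data with analyst-supplied context), here is a small added example. It is not AlienVault's or USM's code; the events, the threat intelligence feed, the asset criticality values and the scoring weights are all constructed for illustration.

```python
# Added example (not AlienVault's code): a minimal correlation pass of the kind
# the post describes. All data below is constructed sample data.
from collections import Counter

# Constructed threat intelligence feed: indicator -> (threat name, response guidance)
THREAT_INTEL = {
    "203.0.113.45": ("Known C2 server (sample)", "Isolate host; block destination at the perimeter"),
    "malware-example.test": ("Malware distribution domain (sample)", "Block domain; scan host"),
}

# Constructed analyst context: asset criticality supplied by a human (the "human input")
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "laptop17": 1}

# Constructed past events used as a baseline: (host, destination, port)
HISTORY = [("web01", "198.51.100.7", 443)] * 40 + [("db01", "10.0.0.5", 5432)] * 60

# Constructed incoming events to evaluate
EVENTS = [
    ("web01", "198.51.100.7", 443),         # routine, seen before, no intel match
    ("db01", "203.0.113.45", 443),          # intel match on a critical asset
    ("laptop17", "malware-example.test", 80),  # intel match on a low-value asset
    ("web01", "10.0.0.9", 22),              # never-seen destination, no intel match
]

def baseline(history):
    """Count how often each (host, destination) pair appeared in past data."""
    return Counter((h, d) for h, d, _ in history)

def correlate(events, intel, criticality, seen):
    """Match events against threat intel and the baseline; return alerts
    sorted by priority (highest score first)."""
    alerts = []
    for host, dest, port in events:
        reasons, score = [], 0
        if dest in intel:                      # threat intelligence match
            name, guidance = intel[dest]
            reasons.append(f"threat intel match: {name}")
            score += 10
        else:
            guidance = "Review; confirm with asset owner"
        if (host, dest) not in seen:           # deviation from the learned baseline
            reasons.append("never-seen destination for this host")
            score += 2
        if score:                              # weight by analyst-assigned criticality
            score *= criticality.get(host, 1)
            alerts.append({"host": host, "dest": dest, "port": port, "score": score,
                           "reasons": reasons, "guidance": guidance})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for a in correlate(EVENTS, THREAT_INTEL, ASSET_CRITICALITY, baseline(HISTORY)):
        print(a["score"], a["host"], a["dest"], "; ".join(a["reasons"]), "->", a["guidance"])
```

Running it yields three alerts, with the critical database host contacting a known-bad address ranked first and the routine web-server traffic producing no alert at all.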
Organizations of all sizes, but especially midsized enterprises, are swimming in security data and simply don’t have the resources or time to navigate the threat landscape effectively on their own. As shown above, security analytics solutions can deliver critical functionality to assist the mid-market company with threat detection, prioritization, and response guidance. Remember to look for a security analytics platform that unifies all the necessary security capabilities, including threat analysis, threat intelligence, and machine learning.
AlienVault delivers all of these capabilities in a single platform at an affordable price point. Our solution is called Unified Security Management (USM), and it includes:
- Threat analysis, delivered by the AlienVault Labs research team, in the form of detection capabilities and response guidance
- Threat intelligence, which utilizes machine learning to generate the threat intelligence, delivered to the USM platform
- A Big Data platform in the form of the Open Threat Exchange (OTX) database, maintained by the AlienVault Labs team
- Five essential security tools, including Asset Discovery, Vulnerability Assessment, Intrusion Detection (both NIDS and HIDS), Behavioral Monitoring, and Security Information and Event Management (SIEM)
- Prioritized threat detection and response guidance
- Reasonable pricing for companies with limited IT resources
All of the above comes integrated in one platform, out of the box.