What is a security analytics solution?
Security analytics applications use both real-time and historical data to detect and diagnose threats. Sources of information include:
- Real-time alerts from workstations, servers, sensors, mobile devices, and other endpoints
- Real-time feeds from other IT security applications (firewalls, intrusion prevention, endpoint detection and response, etc.)
- Network traffic volume and types
- Server logs
- Third-party threat intelligence feeds
Security analytics combines data from the various sources and looks for correlations and anomalies within the data.
A security analytics tool may use different methods for analyzing the data. These include traditional rules-based methods, as well as statistical analysis and machine learning. The application can also incorporate other components to automate and orchestrate events.
The main elements of a security analytics solution are summarized below.
- Behavioral analytics. Abnormal behavior of end-users or applications often indicates a security breach or attack. Behavioral analytics studies patterns of user, application, and device behavior to identify anomalies. For example, financial services companies employ behavioral analysis to detect credit card fraud. An unusually high withdrawal (or a $1 test withdrawal) might signal a stolen card number. Likewise, an end-user who logs on at 2 a.m. to access systems not required for work, or an application that begins sending unusual queries and commands, could indicate a breach.
- Network analysis and visibility (NAV). A NAV application or device analyzes traffic from end users and applications as it flows across the network. The Forrester Wave for Security Analytics Platforms 2018 describes NAV as a collection of tools that includes network discovery, flow data analysis, network metadata analysis, packet capture and analysis, and network forensics.
- Security orchestration, automation, and response (SOAR). Security orchestration, automation, and response (SOAR) is the orchestration hub that handles communication between data gathering, the analysis engine, and threat response applications. Either the security analytics application or an external product such as a security information and event management (SIEM) application can provide SOAR capabilities. A SIEM collects data on network traffic, system events, and potential risks. It then performs analytical functions, such as correlation and statistical analysis.
- Forensics. Security data analytics solutions provide tools to investigate past or ongoing attacks, determine how the IT systems were compromised, and identify remaining vulnerabilities. This can help to ensure that similar incidents don't occur in the future. An example of a forensics tool is McAfee MVISION EDR, which includes artificial intelligence to help guide an investigation. A forensics tools can provide triage for a current threat, as well as case management to organize and summarize the evidence gathered on a suspected attack.
- External threat intelligence. Threat intelligence (TI) itself is not security analytics. However, TI platforms (TIPs) add context to an analytical process. A security software and services company may include a threat intelligence feed as part of its solution. Examples of intelligence feeds are the Department of Homeland Security's free Automated Indicator Sharing (AIS) and Ransomware Tracker, a Swiss security site that focuses on tracking and monitoring the status of domain names, IP addresses, and URLs that are associated with ransomware. McAfee Global Threat Intelligence is a comprehensive, real-time, cloud-based reputation service that develops reputation scores for billions of files, URLs, domains, and IP addresses based on threat data gathered from multiple sources. The sources include millions of global sensors that are monitored and analyzed by McAfee Labs, threat feeds from research partners, and intelligence from web, email, and network threat data.
These three components help a security analytics application detect and prevent complex cyberattacks, including advanced persistent threats (APT). APTs are conducted in stages, each of which might seem innocuous, but that together can create a breach. APTs are often called blended attacks, as they use multiple tactics. An APT may start with an email containing a malicious attachment or link. Once an endpoint is infected, the attacker can gain access to other systems.<
Benefits of security analytics
Security analytics tools can deliver benefits for:
- Rapid detection and response. Security analytics speeds detection and response to cyberthreats. Fast response can help IT to either prevent or lessen the damage that a breach causes.
- Compliance. A major driver of the security analytics market is the need to comply with government and industry regulations. Some regulations require monitoring and log collection for auditing and forensics, and security analysis applications can provide a unified view of all data events taking place. This provides both proof of compliance and the ability to quickly detect and fix instances of potential non-compliance.
Security analytics can help an IT department make sense of the volumes of data flowing in and out of its network and to quickly detect potential threats. By providing real-time intelligence and a historical record of past threats, a security analytics application can protect an organization from a potentially costly data breach or cyberattack. The safety of an organization's data and IT systems increasingly depends on having an effective security analytics solution.