BreachExchange mailing list archives

Security analytics key to breach detection


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 May 2015 19:53:21 -0600

http://www.bankingexchange.com/news-feed/item/5474-security-analytics-key-to-breach-detection

Although security spending is at an all-time high, security breaches at
major organizations are also at an all-time high, according to Gartner,
Inc. The impact of advanced attacks has reached boardroom-level attention,
and this heightened attention to security has freed up funds for many
organizations to better their odds against such attacks by adopting
security analytics.

"Breach detection is top of mind for security buyers and the field of
security technologies claiming to find breaches or detect advanced attacks
is at an all-time noise level," says Eric Ahlm, research director at
Gartner. "Security analytics platforms endeavor to bring situational
awareness to security events by gathering and analyzing a broader set of
data, such that the events that pose the greatest harm to an organization
are found and prioritized with greater accuracy."

Now you SIEM …

When it comes to gathering masses of security data that can be analyzed to
bring greater meaning to security events, security information and event
management (SIEM) technologies are topping the list of likely solutions.

While most SIEM products have the ability to collect, store, and analyze
security data, the meaning that can be pulled from a data store (such as
the security data found in a SIEM) depends on how the data is reviewed.

How well a SIEM product can perform automated analytics—compared with user
queries and rules—has become an area of differentiation among SIEM
providers, according to Gartner.

Applying UBA analytics

User behavior analytics (UBA) is another example of security analytics that
is already gaining buyer attention. UBA allows user activity to be
analyzed, much in the same way a fraud-detection system would monitor a
user's credit cards for theft. UBA systems are effective at detecting
meaningful security events, such as a compromised user account and rogue
insiders.

Although many UBA systems can analyze more data than just user profiles,
such as devices and geolocations, there is still an opportunity to enhance
the analytics to include even more data points that can increase the
accuracy of detecting a breach.

"Today, there are certainly commercially viable applications of analytics
to better position security technologies, such as with SIEM and UBA
providers," says Ahlm. "However, the applications or other problems that
can be addressed for other security markets are still emerging and on the
whole, the security industry is rather immature in the application of
analytics."

The bigger the net, the bigger the haul

As security analytics platforms grow in maturity and accuracy, a driving
factor for their innovation is how much data can be brought into the
analysis, according to Gartner. Today, information about hosts, networks,
users, and external actors is the most common data brought into an
analysis. However, the amount of context that can be brought into an
analysis is truly boundless and presents an opportunity for owners of
interesting data and the security providers looking to increase their
effectiveness.

Analytics systems, on average, tend to do better analyzing lean,
metadata-like data stores, which let them produce interesting findings at
near real-time speed, according to Gartner.

The challenge to this approach is that major security events, such as
breaches, don't happen all at once. There may be an early indicator,
followed hours later by a minor event, which in turn is followed days or
months later by a data leakage event. Gartner says that when these three
things are viewed as a single incident that happens to span, say, three
months, the overall priority of that incident, made up of lesser events,
becomes much higher. This is why "look backs" are a key concept for
analytics systems.
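A minimal sketch of the look-back idea described above, added here as an example and not part of the article or of any Gartner or vendor product: the event kinds, severities, sample timestamps and the priority formula are all assumptions, chosen to show how three low-severity events for one user outrank each other only once a long enough window stitches them into one incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    entity: str     # user or host the event is about
    kind: str       # hypothetical event kinds, see STAGES below
    severity: int   # standalone score as the source system rated it (assumed)

# Constructed sample events (not real telemetry): three weak signals for
# "alice" spread over roughly 80 days, plus unrelated noise for "bob".
EVENTS = [
    Event(datetime(2015, 2, 1, 9, 0), "alice", "phish_click", 2),
    Event(datetime(2015, 2, 1, 9, 5), "bob", "phish_click", 2),
    Event(datetime(2015, 2, 3, 14, 0), "alice", "new_admin_tool", 3),
    Event(datetime(2015, 4, 22, 2, 30), "alice", "bulk_download", 4),
    Event(datetime(2015, 4, 22, 3, 0), "bob", "vpn_login", 1),
]

# The three phases the article describes: early indicator, minor event,
# data leakage. Event kinds not listed here carry no stage information.
STAGES = {"phish_click": 0, "new_admin_tool": 1, "bulk_download": 2}

def correlate(events, lookback):
    """Group each entity's staged events that fall within `lookback` of its
    newest event into one incident. Priority is the summed severity times
    the number of distinct stages covered (an assumed formula), so a chain
    of weak events scores far higher than any one of them on its own."""
    by_entity = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_entity.setdefault(ev.entity, []).append(ev)
    incidents = {}
    for entity, evs in by_entity.items():
        newest = evs[-1].ts
        window = [e for e in evs
                  if newest - e.ts <= lookback and e.kind in STAGES]
        stages = {STAGES[e.kind] for e in window}
        incidents[entity] = {
            "events": len(window),
            "stages": len(stages),
            "priority": sum(e.severity for e in window) * len(stages),
        }
    return incidents

if __name__ == "__main__":
    for days in (1, 90):
        print(f"look-back {days:>2}d:", correlate(EVENTS, timedelta(days=days)))
```

With a one-day window alice's incident is just the bulk download (priority 4); with a 90-day look-back all three stages are stitched together and the priority jumps to 27, while bob stays low in both cases.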

"Ultimately, how actual human users interface with the outputs of large
data analytics will greatly determine if the technology is adopted or
deemed to produce useful information in a reasonable amount of time," says
Ahlm. "Like other disciplines that have leveraged large data analytics to
discover new things or produce new outputs, visualization of that data will
greatly affect adoption of the technology."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
