The increasing importance of security analytics

Author: Simon Howe, Director of Sales ANZ, LogRhythm

Analytics tools are being put to use by businesses across a range of industry sectors, and now many are discovering their value in the area of IT security.

Able to sift through large volumes of data in a short period of time, analytics tools can spot occurrences and trends that would go unnoticed by humans. They are regularly used by retailers to monitor sales patterns, by banks to spot fraud, and by governments to improve the targeting of services.

Purpose-built tools

In the area of IT security, analytics tools have been purpose built to help human analysts detect, respond to and mitigate the impact of cyber threats.

The tools work in a different way from those used in other areas of a business. Rather than trying to identify trends, they use statistical models to spot anomalies in data. The tools can also help to determine whether an anomaly has security implications or is simply the result of a normal operational event.

Security analytics tools also make use of User Entity Behavioural Analytics (UEBA) and machine learning to understand what is authorised activity within an IT infrastructure and what could be a security breach. These items can then be flagged for closer attention by a human.

Size doesn't matter

While making use of security analytics is clearly valuable for large businesses with complex IT infrastructures, it can also add significant value to smaller firms.

Regardless of an organisation's size, security threats can have an impact on operations, customer service, market reputation and brand as well as customer trust. Reducing the likelihood of a successful intrusion by using these tools is therefore vital.

While it's well known that prevention mechanisms such as firewalls can stop a large number of threats, they can only go so far. Zero-day and insider attacks remain an issue and are hard, if not impossible, to stop using prevention techniques alone. Security analytics can go a step further and detect anomalies and occurrences that would otherwise go unnoticed. Even small firms should consider investing in the technology.

Security analytics and networks

One of the most effective areas in which security analytics can be put to work is within an organisation's data network. Because the network touches everything from servers and storage to applications and users, it is a key target for cyber criminals.

A first step is to understand what 'normal' activity on the network looks like. This includes variables such as traffic volumes and bandwidth usage as well as file access patterns. Analytics tools can then monitor for events that fall outside this normal behaviour and alert security analysts when they occur.
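As an added example, not code from the article or from LogRhythm, here is a minimal baseline-and-deviation check of the kind described above, run over constructed hourly outbound-byte counts for a single host. The host name, timestamps and byte values are made up; the baseline uses the median and median absolute deviation (MAD) so that one unusual hour in the learning window does not stretch what counts as 'normal'.

```python
"""Baseline-then-deviate anomaly check (added example, not LogRhythm code).
Assumes flow records have been aggregated per host per hour into a
bytes_out counter; the data below is constructed for illustration."""
from statistics import median

# Constructed learning window: one day of hourly outbound bytes for one host.
BASELINE_SAMPLE = [
    412_000, 398_000, 405_000, 420_000, 390_000, 415_000, 408_000, 401_000,
    396_000, 422_000, 410_000, 399_000, 404_000, 417_000, 393_000, 411_000,
    406_000, 400_000, 419_000, 397_000, 409_000, 402_000, 414_000, 395_000,
]

def robust_baseline(values):
    """Return (median, MAD): a centre and spread that outliers barely move."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad

def deviation_score(value, med, mad):
    """Scaled distance above/below the baseline. The 1.4826 factor makes MAD
    comparable to a standard deviation for roughly normal data."""
    if mad == 0:  # flat baseline: anything different is maximally anomalous
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)

def flag_anomalies(observations, baseline, threshold=4.0):
    """observations: list of (timestamp, host, bytes_out).
    Returns only those scoring above threshold, with the score attached so
    an analyst can triage by severity rather than by arrival order."""
    med, mad = robust_baseline(baseline)
    findings = []
    for ts, host, bytes_out in observations:
        score = deviation_score(bytes_out, med, mad)
        if score > threshold:
            findings.append({"ts": ts, "host": host,
                             "bytes_out": bytes_out, "score": round(score, 1)})
    return findings

# Constructed observations: two ordinary hours and one far outside the
# learned range, which is what an unusually large outbound transfer looks like.
OBSERVED = [
    ("2024-05-01T02:00", "fs01", 407_000),
    ("2024-05-01T03:00", "fs01", 9_800_000),
    ("2024-05-01T04:00", "fs01", 399_000),
]

if __name__ == "__main__":
    for finding in flag_anomalies(OBSERVED, BASELINE_SAMPLE):
        print(finding)
```

A real deployment would learn one baseline per host (or per user) and per time-of-day, and would keep a list of known operational events, such as backup windows, so that expected spikes are not raised to analysts.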

Of course, for the monitoring to work effectively, the organisation will need to have in place people skilled in the use of the analytics tools. These analysts will need to have experience in everything from incident response and forensic analysis to malware analysis and threat investigations.

Often such skill sets can be hard to find. One option is to train existing system administrators so they can make full use of the security analytics tools. A second is to outsource the function to a third-party security firm, which can take over the monitoring and response function.

The role of hardware

While security analytics is clearly software based, it is also important to consider the hardware side of the equation. When it comes to security, visibility is key, and this is best achieved at the hardware layer. Hardware-based solutions also give you a dedicated and predictable set of resources, whereas in a virtual environment shared resources may affect the performance of the system.

Consideration also needs to be given to where the hardware is located as this will have an impact on the way in which security analytics is deployed and used. Alternatives include on-premise, hosted or a mixture of the two.

On-premise hardware is, in some ways, easier to monitor as the organisation has complete control over its deployment and management. It also means it can be upgraded and managed based on a set timetable. Deploying security analytics tools is therefore relatively straightforward.

Hosted or cloud-based platforms can be more difficult as the organisation is reliant on an external party which is likely to have its own security tools in place. A careful review of this capability should be undertaken before any hosting agreements are signed.

Perhaps the best approach is a hybrid of on-premise and cloud-based resources. In this scenario, an organisation can retain data and applications internally while at the same time taking advantage of cloud-based security analytics tools.

Next steps

Once a decision is made to adopt security analytics, it is important that an organisation's IT team first undertakes comprehensive market research and assessments. There is a wide range of options available, and it is important that the tools selected are the most appropriate fit.

It is also vital to undertake an IT audit to ensure that all components within the overall infrastructure can be monitored by the tools. There is little point in deploying security analytics that is unable to access all areas.

By properly deploying and monitoring suitable security analytics tools, an organisation can be confident it is achieving the best possible levels of protection against malicious cyber attacks.

Tags: fraud, cyber criminals, human error, IT Security, zero day, security analytics, CSO Australia, analytics tools, IT infrastructures, User Entity Behavioural Analytics (UEBA)