Security Analytics Facilitates a Risk-based Approach to Security

As organizations realize that the threats to their valuable data assets are increasing despite having more security tools in their environment, the focus in the industry is shifting to a response-based, risk-led approach. Against this backdrop, security analytics is gaining considerable traction. Ryan Stolte, Co-Founder and CTO at Bay Dynamics, dispels some of the confusion in this space and explains why the different security tools in an organization must be integrated and made context-aware to be more effective.

Q. Security analytics (SA), where Bay is primarily positioned, seems to be the flavor of the season. How large is this sub-segment of InfoSec and what are its growth trends?

Security analytics is a rapidly growing space. According to MarketsandMarkets, the security analytics market is estimated to grow from USD 2.83 Billion in 2016 to USD 9.38 Billion by 2021, at a Compound Annual Growth Rate (CAGR) of 27.1%. The research firm also says that North America is expected to hold the largest share of the market in 2016 due to the technological advancements and early adoption of security analytics in the region.

It’s important to point out, however, that there is confusion within the cyber security industry, both on the vendor and end user business side, about what security analytics is. Security analytics is not the same as user and entity behavior analytics (UEBA) or a SIEM. Many vendors and companies use the terms interchangeably when in reality they are very different. As a result, companies waste time, leave gaps in their visibility, hinder their ability to execute and ultimately fail to minimize their cyber risk. The misconception is detailed in a recently released Forrester report. UEBA and SIEM tools are components of a security analytics platform. Security analytics involves analyzing and correlating information coming from companies’ existing security tools, adding a layer of UEBA and contextual business information, and then sending prioritized threat and vulnerability information to the stakeholders (incident responders, line-of-business application owners) who can take action to mitigate the risk. The platform prioritizes threat and vulnerability information based on the businesses’ most valuable assets at risk, so that incident responders and line-of-business application owners only spend time investigating the most critical threats and patching the vulnerabilities that could lead to a compromise of the crown jewels.

Businesses are increasingly using security analytics for cyber risk reduction because the solution facilitates a risk-based approach to security, which is a shift from where the market was just a few years ago. Whereas cyber security was mainly viewed as a “techie” task that only involved the IT and security team putting up firewalls and other siloed technologies, today companies, from the security team up to the board of directors, view cyber security as a risk management issue. They need a measurable, traceable and automated way to prioritize threats and vulnerabilities based on the value of the assets at risk, and to get everybody, including line-of-business owners who are not on the security team but govern valued assets, participating in cyber risk reduction. Security analytics enables that approach and helps companies get the most value out of their existing security investments by making sense of the information coming from their security tools.

Q. Will SA obviate the need for the existing SIEM tools that many companies already have? If yes, why; if not, why not?

SIEM tools complement security analytics. A security analytics platform collects, analyzes and correlates information from companies’ security tools, which includes a SIEM tool, so that IT and security leaders as well as other stakeholders within companies have visibility into the most pertinent information related to their cyber risk and can take mitigation action accordingly.

Businesses can only do so much with a SIEM. It’s a highly intensive, laborious task to store, process and retain thousands of daily events. Security managers spend a third of their day making sure SIEM agents are up and running correctly, which many times they are not. They are so busy trying to keep up with log files that they cannot even leverage their SIEM’s limited analytics capabilities. If they do use them, security managers must create rules telling the tool what kind of suspicious activity they are looking for, such as “show me every time an administrator created and deleted a temporary asset directory in a 24-hour period.” The sources of log data constantly change, with new devices coming in and out, routers switching, new servers, etc., so it takes even more time to adjust the rules.

SIEM is a valuable tool for some SOC functions but it should not replace a security analytics platform. It is merely one part of the security analytics picture.

Q. According to some industry experts, security monitoring tools have failed to detect the most critical data breaches in recent times. As such, these seem to be nothing more than compliance-satisfying activities for organizations. How do you think can CISOs remedy this situation?

It is not so much that security tools didn’t detect the intrusion; it’s more that the alert was there but was overlooked due to the abundance of noise and the mislabeling of the severity of security events. Responders receive alerts generated by tools without any other context, so they don’t see the full story. Individual high severity alerts may not be important, but it’s impossible to know without context, while low severity alerts may be important when viewed in the context of other activities or in the context of the value of the asset at risk. If individual events were woven in with other data, such as whether or not the event affected a valuable asset and whether the person who accessed the valuable asset had a business purpose to do so, responders would know immediately whether the event is indeed urgent and needs to be investigated immediately.

That’s exactly what security analytics platforms do. They marry threats with the kind of context needed for incident responders to know which ones need immediate investigation and for line-of-business application owners to know which vulnerabilities need patching first, all based on the value of the assets at risk. Security analytics platforms eliminate false positives and create a high quality list of only the threats and vulnerabilities that could lead to a compromise of companies’ crown jewels.

Q. While UEBA (user and entity behavior analytics) can help assign risk scores, ultimately, the decision to be taken based on a score is itself a risky proposition wrought with difficulties. Your comments?

If UEBA is used alone to assign a risk score, responders will be flooded with false positives and noise. UEBA is a threat detection tool. It identifies suspicious user behavior but lacks the other context needed to determine if the organization is indeed under attack. For example, a UEBA tool will alert responders if an employee accesses a database he typically would not access; however, it does not include context such as the value of the database at risk and whether there’s an associated vulnerability that could enable that threat to succeed. Without that kind of context, responders do not know which event alerts to chase down first. They cherry pick the ones they think are the most important, only to find out after the fact that those alerts ended up being business-as-usual activities. So, UEBA could assign an employee a risk score; however, the score may be completely inaccurate because the other side of the puzzle – the context side that indicates if that person’s behavior truly puts the company at risk of a breach – is missing.
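The two answers above describe the same mechanism from two angles: a raw alert severity (from a SIEM, UEBA or DLP tool) only becomes a priority once it is combined with the value of the asset, whether that asset carries an exploitable vulnerability, and whether the user had a business purpose to touch it. The script below is an added illustration of that scoring idea; it is not Bay Dynamics' code, and every asset, user, role, alert and weighting in it is constructed for the example.

```python
"""Context-aware alert prioritization (constructed example, not a product's logic).

Each alert carries only what the originating tool knows: a severity and the
user/asset pair. Business context (asset value, open vulnerabilities, role
entitlements) is joined in before ranking, so that a low-severity event on a
crown jewel by a user with no business purpose can outrank a high-severity
event on a throwaway test box.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # business value, 1 (low) .. 5 (crown jewel); assumed scale
    open_vulns: int   # count of unpatched, exploitable vulnerabilities


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str       # tool that raised it: SIEM, UEBA, DLP ...
    severity: int     # tool-reported severity, 1 .. 5
    asset: str
    user: str
    action: str


# Constructed business context: asset inventory, role entitlements, user roles.
ASSETS = {
    "hr-payroll-db": Asset("hr-payroll-db", value=5, open_vulns=2),
    "dev-test-vm": Asset("dev-test-vm", value=1, open_vulns=0),
    "marketing-cms": Asset("marketing-cms", value=2, open_vulns=1),
}
ENTITLEMENTS = {   # roles with a legitimate business purpose per asset
    "hr-payroll-db": {"hr_analyst", "dba"},
    "dev-test-vm": {"developer", "sysadmin"},
    "marketing-cms": {"marketing", "sysadmin"},
}
USER_ROLES = {"alice": "hr_analyst", "bob": "developer", "carol": "marketing"}

# Constructed alerts as the individual tools would emit them, without context.
SAMPLE_ALERTS = [
    Alert("A1", "UEBA", 2, "hr-payroll-db", "bob", "unusual table read"),
    Alert("A2", "SIEM", 5, "dev-test-vm", "bob", "privilege escalation"),
    Alert("A3", "DLP", 3, "hr-payroll-db", "alice", "bulk export"),
    Alert("A4", "SIEM", 4, "marketing-cms", "carol", "admin login from new IP"),
]


def has_business_purpose(user: str, asset: str) -> bool:
    """True if the user's role is entitled to the asset; unknown users get False."""
    return USER_ROLES.get(user) in ENTITLEMENTS.get(asset, set())


def contextual_score(alert: Alert) -> tuple[int, list[str]]:
    """Combine tool severity with asset value, vulnerability and business purpose.

    Weights are illustrative assumptions: asset value multiplies severity, an
    exploitable vulnerability doubles the score, and lack of a business purpose
    doubles it again. Unknown assets are treated as medium value and flagged.
    """
    asset = ASSETS.get(alert.asset, Asset(alert.asset, value=3, open_vulns=0))
    reasons = []
    if alert.asset not in ASSETS:
        reasons.append("asset not in inventory; assumed medium value")
    score = alert.severity * asset.value
    reasons.append(f"severity {alert.severity} x asset value {asset.value}")
    if asset.open_vulns > 0:
        score *= 2
        reasons.append(f"{asset.open_vulns} open vuln(s) on asset: x2")
    if not has_business_purpose(alert.user, alert.asset):
        score *= 2
        reasons.append(f"user {alert.user} has no business purpose on asset: x2")
    return score, reasons


def prioritize(alerts: list[Alert]) -> list[dict]:
    """Return alerts ranked by contextual score, highest first, with reasoning."""
    ranked = []
    for alert in alerts:
        score, reasons = contextual_score(alert)
        ranked.append({"alert_id": alert.alert_id, "source": alert.source,
                       "severity": alert.severity, "score": score,
                       "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SAMPLE_ALERTS):
        print(f"{row['alert_id']} [{row['source']} sev {row['severity']}] "
              f"score={row['score']}: " + "; ".join(row["reasons"]))
```

Running it ranks the severity-2 UEBA alert (a developer reading the vulnerable payroll database with no entitlement) first and the severity-5 SIEM alert on the test VM last, which is the inversion the interview describes. Each row also carries the reasons for its score, so a responder can see why an item was promoted rather than trusting an opaque number.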

Q. A lot of companies, especially in a nascent market such as India, have not really done a data asset prioritization exercise nor do they have strong data governance policies/practices. Are they fit to use an SA platform or tool or should they first put their house in order with data prioritization, access rights and roles, etc.?

Security analytics works best in a large enterprise environment that already has a somewhat mature information security program. Companies need to have security tools already in place such as data loss prevention technologies, SIEM, firewalls and others. Security analytics platforms automate the prioritization of threats and vulnerabilities, but need to be integrated with existing security tools in order to be the most effective.

Q. For most organizations, the cost of security is going up but the threats or potential for breaches are not coming down, even with new investments in new security tools. Why is that so and what should be done in this regard?

The problem is that too many companies keep investing in point solution security tools and do not integrate them so that they are working together. You know the saying, “It takes a village.” That principle also applies to cyber risk management. One security tool alone cannot thwart every data breach. Companies need a portfolio of security tools that are interconnected and working together, not operating in silos only protecting their piece of the puzzle. It’s a daunting task to piece through the insurmountable information coming from existing security tools, trying to figure out how it all fits together into one complete picture. For example, a SIEM identifies an event that could look like an attack in progress. However, there’s no other context, such as whether the threat is to a valued asset and whether there is an associated vulnerability. Security teams get hundreds of those kinds of events and do not know which ones to chase down first. They are also manually following up on event alerts and identified vulnerabilities, which takes countless hours and gives criminals plenty of time to complete the attack.

Companies also need to shift from a technology-based to a risk-based approach to security. Boards of directors understand the language of risk and they are the main drivers of companies’ cyber risk management programs. Security executives need to identify threats and associated vulnerabilities to the company’s most valued assets and then apply security resources accordingly. They need to report to the board metrics that are understandable, truthful and traceable so that board members can make informed decisions about the direction of the company’s cyber risk management program.

Finally, security must be everybody’s business. Line-of-business application owners who govern companies’ most valued assets must be held accountable for remediating vulnerabilities and providing context to threats to those assets. CISOs merely quarterback the process.

Q. In your opinion, is it necessary for a CIO/CISO to deal with dozens of security vendors for multiple solutions, or can they bring the number down to a more manageable count, say, in the low single digits? In the case of the latter, what tips or advice can you offer them?

Look for companies that use the “plain English” rule. The ones who clearly explain what they do, outside of the acronym-mania and latest trendy tool, are the ones to focus on first and foremost. You should also look for vendors who can offer a comprehensive solution that leverages the security investments you have already made. Don’t just keep tacking on point solutions. Identify where your crown jewels live, evaluate the protections you already have for those assets, and then look at solutions that can tie together and make sense of the information coming from those tools.

Categories: Technology

About Author


Sanjay Gupta

Sanjay Gupta is former Editor at Grey Head Media....
