Why use Security Analytics for the Enterprise?
If you have ever been involved in a breach or an attack in your professional career, the first thing you realize is how security analytics might have detected the attack earlier. As the conspiracy theorists we all are, we believe this is simply not attainable. In the larger picture you are right, because the bad guys do something that we as industry professionals rarely do: they collaborate very well and share information. The security analytics dashboards and alerts you set up, if they are to be efficient and accurate, are key indicators of what could be happening and allow proactive measures to be taken before and while an event is occurring. Now, let's get to why you really want to read this article: what steps can we take to make our tools better connected and evolve our security analytics and tools from a reactive to a proactive state?
First, let's level-set: this methodology requires executive buy-in and investment in the IT and IS departments. It will also require collaboration with your business lines to ensure you are addressing the money makers for your enterprise. So, the first thing is learning from any issues or attacks and feeding that intelligence into our platforms so they alert at proper thresholds. I am a big fan of using standard deviations, which allow me to baseline traffic on a platform such as a SIEM (Security Information and Event Management) against a control set of data spanning anywhere from hours to months as needed. I would not recommend years, as computing the baseline would take a long time and consume cycles the device needs for its normal processing. This gives organizations an early detection capability for network-level as well as device-level events, whether to confirm proper health or to detect a DDoS or an outage early.
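To make the standard-deviation baselining concrete, here is an added example (not code from the article or from any SIEM vendor) that builds a per-hour-of-day baseline from a control set of hourly event counts and flags new observations that fall more than a chosen number of sigmas above or below it. The control set, the diurnal profile, the 3-sigma threshold and the hour-of-day bucketing are all my assumptions; a real deployment would pull the counts from the SIEM's aggregation query over whatever window (hours to months) you choose.

```python
"""Sigma-based baselining of SIEM event volume: an added, constructed example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed control set: a typical diurnal profile of firewall events per
# hour, repeated over seven hypothetical days with a small deterministic
# jitter so each hour-of-day has real variance. In practice this comes from
# an aggregation query over the SIEM for the chosen window (hours to months).
DIURNAL = [120, 110, 105, 100, 100, 130, 300, 800, 1200, 1300, 1250, 1280,
           1100, 1250, 1300, 1290, 1150, 900, 500, 300, 220, 180, 150, 130]

BASELINE = [
    (hour, int(round(base * (1 + ((day * 7 + hour) % 5 - 2) * 0.03))))
    for day in range(7)
    for hour, base in enumerate(DIURNAL)
]


def build_baseline(samples, min_points=3):
    """Per-hour-of-day mean and population standard deviation.

    Bucketing by hour keeps the normal daily cycle (quiet nights, busy
    afternoons) from being flagged as an anomaly.
    """
    buckets = defaultdict(list)
    for hour, count in samples:
        buckets[hour].append(count)
    profile = {}
    for hour, counts in buckets.items():
        if len(counts) < min_points:
            continue  # too little history to trust a sigma for this hour
        profile[hour] = (mean(counts), pstdev(counts))
    return profile


def score(profile, hour, count, sigma=3.0, floor=1.0):
    """Return (z_score, verdict) for one observed hourly count.

    `floor` stops an almost-constant baseline (sd near 0) from turning every
    small wobble into a multi-sigma alert.
    """
    if hour not in profile:
        return None, "no-baseline"
    mu, sd = profile[hour]
    z = (count - mu) / max(sd, floor)
    if z >= sigma:
        return z, "spike"   # volume flood: candidate DDoS, log storm, misconfig
    if z <= -sigma:
        return z, "drop"    # volume collapse: candidate outage or dead log source
    return z, "normal"


def evaluate(profile, observations, sigma=3.0):
    """Score a batch of (hour, count) observations, returning only the alerts."""
    alerts = []
    for hour, count in observations:
        z, verdict = score(profile, hour, count, sigma)
        if verdict in ("spike", "drop"):
            alerts.append({"hour": hour, "count": count,
                           "z": round(z, 1), "verdict": verdict})
    return alerts


if __name__ == "__main__":
    prof = build_baseline(BASELINE)
    # Constructed observations for one day: a flood at 08:00, an outage at 14:00.
    today = [(h, c) for h, c in enumerate(DIURNAL)]
    today[8] = (8, 6000)
    today[14] = (14, 0)
    for alert in evaluate(prof, today):
        print(alert)
```

The two-sided check matters: a spike is the DDoS or log-storm case the article mentions, while a drop is often the first sign of an outage or a log source that silently stopped forwarding, which is a health signal rather than an attack signal but is just as worth an alert.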
Another perspective for proper analytics is to understand what your providers can do for you. Take O365 and Azure. The user-context signals you get as users log in from different geographic locales, along with password-guessing detection, are built into their UEBA (User and Entity Behavior Analytics). These are key analytics to set up for your tenant, and they are relevant because Microsoft has moved its enterprise licensing to O365 in its cloud. Similarly, AWS has very powerful security analytics built into its consoles. Shield lets the AWS security team monitor your workloads and alert you. GuardDuty combines your CloudTrail logs and VPC Flow Logs so you can set up security analytics and use cases that alert you to potential attacks and misconfigurations. This Amazon service provides continuous threat detection across the environment, covering both network and user anomalies. The caveat is that it will not look back: it is not a historical service you can use post-incident, which makes it critical to set up as one of the fundamental security analytics services within your AWS tenant. Using the Well-Architected Framework to further analyze your environment for misconfigurations is an additional security analytics tool that lets customers check their workloads against AWS security best practices before deploying them into production.
"Security analytics takes operational elements to the next level by applying the knowledge of how a hacker thinks to be proactive in the analysis"
As far as proactive controls go, all organizations should have a vulnerability management program. This is one of the most critical programs to build analytics around as a whole. A vulnerability scanner should be set up so that your applications and infrastructure yield reportable key risk indicators (KRIs) for any vulnerable operating systems and software running in your environment. The key here is to stay on top of patching, but from a security analytics standpoint you should also be tracking KRIs, which adds the next layer of security analytics needed in any environment. What this security analytics provides is the trend of the organization's vulnerability and patching program. This is important, along with the others, because it gives executive management a high-level view of the company's security posture and an early indication of what the security program needs, given the trends detailed within these KRIs. Of course, this is only one KRI, but depending on the organization and the needs of the executive board there are many others that can provide good overall insight into your security program and its maturity.
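The following is an added example (not code from the article or from any scanner product) of turning raw scanner output into the KRI trend described above: per scan cycle it computes the share of in-scope assets carrying an SLA-overdue finding and the count of overdue critical/high findings, then reports the direction of each KRI across cycles. The remediation SLAs, the asset names and the three monthly scan exports are constructed assumptions, not figures from the article.

```python
"""Vulnerability-management KRI trend: an added, constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str    # "critical" | "high" | "medium" | "low"
    age_days: int    # days since the scanner first reported it


# Assumed remediation SLAs in days (hypothetical; align to your own policy).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scanner exports for three monthly cycles:
# (cycle label, assets in scope, open findings).
CYCLES = [
    ("2024-01", 100, [
        Finding("srv-01", "critical", 20),
        Finding("srv-02", "high", 40),
        Finding("srv-03", "medium", 10),
        Finding("web-01", "critical", 5),
        Finding("web-02", "low", 200),
    ]),
    ("2024-02", 100, [
        Finding("srv-01", "critical", 50),
        Finding("srv-02", "high", 70),
        Finding("db-01", "high", 31),
        Finding("web-01", "medium", 20),
        Finding("web-02", "low", 230),
    ]),
    ("2024-03", 100, [
        Finding("srv-02", "high", 100),
        Finding("db-01", "high", 10),
        Finding("app-01", "critical", 3),
        Finding("web-02", "low", 260),
    ]),
]


def is_overdue(finding):
    """A finding breaches its SLA once it is older than the allowed window."""
    return finding.age_days > SLA_DAYS[finding.severity]


def kri_snapshot(label, total_assets, findings):
    """KRIs for one scan cycle.

    pct_assets_overdue: share of in-scope assets carrying at least one overdue
    finding (the headline number for the board).
    overdue_crit_high:  count of overdue critical/high findings (the number
    the patching team acts on).
    """
    overdue = [f for f in findings if is_overdue(f)]
    overdue_assets = {f.asset for f in overdue}
    crit_high = sum(1 for f in overdue if f.severity in ("critical", "high"))
    pct = 100.0 * len(overdue_assets) / total_assets if total_assets else 0.0
    return {"cycle": label,
            "pct_assets_overdue": round(pct, 1),
            "overdue_crit_high": crit_high}


def kri_series(cycles):
    """One KRI snapshot per scan cycle, in order."""
    return [kri_snapshot(*cycle) for cycle in cycles]


def trend(series, key):
    """Direction of a lower-is-better KRI from first to last cycle, plus the
    cycle-over-cycle deltas so a single good month cannot hide a bad run."""
    if len(series) < 2:
        return "insufficient-data", []
    values = [s[key] for s in series]
    deltas = [round(b - a, 1) for a, b in zip(values, values[1:])]
    if values[-1] < values[0]:
        direction = "improving"
    elif values[-1] > values[0]:
        direction = "worsening"
    else:
        direction = "flat"
    return direction, deltas


if __name__ == "__main__":
    series = kri_series(CYCLES)
    for snap in series:
        print(snap)
    for key in ("pct_assets_overdue", "overdue_crit_high"):
        print(key, *trend(series, key))
```

Reporting both the overall direction and the per-cycle deltas is deliberate: the board-level story is the direction, but the deltas show the February regression that a first-to-last comparison alone would hide, which is exactly the kind of early indication of program needs the article is after.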
As you can see, security analytics can span a broad spectrum of related items, but in the end they provide the facts behind the story you are telling. Your story might be the proactiveness of your program, shown through SIEM eventing and trending with standard deviations, or it might be about misconfigurations or user behaviors that the analytics reveal as potential malicious actors. Either way, security analytics takes operational elements to the next level by applying the knowledge of how a hacker thinks to be proactive in the analysis behind those operational elements, which would not be indicative of anything without the perspective that security leaders bring to them; that perspective is what makes it security analytics. Setting this up requires time, patience and, frankly, some trial and error to get the proper feedback and security analytics in place, but more and more regulatory and governing bodies are requiring that this be proven out and provided, and executive boards are requiring high-level visibility into the organization's security posture using the aforementioned security analytics.