Analytics
9/10/2013
09:36 AM

7 Starter Steps For Security Analytics Success

Tips for taking security analytics practices to a new level

As organizations try to find better ways to improve their security practices, increasingly they're finding that the secrets to success are not written in runes in a faraway land. They actually exist right there in the enterprise, hiding away in log data, metadata, unstructured data, and plenty of other instrumentation data feeds pumping out information constantly for those willing to harvest and examine them.

Homing in on the right data and scientifically drawing conclusions that mean something to IT and the business isn't easy. But with some focused effort and creativity, it is possible to quickly improve analytics work to better understand IT risks and adjust security practices for better protection of business assets. Here's how the experts recommend building up improvements.

1. Don't Assume SIEM Has Your Analytics Needs Covered
As many organizations seek to take their analysis of security-related data to the next level, it may be time to reimagine what data sets they're using to do that analysis, says Ed Bellis, CEO of Risk I/O.

"People often believe they have security analytics covered because they have SIEM or log management, but there are so many different pieces of data that you need to look well beyond your logs," he says, explaining that everything from HR records to fraud data that traditionally falls outside the scope of IT security provides meaningful intersections with IT security data. "I would also argue that we're not using the data we have anywhere near its full capabilities. It could be the unstructured data in your environment, the metadata in your environment or unstructured data outside your environment -- just being able to close that loop is important."

2. Don't Focus On Data About The Attacker
Taking the focus beyond SIEM data serves another purpose as well: much of the metadata, records data, and additional data about the network that more and more analytics practices lean on is inwardly focused. Taking a closer look at the organization's own ready state, rather than remaining constantly preoccupied with data about potential attackers, is a shift in thinking that many mature organizations need to make to get a better picture of risk, says Mike Lloyd, CTO of RedSeal Networks.

"Don't just think about the bad guy -- think about yourself," he says.

Lloyd says the best way to think about it is to imagine a classic war room with strategists moving pieces around a table with a map. Yes, the strategists are getting intelligence about enemy movements and moving those pieces on the map -- to him that's what SIEM has been doing with the logs. But there are two other critical pieces to the war gaming: force accounting and terrain mapping.

"If you don't know where your forces are, your war room is useless. And if you don't have a map of the terrain, you're not thinking about the problem the right way," he says, explaining that a map of the network acts as the terrain guide, and then an inventory of assets and defenses and their state stand in as the force accounting. "It's not just about the bad guys and what you can see in the logs -- it's about combining that with two other major feeds, which is how your stuff is organized and what the map looks like."

3. Measure What's Important To The Business
As organizations look for additional data feeds beyond log data, the organization's business position within an industry, its business processes, and its assets should all play an important role in deciding what to measure and analyze.

"I think it's important for a business to understand where they're positioned and what they're being attacked by. We are fairly good at handling things like everyday script kiddies, target-of-opportunity attackers," says Michael Roytman, data scientist for Risk I/O. "But specific businesses have specific other attackers, and they probably need to develop practices around measuring how those are affecting them. It's that tiered approach of measuring what everybody's exposed to, and then deciding or at least making a guess about what's specifically unique about your data or your attackers so you can build out a practice on something that comes from an understanding of the business."


4. Watch For Changes To Critical Infrastructure
Once you think about the business needs, it becomes easier to pinpoint critical assets that should be constantly monitored for red flags. According to A. N. Ananth, CEO of EventTracker, whether it is payroll servers, certificate servers, or particular local drives, these critical assets should be watched and analyzed for change.

"Changes should be grouped as either system changes/configuration changes or business knowledge changes," he says. "Because there shouldn't be many changes to these critical systems, it won't take much time to go through them. Grouping provides a lot of bang for your buck."

5. Do Presecurity Analytics
The more organizations begin to pull in a diverse set of data into their analytics operations, the more they'll see the imperfections of data. In order to get the best conclusions from data, it'll take work on the front end to clean up data and also use that clean-up effort to realize where there may be gaps in data collection, Lloyd says.

"As you combine these data sources together, you actually gain something really important: You can notice contradictions," he says. "As soon as you get a collection of assets from two different teams who operate independently in a company, you combine their worlds together, you realize they don't line up. You've got chess pieces that don't fit on the chessboard and empty parts of the chessboard with no chess pieces."

Combining data and then criticizing the data feed to improve its quality presents some good low-hanging fruit for honing analytics work, he says.

"If you start combining feeds, you can realize where the gaps are and realize you're not scanning all your hosts, you don't have all the network under control, you don't have logs in all the right places and so on," Lloyd says.
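Lloyd's "chess pieces that don't fit on the chessboard" and his point about feeds revealing unscanned or unlogged hosts can be turned into a routine reconciliation. The Python below is an added example, not code from the article or from any of the vendors quoted: it takes three constructed feeds (a CMDB asset inventory, the hosts a vulnerability scanner covers, and the hosts shipping logs to the SIEM; all hostnames hypothetical) and reports the contradictions between them, including critical assets that fall into a blind spot.

```python
"""Reconcile independently maintained security data feeds to surface gaps.

Constructed sample data: a CMDB asset inventory (the "terrain map"), the hosts
a vulnerability scanner reports coverage for, and the hosts that actually ship
logs to the SIEM. Each team maintains its feed independently, so they disagree.
"""
from dataclasses import dataclass, field

# Constructed feeds with hypothetical hostnames; real ones come from tool exports.
CMDB_ASSETS = {
    "payroll-01": {"owner": "finance", "critical": True},
    "ca-01": {"owner": "pki", "critical": True},
    "web-03": {"owner": "web", "critical": False},
    "build-07": {"owner": "eng", "critical": False},
}
SCANNER_HOSTS = {"payroll-01", "web-03", "web-04"}       # web-04 is unknown to the CMDB
SIEM_LOG_SOURCES = {"payroll-01", "ca-01", "legacy-db"}  # legacy-db is unknown to the CMDB


@dataclass
class Gaps:
    not_scanned: set = field(default_factory=set)          # in inventory, never scanned
    not_logging: set = field(default_factory=set)          # in inventory, no logs arrive
    unknown_to_cmdb: set = field(default_factory=set)      # seen by a tool, absent from the map
    critical_blind_spots: set = field(default_factory=set) # critical asset missing from a feed


def reconcile(cmdb, scanned, logging):
    """Compare the inventory against each tool feed in both directions."""
    inventory = set(cmdb)
    gaps = Gaps()
    gaps.not_scanned = inventory - scanned
    gaps.not_logging = inventory - logging
    gaps.unknown_to_cmdb = (scanned | logging) - inventory
    gaps.critical_blind_spots = {
        host for host, meta in cmdb.items()
        if meta["critical"] and (host in gaps.not_scanned or host in gaps.not_logging)
    }
    return gaps


def coverage_ratio(cmdb, feed):
    """Fraction of inventoried hosts a given feed actually covers."""
    return len(set(cmdb) & feed) / len(cmdb) if cmdb else 0.0


if __name__ == "__main__":
    g = reconcile(CMDB_ASSETS, SCANNER_HOSTS, SIEM_LOG_SOURCES)
    print("not scanned:", sorted(g.not_scanned))
    print("not logging:", sorted(g.not_logging))
    print("unknown to CMDB:", sorted(g.unknown_to_cmdb))
    print("critical blind spots:", sorted(g.critical_blind_spots))
    print(f"scan coverage of inventory: {coverage_ratio(CMDB_ASSETS, SCANNER_HOSTS):.0%}")
```

Each non-empty set is a data-quality finding to chase down before any analytics built on these feeds can be trusted.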

6. Leverage Internal Business Intelligence Experts
If your organization doesn't have the luxury to hire data scientists to look over and analyze security data, don't give up hope. A little creative thinking and intraorganizational bridge building could give your team access to people with similar skill sets.

According to Bellis, a good tack would be to cozy up with the enterprise's business intelligence team for help with analytics work.

"When it comes to business intelligence, they have their own data warehousing teams and things like that, and they've got a lot of expertise on staff that may not necessarily be trained in information security, but they certainly know the data analytics piece," he says. "Leaning on those organizations can give you a big jump-start, at least into a security analytics program."

7. Remember Security Data Needs Protecting, Too
The more collected data and analysis results a security team amasses, the more those repositories themselves become a target for attackers. As organizations up their analytics game, they have to remember that their security data could be juicier than a lot of corporate data, because it could hold the secrets for unraveling that enterprise's defenses.

"If our security tools are less secure than our network is, they become a weakness that can be exploited by hackers," says Mike Heumann, senior director of marketing for the Endace division of Emulex. "For instance, thick client-based tools can present a security threat in that data is often loaded onto a laptop, which itself could be removed from the enterprise and later lost or penetrated. Keeping data in secure locations in the data center can help to eliminate these types of weaknesses."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
