The continuous evolution of attack tactics and poor threat visibility keeps cyber defenders on their toes, especially when adversaries exploit the human mind with tactics such as phishing and using individually crafted, short-lived weaponizations. As a result, more and more security organizations are prioritizing the use of security analytics to quickly and accurately identify attacks and act before major damage is done.

Why a Fragmented Approach Doesn’t Work

This movement into security analytics is not without its hitches, especially when organizations acquire a fragmented set of analytics tools. At first glance, it seems logical to have separate analytics for networks, endpoints, users, cloud and applications. Highly specialized tools can produce some promising new insights in a small amount of time.

However, when each of these tools is producing high-volume data and individual alerts, analysts must constantly switch between different screens. The result is often a substantial increase in operational cost and time to investigate, scope and decide on remediation steps.

Part of this problem can be tactically reduced by using automation and orchestration, but the real problem arises when the organization is looking to increase the quality and depth of detection by using behavioral analytics or machine leaning, which require a broad, mixed amount of data and substantial training time. While fragmented tools may be good at producing an individual alert, sharing all the underlying data often remains proprietary to the individual tool, preventing organizations from moving to advanced machine learning-based detection. A third problem is the overhead in data management and administration of all these individual tools.

Embrace a Platform-Based Approach to Security Analytics

To avoid this trap, security teams should consider a platform-based approach whereby data ingestion, correlation, management and a broad set of analytics can be tied together. Solid correlation within the entire data stream offers great perspective for moving into more mature detection.

For instance, let’s say an organization wants to increase visibility into service accounts — i.e., accounts used by administrators to configure an application or tool — which are often targeted by adversaries to steal the business’ crown jewels. Not only is the service account login information required, but also other information to identify the real original user, such as where they accessed the account from, what time they accessed it, what other tools they were using and other actions they executed.

This combination requires a lot of correlations, both at the data intake level — adding system name and user name to network data — and downstream at the detection process, such as connecting and measuring individual anomaly events into a risk metric (i.e., combining abnormal process started with abnormal network traffic and user activity outside peer group activity). This level of advanced correlation is almost impossible using fragmented tools because it requires a common reference set of all users, assets, networks and system names — which, in today’s enterprise environment, doesn’t exist or is below satisfaction.

Security analytics offers many benefits to detect, investigate and respond to threats. However, to move toward deep, advanced analytics using artificial intelligence (AI) and machine learning, fragmented tools should be replaced with a platform-based approach that can leverage a broad set of data.

Register for the Oct. 24 webinar

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…