Effective threat management requires security teams to combine security analytics with the abundance of machine-generated data that is prevalent in most enterprise environments. Tools such as network traffic analysis, endpoint detection, security information and event management (SIEM), and user behavior analytics (UBA) harvest this data and reveal who is doing what in the IT environment and when and how they’re doing it. This mix of data can help uncover unknown threats, but it can also confuse some security operations professionals who are not familiar with it when the data is only partially displayed.

For instance, a network link analysis diagram — or, more simply, a list of network connections — can be very informative because it shows critical data sources, but it can also be overwhelming with its thousands of raw connections and IP addresses. Let’s take a look at some common data sources and explore why security teams really need to combine them all to generate a complete picture for detection, investigation and response.

5 Criteria for Advanced Threat Detection

Security analytics sources and methods can be split into three essential security views: who, where and what.

  • Data related to the “who,” often labeled as user and access analytics, provides insights into various identities, related activity, and accessed data or applications. Recently, behavioral monitoring was added to this group to help surface insider threats.
  • The second group, “where,” is best derived from endpoint-based analytics. This data reveals activity and changes on a specific system (client, server, virtual machine, etc.).
  • You can understand the “what” by using network analytics to monitor which applications, machines and users are active on the network and what data they are accessing where.

Register for the Webinar to Learn More About Network Traffic Analytics

Each of these methods offers some advantages from a security operations perspective. Let’s take a deeper look by evaluating five common security operations criteria: deployment, data management, detection, security intelligence for investigation and response.

more from Endpoint

IOCs vs. IOAs — How to Effectively Leverage Indicators

Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security […]

TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware

Malware authors use various techniques to obfuscate their code and protect against reverse engineering. Techniques such as control flow obfuscation using Obfuscator-LLVM and encryption are often observed in malware samples. This post describes a specific technique that involves what is known as metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation […]