Why You Need a Healthy Mix of Security Analytics to Investigate Threats

Effective threat management requires security teams to combine security analytics with the abundance of machine-generated data that is prevalent in most enterprise environments. Tools such as network traffic analysis, endpoint detection, security information and event management (SIEM), and user behavior analytics (UBA) harvest this data and reveal who is doing what in the IT environment and when and how they're doing it. This mix of data can help uncover unknown threats, but any one source viewed in isolation, without the context the others provide, can confuse security operations professionals who are not familiar with it.

For instance, a network link analysis diagram — or, more simply, a list of network connections — can be very informative because it shows critical data sources, but it can also be overwhelming with its thousands of raw connections and IP addresses. Let’s take a look at some common data sources and explore why security teams really need to combine them all to generate a complete picture for detection, investigation and response.

5 Criteria for Advanced Threat Detection

Security analytics sources and methods can be split into three essential security views: who, where and what.

  • Data related to the “who,” often labeled as user and access analytics, provides insights into various identities, related activity, and accessed data or applications. Recently, behavioral monitoring was added to this group to help surface insider threats.
  • The second group, “where,” is best derived from endpoint-based analytics. This data reveals activity and changes on a specific system (client, server, virtual machine, etc.).
  • You can understand the “what” by using network analytics to monitor which applications, machines and users are active on the network and what data they are accessing where.


Each of these methods offers some advantages from a security operations perspective. Let's take a deeper look by evaluating five common security operations criteria: deployment, data management, detection, security intelligence for investigation, and incident response.

1. Deployment

Any analytics solution and the related data sourcing requires some level of planning before use. Network analytics have the lowest barrier here. Packet or network inspection sensors can be deployed on an egress point of the network, typically a SPAN or TAP port, to provide relevant, quick insights. Teams can even start with the flow export their existing routers and switches already support (NetFlow, IPFIX or sFlow) to get insights without major deployment efforts.

Endpoint monitoring, on the other hand, is somewhat harder because clients first need some agent technology to extract system activity. Plus, the agent may need to store events locally in case a client or laptop is not connected. User monitoring is also demanding to deploy because it requires log collection from many sources (directory services, VPN, applications), often with strict requirements for log generation setup, collection and interpretation.

2. Data Management

Purely judging by volume, user analytics may be the easiest source to manage, since logs are somewhat more concise and an essential level of visibility can be obtained with a relatively low volume of data. For instance, a security engineer can use Active Directory (AD) logon events to quickly figure out who accessed the IT environment and when. However, for advanced use cases such as behavioral monitoring and threat hunting, user activity monitoring can become too complex because it requires a lot of data from all levels of the IT infrastructure, such as where the user came from, whether there were anomalies on the client system and how the user's activity compares to that of others in the same group.

The bottom line is that for basic analytics and compliance, user monitoring may require the least amount of data management. However, advanced use cases are much more complex and require a lot of data, retention and semantics.

3. Detection

Most advanced security operations centers (SOCs) are time-driven because earlier detection reduces the impact of an attack. Endpoint detection has some advantage since the endpoint is where most advanced or unknown threats exploit systems. Network detection is also an option, but according to the attack life cycle, it's more effective post-exploitation, when it can detect activities such as lateral movement, command-and-control traffic, or data being exfiltrated. When you see users behaving abnormally, it may be too late — their identity may already be compromised, or the anomaly could be the result of human error, which is hard to analyze in a vacuum.

4. Security Intelligence

IT environments change continuously, and security teams need to be able to find and understand new blind spots quickly. The process of surfacing unknown enterprise corners is often called enterprise security intelligence, a must-have during an investigation.

Network analytics are hugely helpful here: All you need to do is turn on deep network monitoring at the edge of the network to see where data is coming from, where it is going and what type of data is being transferred. As they say, the network never lies. Smart network analytics tools aggregate the data and produce an accurate inventory of which hosts are on the network and when, which you can use during the investigative workflow. Endpoint and user monitoring don't always offer this advantage since they require some setup and can even be turned off by adversaries. One practical caveat: a sensor at the egress point only sees traffic that crosses it, so east-west traffic between internal systems needs internal flow data or sensors, and for encrypted sessions the "what type of data" question is answered from metadata (volumes, timing, destinations, TLS handshake fields) rather than payload.

5. Incident Response

As soon as an attack is spotted, the next step is, naturally, to respond. Assuming the majority of advanced threats today are malware-based, endpoint detection is useful but lacks sufficient network and user views. That's why you should use endpoint analytics to scope and isolate the infection, then use the user and network views to validate the eradication process and determine whether the attack impacted any related systems or users.

Increase Speed and Accuracy With Integrated Security Analytics

As you can see, network and endpoint detection are crucial to gain the level of visibility into user and network activity organizations need to respond to attacks. Along with user analytics, security teams need a healthy mix of this data — and the ability to pivot quickly from one to another — to conduct a successful investigation.

Sounds like a job for a battle-tested SIEM solution. The most advanced tools ingest network, endpoint and user activity data and produce myriad forms of analytics. More importantly, a robust SIEM solution melds and contextualizes these sources of data to inform the security team's integrated viewpoint and workflow. Only with this complete picture can security teams investigate and respond to attacks with the speed and accuracy necessary to keep up with today's threat landscape.
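The two operations described above, collapsing raw connections into a host inventory ("Security Intelligence") and pivoting from a network observation to the endpoint and user views (the integrated SIEM workflow), as an added example. This is illustrative code written for this article, not code from the original post or from any IBM product. It assumes three constructed record sets in NetFlow, EDR and directory-logon style, and a hypothetical list of internal address ranges; every address, user name and process name is made up.

```python
"""Aggregate constructed flow records into a host inventory, flag hosts that
pushed a lot of data outside the internal ranges, then enrich that network
observation with endpoint and user context by pivoting on host and time.
Illustrative example; all records below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical internal ranges an organization would define for itself.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"),
                   ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, bytes_out)
FLOWS = [
    ("2023-03-01T09:00:05", "10.0.1.20", "10.0.0.5", 445, 2_100),
    ("2023-03-01T09:00:12", "10.0.1.20", "10.0.0.10", 389, 800),
    ("2023-03-01T09:02:40", "10.0.1.20", "203.0.113.9", 443, 48_000_000),
    ("2023-03-01T09:03:01", "10.0.1.31", "10.0.0.5", 445, 1_500),
    ("2023-03-01T09:10:22", "10.0.1.31", "10.0.1.20", 3389, 9_000),
]

# Constructed EDR-style process events: (timestamp, host, user, process)
ENDPOINT_EVENTS = [
    ("2023-03-01T08:50:30", "10.0.1.20", "alice", "outlook.exe"),
    ("2023-03-01T09:02:10", "10.0.1.20", "alice", "powershell.exe"),
    ("2023-03-01T09:09:50", "10.0.1.31", "bob", "mstsc.exe"),
]

# Constructed directory logon events: (timestamp, user, host)
LOGON_EVENTS = [
    ("2023-03-01T08:55:00", "alice", "10.0.1.20"),
    ("2023-03-01T09:01:00", "bob", "10.0.1.31"),
]


def ts(s):
    return datetime.fromisoformat(s)


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_RANGES)


def build_inventory(flows):
    """Collapse raw connections into one row per source host: first/last seen,
    distinct peers, and bytes sent to addresses outside the internal ranges."""
    inv = {}
    for t, src, dst, _port, nbytes in flows:
        when = ts(t)
        row = inv.setdefault(src, {"first_seen": when, "last_seen": when,
                                   "peers": set(), "external_bytes": 0})
        row["first_seen"] = min(row["first_seen"], when)
        row["last_seen"] = max(row["last_seen"], when)
        row["peers"].add(dst)
        if not is_internal(dst):
            row["external_bytes"] += nbytes
    return inv


def flag_exfil_candidates(inventory, threshold=10_000_000):
    """Hosts that sent more than `threshold` bytes outside the internal ranges."""
    return sorted(h for h, r in inventory.items() if r["external_bytes"] > threshold)


def pivot(host, at, endpoint_events, logon_events, window=timedelta(minutes=5)):
    """The SIEM-style join an analyst makes when moving from a network
    observation to the 'where' (endpoint) and 'who' (user) views: processes on
    `host` within `window` of `at`, and users logged on to it before the window ends."""
    lo, hi = at - window, at + window
    procs = [(u, p) for t, h, u, p in endpoint_events
             if h == host and lo <= ts(t) <= hi]
    users = sorted({u for t, u, h in logon_events if h == host and ts(t) <= hi})
    return {"host": host, "processes": procs, "logged_on_users": users}


def investigate(flows, endpoint_events, logon_events):
    """End-to-end: inventory -> flagged hosts -> context for the largest external flow."""
    inv = build_inventory(flows)
    findings = []
    for host in flag_exfil_candidates(inv):
        biggest = max((f for f in flows if f[1] == host and not is_internal(f[2])),
                      key=lambda f: f[4])
        ctx = pivot(host, ts(biggest[0]), endpoint_events, logon_events)
        ctx["destination"] = biggest[2]
        ctx["bytes"] = biggest[4]
        findings.append(ctx)
    return findings


if __name__ == "__main__":
    for finding in investigate(FLOWS, ENDPOINT_EVENTS, LOGON_EVENTS):
        print(finding)
```

The pivot key is deliberately (host, time window) rather than user or process alone: the network sensor knows only an address, the agent knows the process, and the directory knows the account, and the time window is what lets the three be joined without any shared identifier. In a real SIEM the same join is expressed as a correlation rule or a saved search over the three indexes.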

Bart Lenaerts

IBM Product Marketing

Bart started his career as a network systems analyst working for a large financial organization in Belgium. In 1999 he...