If you were asked to name a current hot topic in security, would you say analytics? Chances are good that you might, especially if you’ve ever worked in an organization facing a cognitive overload situation. In addition to that data deluge, security teams face sophisticated adversaries, long and slow attacks, devious insider threats and successful phishing attacks. Daily incidents must be triaged and remedied in decreasing importance.
Security analytics can provide the vital signs needed to identify and rank these threats. Some analytical tools are excellent search engines that can be trained on security data, but without developing sophisticated queries accounting for multiple conditions, all they can produce are long lists of meaningless events — no basic prioritizations and limited network context. Such lists are then picked up by an insufficient pool of security analysts tasked with figuring out what, if anything, is going on. Is it a good day if you’ve found nothing?
Diagnosing Symptoms With Security Analytics
After listening to a video featuring IBM Senior Vice President John Kelly talking about cognitive solutions and Watson at MIT’s EmTech 2015 event, I couldn’t help but draw multiple parallels between health care and security industry challenges. Health care organizations face a limited pool of trained resources, including doctors, nurses, etc. Its practitioners must digest a huge amount of information in order to render accurate diagnoses. There are simply not enough hours in the day to treat all conditions even when working around the clock. Sound familiar?
What’s different about the security industry is that our patients (networks and infrastructure) don’t come to us complaining with a set of symptoms. Teams must employ sophisticated security analytics and other monitoring techniques to identify the case load. For example, their monitoring tools may flag a user account accessing a bunch of servers for the first time. Perhaps they detect an endpoint that is currently uploading more files to a system than it has within the last six months. Other solutions may reveal that a server is suddenly communicating with IP domains never before seen within the network.
These security symptoms are just that — symptoms. They could be the start of something new or a continuation of a previous incident pointing to a different root cause in the network. They might be completely benign (e.g., a new updating process, someone uploading family pictures over the weekend) or they could be really bad (e.g., a piece of malware dropping its payload).
It takes a skilled security operations center (SOC) analyst to investigate these circumstances. It’s similar to how skilled health workers consult patient histories, study current drug usage and more to identify the true illness and prescribe a treatment.
Two Types of Security Analytics
In both fields, there is a lot of learning that must take place to be effective. Insufficient depth of knowledge results in shortages of doctors or SOC analysts who are presented with more issues than they can typically handle. In security, it is time to start thinking about two types of analytics:
- Detection analytics: Identify when something isn’t right, correlate all related incidents and present threats in a prioritized manner. These capabilities are found within QRadar Sense Analytics.
- Diagnostic analytics: Identify the threat based on symptoms and present a prioritized list of resolutions based on previously observed or understood conditions. These capabilities are what Watson is doing in health care and what cognitive solutions are aiming for in security.
Both types of analytics are important for an effective security operations team to meet the challenges of today and tomorrow. So, the next time you are talking to vendors or partners on the eve a purchase decision, it might be worth asking to see their technology road maps — not only for detection analytics, but also for diagnostic analytics.