High profile security breaches are at an all-time high. The threat has finally reached the boardroom, and we’re seeing increased security spending. Funds are increasingly getting channeled to security analytics platforms, which aim to bring situational awareness to security events by gathering and analyzing data.
With security analytics becoming a hot topic in the industry, at Black Hat USA 2016 we caught up with Ryan Stolte, co-founder and CTO at Bay Dynamics, to get his perspective on cyber security and risk from the inside out.
Misconceptions about security analytics
“Many cyber security experts, which include vendors and in-house security teams, equate security analytics to SIEM and user and entity behavior analytics (UEBA). They use the three terms interchangeably as if they are all one and the same and solve the same problems. As a result, companies waste time, leave gaps in their visibility, ability to execute and ultimately fail to minimize their cyber risk,” says Stolte.
While all three technologies can work together to help companies reduce risk, they are very different when used on their own.
“UEBA is a threat detection tool. IT and security executives have been underwhelmed by vendors promising UEBA as the key to combatting insider threats when in reality it is an important piece of the puzzle, but only one piece. It identifies risky or unusual behavior but lacks the context needed to decipher whether or not a threat is important. That context includes if the threat is to an asset that is highly valuable to the company and if there’s an associated vulnerability,” he says.
Companies today mainly use SIEM tools for log management. They collect events coming from routers, switches, firewalls, network devices, security tools and every other piece of infrastructure that generates a log.
“Security managers spend a third of their day making sure SIEM agents are up and running correctly, which many times they are not. They are so busy trying to keep up with log files, they cannot even leverage their SIEM’s limited analytics capabilities. If they do use them, they have to have significant data skills to create rules to tell the tool what kind of suspicious activity they are looking for. The sources of log data constantly change with new devices coming in and out, routers switching, new servers, etc. so it takes even more time to adjust the rules,” says Stolte.
Security analytics is a more comprehensive concept that brings together multiple analytic methods, including UEBA, and provides a mechanism for non-data scientists to get insights from the data.
“A security analytics platform collects, analyzes and correlates information from companies’ security tools, so that IT and security leaders as well as other stakeholders within companies have visibility into the most pertinent information related to their cyber risk and can take effective action. It also gives traceable and accurate data that IT and security executives can bring to their boards of directors so that they can make informed decisions related to the company’s cyber risk,” he says.
What makes a robust security analytics tool?
As with every popular technology in the industry, there’s an army of marketers trying to embellish every single feature, and those not entirely familiar with the offerings can easily make a choice that will not align with the needs of their organization. So, what’s relevant, and what’s not?
“A robust analytics tool is a complex platform that brings together data from many different third party and custom systems, enriches that data with analytics like UEBA and value at risk, and presents it out to the user in an integrated, cohesive, understandable view. The process of elegantly ‘simplifying’ all of that data and analytics is highly complex, but should not be the administrator’s or end user’s problem. Integrations, analytics and presentation should be as configurable as possible through an intuitive user interface, and not a science project that takes months to stand up and run,” explains Stolte.
Hiding complexity is critical, but succeeding in the large enterprise over the long term also requires extensibility to integrate with enterprise systems like GRC and service management, and the continual augmentation and extension of analytics capabilities.
“To programmatically prioritize and take action against threats and vulnerabilities requires robust IT asset data, including technical asset profiles, the connections between data, infrastructure and applications, and the directory of key contacts associated with each. This is a challenging domain for large enterprises, but is critical to connecting the dots and enabling automation. In the absence of this kind of data, it is extremely difficult and time consuming to connect the dots between threats, vulnerabilities, and asset value, as well as knowing who is responsible for action,” he explains.
“Finally, security management and awareness can no longer be limited to the SOC. It needs to be everybody’s business. The only way to enable that idea in a manageable way is to introduce automation into the equation. Automation should include the bundling of all relevant information and the distribution of that information to the right person, when they need it. That includes classic SOC and responders, but also includes application owners and IT stakeholders.”
The importance of security analytics
As security analytics platforms become more mature and more accurate, the amount of data that can be included into the analysis becomes crucial, and elevates their importance in the overall security architecture of an organization.
“A security analytics platform takes all of the information coming from those tools, makes sense of it, and then delivers only the most pertinent cyber risk information to the stakeholders who can take action to reduce risk. Due to this capability, security analytics platforms enable IT and security executives to get the most bang for their buck on the tools in which they already invested,” says Stolte.
Without a security analytics platform, security teams are overwhelmed with the amount of information coming from their siloed tools and they cannot connect the dots. They don’t know where to start when it comes to patching a vulnerability or investigating an alert.
“Security analytics platforms clear the chaos because they prioritize the information based on all the available information. For example, if a UEBA tool spots unusual access to a system that contains valuable information, the security analytics platform will marry that threat with other context such as the value of that system at risk and whether the individual was indeed given access or not. If it is a high value system and the user was not given access, then the alert will get bumped to incident responders in the SOC and marked as a high severity threat that needs investigating immediately,” concludes Stolte.
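The correlation Stolte describes (a UEBA alert enriched with asset value, entitlement and vulnerability context, then routed to the SOC or to the asset owner as in the earlier point about key contacts and automation) can be sketched in a few lines. This is an added illustration, not Bay Dynamics' code; the asset inventory, user names and routing queues are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample asset inventory (not from the article): value at risk,
# the contact responsible for action, entitled users, and open vulnerabilities.
ASSETS = {
    "hr-db-01": {"value": "high", "owner": "hr-app-owner@example.test",
                 "entitled": {"alice", "hr-svc"}, "open_vulns": ["critical"]},
    "dev-wiki": {"value": "low", "owner": "eng-lead@example.test",
                 "entitled": {"alice", "bob", "carol"}, "open_vulns": []},
}

@dataclass
class UebaAlert:
    user: str
    asset: str
    behaviour: str  # what the UEBA tool flagged, e.g. "unusual access"

@dataclass
class Prioritised:
    severity: str
    route_to: str
    reasons: list = field(default_factory=list)

def prioritise(alert: UebaAlert, assets=ASSETS) -> Prioritised:
    """Marry a UEBA threat with asset value, entitlement and vulnerability context."""
    asset = assets.get(alert.asset)
    reasons = [f"ueba: {alert.behaviour} by {alert.user} on {alert.asset}"]
    if asset is None:
        # Without asset data the dots cannot be connected: route to the inventory owners.
        reasons.append("asset missing from inventory")
        return Prioritised("medium", "it-asset-management", reasons)
    authorised = alert.user in asset["entitled"]
    reasons.append("access entitled" if authorised else "access NOT entitled")
    reasons.append(f"asset value {asset['value']}")
    if asset["value"] == "high" and not authorised:
        # High-value system plus unentitled access: bump to SOC incident responders.
        if asset["open_vulns"]:
            reasons.append(f"open vulnerabilities: {asset['open_vulns']}")
        return Prioritised("high", "soc-incident-response", reasons)
    if asset["value"] == "high" or not authorised:
        # Entitled-but-unusual on a valuable system goes to its owner to confirm;
        # unentitled access to a low-value system goes to a triage queue.
        return Prioritised("medium", asset["owner"] if authorised else "soc-triage", reasons)
    return Prioritised("low", asset["owner"], reasons)
```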