Introduction to security analytics tools in the enterprise

The need for security analytics tools

If a security breach or threat is detected, security analytics software can help by collecting network, log and endpoint data.

The 2013 Data Breach Investigations Report from Verizon found that 84% of successful attacks on IT infrastructures compromised their targets within hours, while 74% of attacks were not discovered for weeks -- and sometimes months or years. One of the reasons it is so challenging to detect attacks is they happen quickly. In addition, data indicating an attack is often dispersed across network devices, servers, application logs and endpoints.

This makes it difficult to analyze a breach in progress and even hinders the ability to assess its impact. Furthermore, according to a Ponenom Institute report, 55% of survey respondents that experienced a data loss could not identify for certain what data was stolen. Improving the speed of detection and analyzing the impact of an attack are key drivers to adopting security analysis and analytics.

How security analytics tools work

Security analytics tools help organizations implement real-time monitoring of servers, endpoints and network traffic, consolidate and coordinate diverse event data from application and network logs, and perform forensic analysis to better understand attack methods and system vulnerabilities. Taken together, these functions help security professionals assess how systems were compromised, which systems were affected and if an attack is still underway.

Security analysis tools do this by providing several broad services to meet the needs of security professionals. These include continuous monitoring, malware detection, incident detection and data loss reporting.

If a security breach or threat is detected, security analytics software can help by collecting network, log and endpoint data. This enables timeline and session analysis that can shed light on how the breach occurred and what systems were affected.

Common analysis tool features

A number of features are common to security analytics software. These systems gather data from server and application logs, endpoint devices, network packets and NetFlows. In addition, they include advanced analytic capabilities with regards to the packet and NetFlow analysis, as well as event correlation.

Expect to see analytic methods based on both rules as well as statistical or machine learning-derived analysis. A statistics-based method might detect anomalous behavior, such as higher-than-normal traffic between a server and a desktop, for example. This could indicate a suspicious data dump. In other cases, a machine learning-based classifier might detect patterns of traffic that's previously been seen with a particular piece of malware.

Security analytics tools also offer a single point of access to event data. The consolidated view is useful for implementing features -- such as timeline reconstruction and forensic analysis -- that support workflows for security analysts. They usually offer tools for compliance reporting, as well. And since visualization methods are almost always required for any complex analysis, expect to see those included in any security analytics product worth considering.

One of the most important aspects of security analytics software is integrating data from different devices and applications, as a single data source may provide insufficient information to understand an attack. For example, a security analyst may need to synchronize network packet data with application log data and endpoint device data to get a comprehensive picture of the steps used to execute an attack.

Support for regulatory compliance is another common feature in security analytics tools, as it is important to be able to demonstrate that proper security controls are in place, functioning and -- most importantly -- being used to mitigate the risk of breaches.

Deploying analytics and analysis tools

Security analytics tools are deployed as software, virtual appliances or hardware appliances.

A dedicated hardware appliance is an appropriate choice for high-traffic networks. Vendors can tailor the hardware and software configuration to the demands of security analytics. These include the need to process large volumes of network traffic -- steadily receiving high volumes of log data -- and to apply computationally intensive analytic methods to that data.

Software and virtual appliances are options when security analytics tools are installed and deployed on existing company hardware that is sufficiently powerful enough to keep pace with the load. These options are well-suited to cases where organizations have the available server capacity to host a security analysis system, and are reasonably confident that they have the computational power in place to scale the deployment to meet any potential increases in load.

Evaluation and costs

When evaluating security analytics tools, it is important to consider not just their analytic capabilities, but scalability and availability as well. Companies must anticipate the need to scale these implementations as traffic increases. Also, consider the need for high availability. If the security analytics platform is down for even a short time, informative events in an attack may be missed.

Cost is also a factor. Hard costs will include software licensing, hardware and training. Security analytics tools collect and preprocess data, but human judgment is still required to interpret the data.

It would also be prudent to take advantage of training from vendors to get the most out of a security analysis tool and to learn best practices from more experienced practitioners. A few crucial tips on how to efficiently filter data or create an insightful visualization could be well worth the time spent in training.

Be sure to anticipate harder-to-quantify costs, such as learning how to perform forensic analysis with the new tools and configuring the tools to collect data from existing security applications.

The need for security analytics tools is growing

Security analytics tools are becoming important as automated security measures such as antimalware and vulnerability scanning are becoming increasingly challenged by emerging threats. These applications complement, they do not replace, existing security controls, however.

The purpose of security analytics is to detect attacks as fast as possible, enable IT professionals to block or stop an attack and provide detailed information to reconstruct an attack. They do this by collecting, correlating and analyzing a wide range of data. These tools also provide analysis environments for forensic evaluations and attack reconstructions. That way companies can study the methods used and vulnerabilities exploited to breach their systems and address weaknesses. Support for regulatory compliance is another common feature.