
Cybereason Detection and Response Platform: Product overview

Expert Dan Sullivan explores how the Cybereason Detection and Response Platform uses big data security analytics to identify malicious events and better secure enterprises.

Big data security analytics is built on a combination of technologies that provide organizations with the ability to collect and integrate large volumes of data, apply analytic techniques to discern rare anomalous events and enable investigation and mitigation activities. Some of the most difficult implementation issues faced by this approach to cybersecurity occur around data integration. How, for example, can an enterprise determine if two seemingly benign events are actually connected to a malicious activity?

This kind of knowledge-intensive analysis was at one time the domain of infosec experts with years of experience. Today, advances in machine learning and statistics enable the automation of some aspects of security data integration.

Enter the Cybereason Detection and Response Platform, which leverages a big data security analytics engine to perform such tasks as behavioral analysis of potential threats. Cybereason incorporates multiple methods of data integration to identify and correlate malicious events to help organizations better secure their enterprises.


Cybereason's security analytics platform uses collection agents that run in the user space of operating systems on endpoint devices. By avoiding kernel-level agents, which are programs that run in the lowest and most trusted level of the operating system, the collection agents are able to function with minimal impact on device performance -- 1% to 3% CPU utilization is not uncommon. The agent collects a variety of data, including file access details, process actions, configuration changes and network events. Data is stored in a centralized in-memory graph database that enables both high flexibility with regard to modeling different types of entities and their relations and high-performance analysis.

Detection techniques

The big data security analytics platform uses three broad classes of detection techniques: threat intelligence, guilt by association and machine learning.

Threat intelligence is used to detect known malware and malicious activities, such as communicating with a known malicious IP address. The second technique rests on the observation that interaction of other events and processes with known malicious software or processes is a good indicator of malicious operations. This heuristic, known as guilt by association, is one way to expand the list of known malicious software or agents. For example, if a known malicious IP address establishes a session on a port that is not typically used, then the software listening on that port is probably malicious. Finally, machine learning techniques are used to develop classifiers that can distinguish normal, or typical, network events from anomalous and potentially malicious activities.
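The guilt-by-association heuristic described above can be sketched in a few lines. This is an added example, not Cybereason's code: the event fields, the sample telemetry and the list of typical ports are constructed, and the second rule (an address contacted by a suspect process becomes suspect itself) is an assumption that goes beyond the single case the article gives.

```python
from collections import namedtuple

# Constructed sample telemetry; the field names are assumptions for this example.
# For inbound events, port is the local listening port.
Conn = namedtuple("Conn", "host process direction remote_ip port")

EVENTS = [
    Conn("ws-01", "svchost.exe", "in", "203.0.113.7", 443),
    Conn("ws-02", "updater.exe", "in", "203.0.113.7", 47811),
    Conn("ws-02", "updater.exe", "out", "198.51.100.23", 8443),
    Conn("ws-03", "helper.exe", "in", "198.51.100.23", 51002),
    Conn("ws-04", "chrome.exe", "out", "192.0.2.10", 443),
]
KNOWN_BAD_IPS = {"203.0.113.7"}      # threat-intelligence seed (constructed)
TYPICAL_PORTS = {22, 80, 443, 3389}  # ports normally in use here (assumption)


def guilt_by_association(events, bad_ips, typical_ports):
    """Expand a threat-intel seed by propagating suspicion to a fixed point.

    Rule 1 (from the article): a process that accepts a session from a
    known-bad IP on an atypical port is suspect.
    Rule 2 (assumption): an IP contacted by a suspect process is suspect.
    Returns (suspect processes, newly learned IPs), each with its evidence.
    """
    bad_ips = set(bad_ips)
    suspects, learned_ips = {}, {}
    changed = True
    while changed:  # repeat until a full pass adds nothing new
        changed = False
        for e in events:
            key = (e.host, e.process)
            if (e.direction == "in" and e.remote_ip in bad_ips
                    and e.port not in typical_ports and key not in suspects):
                suspects[key] = f"inbound from {e.remote_ip} on atypical port {e.port}"
                changed = True
            elif (e.direction == "out" and key in suspects
                    and e.remote_ip not in bad_ips):
                bad_ips.add(e.remote_ip)
                learned_ips[e.remote_ip] = f"contacted by suspect {e.process} on {e.host}"
                changed = True
    return suspects, learned_ips


if __name__ == "__main__":
    procs, ips = guilt_by_association(EVENTS, KNOWN_BAD_IPS, TYPICAL_PORTS)
    for entity, why in {**procs, **ips}.items():
        print(entity, "<-", why)
```

The session from the known-bad address to port 443 on ws-01 is not flagged by this heuristic because the port is typical; that event is the kind plain threat-intelligence matching is meant to catch.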

A crucial part of the Cybereason Detection and Response Platform, and the core big data analytics component of the product, is the Malop Hunting Engine -- Malop is short for malicious operations. The engine collects real-time data via the platform's Silent Sensors on endpoint devices; the data is then signed and stored for machine learning behavioral models, which analyze the data for new threats, anomalies, risks and non-signature-based attacks.

Data integration is also a fundamental enabler of Cybereason's ability to help infosec professionals see the full scope of an attack. By integrating multiple forms of security event data, and making it accessible through a centralized interface, infosec professionals can query the scope of devices involved, review the timeline of events and assess different mitigation strategies.


Cybereason's interface is designed to leverage the skills of non-expert infosec professionals. Although less-experienced professionals may not have the knowledge of their more seasoned colleagues, the Cybereason platform frees them from the more mundane aspects of data collection and analysis by collecting, integrating and analyzing event data.

The interface is known as Cybereason's Incident Response Console. It is designed for easy navigation around the five dimensions of an attack: timeline, root cause, adversarial activity, communication, and affected users and endpoints. In addition to the core data about an attack, the Incident Response Console can incorporate additional context data about events.

Cybereason can be deployed to an organization's servers on premises or as a cloud service. More information on pricing and platform versions can be obtained by contacting the vendor.


Cybereason's big data security analytics platform focuses on automated detection of malicious activity, streamlined analysis and investigation, and support for collaboration among infosec professionals. This platform is well suited for large and midsize enterprises and those with demanding infosec requirements. The combination of multiple detection techniques mitigates the weaknesses inherent in any single technique. For large-scale deployments, consider consulting with one of Cybereason's partners to assist with planning and deployment.

Next Steps

In part one of this series learn about the basics of big data security analytics

In part two discover the business case for big data security analytics

In part three find out how to evaluate big data analytics platforms

In part four compare the top big data security analytics products

This was last published in September 2016
