Advanced security analytics safeguards the enterprise

Advanced security analytics uses information gathered from SIEMs and other security tools to safeguard the enterprise. Learn how advanced analytics works and what's coming next.

As with so many ideas, intelligent cybersecurity first cropped up in science fiction.

If you were around in the 1980s and 1990s, you remember the cyberpunk subgenre, which explored the implications of machine intelligence and virtual reality -- particularly in the context of cybersecurity and information warfare.

And as we've seen, ideas that originate in science fiction tend to become reality within a few decades. The "communicators" of the 1960s Star Trek TV show exist today in the form of smartphones. (Martin Cooper, the Motorola engineer who developed the first mobile phone, was actually inspired by what he saw in the TV show.) Similarly, the cyberpunk visions of the 1980s are starting to become real in the form of advanced security analytics, which holds the promise of protecting enterprise organizations against the most sophisticated attacks, including advanced persistent threats.

Hierarchy of security

The best way to understand what's going on with advanced security analytics is to think about security technologies in the triangular form of Maslow's hierarchy of needs. At the base are protection systems: firewalls, secure web gateways, antimalware, identity and access management, and data loss prevention. Tools at this level scan for malicious code and monitor for unauthorized access to various resources. A key characteristic of protection systems is that they emphasize protecting a specific type of resource, system or attack vector. These tools are essential, but not sufficient -- there has to be some way of coordinating and mining the information they collect.

The next level up consists of detection and monitoring systems, such as security information and event management (SIEM) products and intrusion detection and intrusion prevention systems (IDSes/IPSes). The key characteristic of these advanced analytics tools is that they take a holistic view of the enterprise. SIEM and IDS/IPS tools monitor and manage what's going on across multiple resources and systems, including the security tools. As such, they build on and integrate into protection systems.

But there's a catch: SIEM and IDS/IPS tools collect enormous amounts of data. Even though they filter the data, analyzing it can be a task that literally isn't humanly possible. Large enterprises report that their SIEM and IDS/IPS products generate as many as 500 false positives per day -- a number that's simply not possible to validate and check manually. That's where advanced security analytics comes in.

What advanced security analytics offers

Advanced security analytics is a higher layer of systems that integrate into existing products and automate the analysis via machine learning and big data techniques. This approach enables information security professionals to take action on the issues that truly represent a breach or threat.

There are several different types of products that fall within the category of advanced security analytics. Security operational intelligence tools, such as Splunk, permit users to uncover connections between events. Behavioral threat analytics tools analyze the behavior of users, devices and systems in the environment to uncover anomalous behavior that may represent a threat.

Security analytics tools typically get their inputs from the data and feeds of other tools and systems, including SIEM, IDS/IPS and a range of others -- firewalls, secure web gateways and the like. Where they tend to differ is where they focus -- on contextual analysis of insider threats, for example, or maybe on the translation of threat to business risk.

Regardless of focus, these advanced security analytics tools attempt to tease out which incidents, or patterns of incidents, represent an actual threat. Through machine learning, artificial intelligence and integration with other security solutions, they can reduce false positives by several orders of magnitude -- making the problem something security professionals can address manually.
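To make the idea of behavioral baselining concrete, here is an added example (not from the original article or from any product it names) that compares a fixed-threshold rule with a per-account baseline check. The account names, traffic figures, threshold and cutoff are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily outbound megabytes per account, oldest first.
# The last value in each list is "today"; the rest are the account's history.
HISTORY = {
    "svc-backup": [5200, 5100, 5350, 4980, 5250, 5150, 5300],
    "alice":      [120, 95, 140, 110, 130, 105, 125],
    "bob":        [80, 70, 95, 85, 90, 75, 2400],
    "carol":      [600, 640, 580, 610, 590, 630, 615],
}

STATIC_THRESHOLD_MB = 500   # assumed fixed rule: alert on any day above this
ROBUST_Z_CUTOFF = 3.5       # commonly used cutoff for the modified z-score


def static_rule_alerts(history, threshold=STATIC_THRESHOLD_MB):
    """Accounts a fixed-threshold rule would alert on today."""
    return sorted(u for u, days in history.items() if days[-1] > threshold)


def robust_z(baseline, value):
    """Modified z-score from the median and median absolute deviation."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:  # perfectly flat history: any change at all is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def behavioral_alerts(history, cutoff=ROBUST_Z_CUTOFF):
    """Accounts whose volume today is far above their own baseline."""
    flagged = {}
    for user, days in history.items():
        baseline, today = days[:-1], days[-1]
        if len(baseline) < 5:  # too little history to judge; skip
            continue
        score = robust_z(baseline, today)
        if score > cutoff:
            flagged[user] = round(score, 1)
    return flagged


if __name__ == "__main__":
    print("static rule:", static_rule_alerts(HISTORY))
    print("behavioral :", behavioral_alerts(HISTORY))
```

The fixed rule alerts on three accounts, two of which are simply heavy users behaving normally; the baseline check leaves only the account whose behavior actually changed.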

But they won't stop here. The next frontier of advanced security analytics is predictive analytics -- not just detecting threats as they occur, but accurately predicting the threats that will hit tomorrow and the business risk they will pose. That will, in turn, enable security professionals to move from reactive to proactive mode. Or, as some would put it: to boldly go where none have gone before.

This was last published in November 2016