At its core, security threat analysis is all about using mathematical and scientific principles to find threats...
in huge data sets. When threats were largely static and long-lived, organizations could rely on simple signature-based techniques to find them. But threats are now dynamic and short-lived, so organizations are forced to switch to finding anomalies and determining their significance. The enormous increase in the volume of security data sets has also necessitated heavy reliance on automation. The intersection of these two -- anomaly detection and automated analysis of huge data sets -- is where security threat analysis now resides.
Each security analytics platform or service uses math and science techniques to detect known and unknown threats. Here are some tips for ensuring you get the most out of the security analytics tool you're using.
Combine security threat analysis techniques
Combining analytical techniques improves results because each technique finds certain types of anomalies differently than others. You should use a security analytics platform or service that supports a variety of techniques and uses each one for the right reasons. For example, many techniques are statistics-based; these are generally best at finding simple anomalies -- such as a sudden, massive increase in network activity between an internal database server and an external host.
Other security threat analysis techniques use machine learning, which is a form of data science that enables computers to make decisions without having explicit instructions for how to make them. Machine learning employs statistical techniques and computer algorithms to make models of benign and malicious activity and then refines those models based on new information. Machine learning is great at defining patterns of activity and identifying future activity that matches those patterns. So, for example, if security analytics uses machine learning to identify a certain type of malware infection, it can use that pattern to find new malware infections.
Provide access to context information
Finding anomalies in a large data set is generally easy; finding the most important anomalies in a large security data set is incredibly challenging. Security analytics can't work well unless it determines the significance of each event with context. It must have up-to-date context information on every user, device, app, data set and other logical entity in the enterprise. For example, consider users. Just knowing each user's basic role could affect which behaviors are deemed suspicious. Other valuable sources of context include threat intelligence feeds and reputation services, which indicate the likely intent of external IP addresses, domains and websites.
Context enables security threat analysis to better differentiate benign anomalies from malicious ones, which reduces false positives and negatives. Context also helps estimate the relative importance of each malicious anomaly so responses can be prioritized. Make sure that your security analytics platform or service has access at all times to the latest internal and external context information.
Assist people with manual analysis
Although security threat analysis is intended to automate as much of threat identification and prioritization as possible, people often need to do their own analysis. Security analytics platforms and services can facilitate this by providing data visualization capabilities. Data visualization goes far beyond having a console for viewing information on anomalies. For example, data visualization should use advanced graphing techniques that help to highlight anomalies that might otherwise go unnoticed. These graphing techniques, in effect, are another form of security analytics. A strong security analytics platform or service will use a variety of graphing techniques and determine which ones are most helpful in each situation.
Two steps to using cloud and making security monitoring continuous
Hungry for more? Read our guide to selecting security analytics tools
Fighting back against ransomware attacks: Detection, prevention, recovery