Maksim Kabakou - Fotolia
The Information Security Forum (ISF) describes a five-stage cyber attack chain typically seen from adversarial threats – performing reconnaissance, gaining access, maintaining control, compromising information and exploiting information.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Security analytics platforms (which can be described as an extension of SIEM – security information and event management) aim to stop these threats early in the cyber attack chain, combining data sources and analysing information for indicators of compromises (current and potential).
However, these platforms do not work out-of-the-box, requiring configuration and regular fine tuning for individual organisations. In this regard, organisations considering utilising security analytics should not underestimate the depth of resources needed for effective use.
Costs include not only licensing the software but also customisation, any necessary training and specialists (in an employee-led labour market).
Specialists are needed to interpret the outputs from the platform. Cognitive biases (the tendency of humans to think in particular ways, deviating from purely rational judgment) can cause individuals to draw conclusions with incomplete, contradictory or overwhelming amounts of information. Regularly rotated teams can help to mitigate these potential biases.
When problems are spotted, the workflow to follow up should be well defined and integrated with the organisation’s incident management processes.
Normally the domain of larger enterprises (1,000+ employees), smaller organisations will rarely possess the resources to buy and deploy a security analytics platform, let alone manage the outputs. Smaller organisations could investigate appropriate managed security service providers (MSSPs).
Data sources is an obvious question to probe potential suppliers with, but also consider asking about how compliance expectations are supported, and how the architecture of the solution helps speed up analytic processes – after all, time is of the essence in detecting, and lessening the impact of, attacks.