
Firms look to security analytics to keep pace with cyber threats

Traditional approaches to cyber security no longer enable organisations to keep up with cyber threats, but security analytics is an increasingly popular addition to the cyber arsenal


Security has changed dramatically over the decades. Companies can no longer risk focusing just on protecting physical assets such as offices and stock. With firms becoming increasingly reliant on technology and software to streamline everyday operations, it is crucial to have systems in place to protect digital property.

Cyber criminals are constantly trying to gain access to lucrative business data, and attacks can have detrimental effects on businesses’ finances. According to research from enterprise internet service provider (ISP) Beaming, UK businesses lost nearly £30bn because of hacks in 2016.

Monitoring and threat detection are crucial if businesses are to stay ahead of the curve, and security analytics has emerged as a popular way to counter attacks. It involves the collection, aggregation and analysis of security data, usually combining datasets with sophisticated detection algorithms.

Security analytics is extremely diverse, and there is a plethora of ways to collect data, including software, cloud resources, external threat intelligence sources and network traffic. According to a report from Markets & Markets, the industry was worth $2.83bn in 2016 and will reach $9.8bn by 2021. But does the sector live up to the hype?

As a market, security analytics is packed with suppliers. Ranging from corporate diehards to fast-growing startups, the industry abounds with choice. Top names include BAE Systems, E8 Security, Fortinet, Hewlett Packard Enterprise (HPE), Huntsman Security, IBM, McAfee (formerly Intel Security), LogRhythm, RSA, Securonix and Splunk, all of which have made an impact on the industry over the years.

US tech giant IBM is one of the leading suppliers in this area, offering a wide range of software that puts analytics at the heart of cyber security. It provides businesses with tools to detect and prioritise their biggest security threats. Features include log management, risk management, vulnerability management, configuration management, incident forensics and behavioural analysis.

Martin Borrett, chief technology officer of IBM Security Europe, says artificial intelligence (AI) and analytics have emerged as frontrunners in cyber security, and more and more businesses are investing in these technologies. “Sophisticated cyber crime is growing at an alarming rate and alternative ways to combat it need to be found,” says Borrett. “One route is through the use of AI and advanced analytics.

“In the market today, we see great faith in this technology, as well as growing rates of adoption. Research by the IBM Institute of Business Value found that nearly 60% of security professionals believe cognitive security systems can slow down cyber criminals significantly. The study also revealed there will be a three-fold increase in the percentage of companies implementing cognitive security systems in the next two to three years – up from 7% to 21%.

“Already we see many companies taking the plunge into using cognitive technology and analytics in their security business. As a result, they have experienced a number of improvements in their security services, from gaining the ability to make faster and more informed decisions, to reduced incident response times, complexity and cost. Without such technology, unstructured data continues to be the Achilles’ heel of cyber defence because it represents a huge blind spot, comprising more than 80% of all data.”

Rise of new security technology

Implementing security analytics can take time and money, especially if a business is using outdated hardware and software. Gene Stevens, co-founder and CTO of enterprise security supplier ProtectWise, says many CISOs are finding it difficult to retain forensics for an extended period of time in a way that is cost-effective and easy to manage. However, his company has come up with an intelligent, analytics-oriented platform to tackle this problem.

“With a memory of network activity, security teams can go back and identify whether they were compromised by an attack once it is discovered – and assess the extent of its impact,” says Stevens. “However, traditional approaches are costly to scale and laborious to deploy. And as workloads move to the cloud, these products are not capable of supporting that move, which makes it hard for them to keep up with changes in attack techniques. We take a new approach to solving these challenges with a utility model for enterprise security.”

The company’s ProtectWise Grid platform captures full-fidelity network traffic for real-time and retrospective analysis, automating much of the impact assessment and data gathering, enabling quick and easy security analytics.

“This makes it easy to deploy and scale,” says Stevens. “CISOs also appreciate that the retrospective technology and unlimited retention window give them the confidence to definitively say their organisation was not vulnerable to a newly discovered threat, even going back into a year’s worth of data.”

Founded in 2003, LogRhythm is another pioneer in the field of security analytics. Although the company’s product portfolio is broad, it has begun to focus much of its attention on new technologies such as machine learning. It has developed an AI engine that processes security analytics data in real time, enabling the detection of advanced threats.

Ross Brewer, vice-president and managing director of Emea (Europe, Middle East and Africa) at LogRhythm, says: “As the hype around security analytics heightens – and rightly so – we are seeing incredibly sophisticated technology come to market. Today’s security intelligence and data analytics tools automatically aggregate, correlate and analyse forensic data from existing security tools, such as log data from firewalls and user activities from behavioural analytics systems.

“This helps to remove the burden on those who would otherwise need to perform these activities manually in order to find the biggest threats. This level of insight delivers the right information, at the right time, with the appropriate context, to the right people, so attacks can be detected in the earliest stages – or even anticipated before they occur.”

Valuable business tool

US-headquartered Vasco has also emerged as a leader in the security analytics industry. The company develops technology that helps secure sensitive information and transactions for some of the world’s biggest banks, including HSBC, Bank of America, Deutsche Bank and Citibank. The firm works with more than 10,000 customers in 100 countries.

Vasco product director Giovanni Verhaeghe says that despite its relative infancy, security analytics has proved itself to be a valuable business tool.

“Organisations are able to make well-informed security decisions based on data gathered and analysed by a technology that will get smarter over time thanks to its machine learning capabilities,” he says.

“For example, risk engines, empowered by security analytics, are already transforming the process of deciding whether a user can conduct a specific transaction in a different way to traditional one-time password [OTP] technology. Risk engines are able to analyse a user’s environment and behaviour and make a decision based on a variety of parameters. As a result, transaction security is underpinned by a more detailed decision-making process than OTP, which is based on a simple ‘yes or no’ process.”
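The decision flow Verhaeghe describes, as an added example that is not Vasco's code or product: a toy risk engine scores a transaction from device familiarity, amount against the user's baseline and travel speed since the last transaction, returns allow, step-up or deny, and sits next to the plain yes/no OTP check it is contrasted with. The signals, weights, thresholds, coordinates and sample profile are constructed assumptions.

```python
"""Added example (not Vasco's code): a minimal risk engine of the kind the
quote describes. Rather than the single yes/no of an OTP check, it scores a
transaction from several signals (device familiarity, amount against the
user's baseline, travel speed since the last transaction) and steps up to a
second factor only when the score lands in the uncertain band."""
import hmac
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Transaction:
    user: str
    amount: float
    device_id: str
    lat: float
    lon: float
    ts: int  # unix seconds


@dataclass
class UserProfile:
    known_devices: frozenset
    avg_amount: float  # rolling mean of past transaction amounts
    last_lat: float
    last_lon: float
    last_ts: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_score(tx, profile):
    """Return (score, reasons). Weights and thresholds are illustrative assumptions."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if tx.amount > 3 * profile.avg_amount:
        score += 30
        reasons.append("amount far above user baseline")
    hours = max((tx.ts - profile.last_ts) / 3600.0, 1 / 60)  # floor at one minute
    km_h = haversine_km(profile.last_lat, profile.last_lon, tx.lat, tx.lon) / hours
    if km_h > 900:  # faster than a commercial flight: impossible travel
        score += 50
        reasons.append(f"impossible travel ({km_h:.0f} km/h)")
    return score, reasons


def decide(score):
    """Three outcomes instead of OTP's two: allow, step up to a second factor, or deny."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"
    return "deny"


def otp_check(entered, expected):
    """The traditional yes/no decision the quote contrasts with, compared in constant time."""
    return hmac.compare_digest(entered.encode(), expected.encode())


# Constructed sample data: a London-based user with one enrolled device.
PROFILE = UserProfile(frozenset({"dev-A"}), 120.0, 51.5074, -0.1278, 1_700_000_000)
TX_ROUTINE = Transaction("alice", 95.0, "dev-A", 51.51, -0.13, 1_700_003_600)
TX_NEW_DEVICE = Transaction("alice", 95.0, "dev-Z", 51.51, -0.13, 1_700_003_600)
TX_SUSPECT = Transaction("alice", 2000.0, "dev-Z", 40.7128, -74.0060, 1_700_001_800)

if __name__ == "__main__":
    for tx in (TX_ROUTINE, TX_NEW_DEVICE, TX_SUSPECT):
        s, why = risk_score(tx, PROFILE)
        print(f"{tx.device_id} {tx.amount:>8.2f} -> score {s:3d} {decide(s):8s} {why}")
```

The point of the three-way `decide` is that the second factor is requested only for the middle band: the routine transaction passes without friction, the unfamiliar device triggers a step-up, and the combination of new device, outsized amount and impossible travel is refused outright, with the reasons kept for the analyst rather than discarded.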

Although security analytics promises major business benefits here, it is not without its problems, and Verhaeghe says the growth of ever more complex data will bring challenges for CISOs.

“The main challenge is with defining the right parameters and desired outcomes in the face of unprecedented data growth, especially with technologies like the internet of things [IoT],” he says. “CISOs will need to clearly define what they expect from the technology to make sure the data is appropriately processed and threats are averted.”

Lee Weiner, chief product officer at IT security company Rapid7, is a firm believer in the technology, and says the biggest attraction of security analytics is that it can boost visibility and productivity. “The main benefits are increased visibility, new ways to view and analyse metrics, and even the opportunity to create KPIs [key performance indicators],” he says. “Additional benefits include increased productivity for security professionals due to less noise, more actionable intelligence and a clearer path to action – reducing risk and containing attacks.”

Living up to the hype

There is no denying that security analytics is popular in the business world – but is it actually living up to the hype? Daniel Dalek, director of research and development at NTT Security, says the technology is changing the game for businesses and has matured rapidly. “Security analytics has evolved quickly over the past couple of years, mainly out of necessity since traditional approaches have not been able to keep scale properly to the volumes of data,” he says.

“This change has led to the use of specialised storage, new tools for exploratory analysis, focus on streaming applications and adoption of AI or machine learning methods to combat the inefficiencies of signature-based detection. In the short term, this technology shift has been resource-intensive since it involves all layers of the technology stack, and has just about allowed most security suppliers to keep their heads above water.

“But NTT Security has already seen some of the long-term benefits, specifically by building refined datasets to train our machine-learning models. This has allowed us to detach from the technology stack and move our detection capabilities across platforms and libraries.”


Paul McEvatt, senior cyber threat intelligence manager at Fujitsu, takes the view that security analytics is growing up and living up to its potential, thanks to the rise of technologies such as machine learning.

“Collecting the right logs is critical and it is more important than ever to have visibility of what is happening on the endpoint,” he says. “However, an antivirus on an endpoint can no longer be seen as adequate protection. In fact, technologies reliant on signatures or rule correlation are no longer sufficient. But the good news is, technologies are improving. Machine learning, AI and new concepts such as automation and orchestration are driving change.

“A good example of this is SIEM [security information and event management], a traditional defence-in-depth layer that is often seen as the integration layer that has the ability to collect logs from various sources on which teams can perform security analytics. This model will change with the introduction of security automation and orchestration concepts. These will act as a true integration layer, with SIEM simply being another technology component in the stack.”

McEvatt adds: “It is becoming clear that orchestrating multiple security technologies, joining them together through APIs [application programming interfaces] and applying context to incident tickets through threat intelligence enrichment is the next lifecycle for security operations. Applied correctly, automating incidents to the point where they don’t touch traditional first- and second-line teams will improve incident response metrics and free up time for true security analytics and proactive threat hunting.”
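The pipeline described in the quotes above (aggregate and correlate log data, enrich with threat intelligence, automate incidents past the first-line team), as an added example that is not Fujitsu's, LogRhythm's or any supplier's code: constructed firewall log lines are parsed, denied connections are correlated per source, hits are enriched from a constructed threat-intelligence table, and tickets whose source is already known-good are auto-closed so they never reach first-line analysts. The log format, the threat-intelligence table, the port-count threshold and the severity rules are assumptions; the addresses are documentation and private ranges, not real indicators.

```python
"""Added example (not any supplier's code): a toy SIEM-style pipeline of the
kind the quotes describe. It parses constructed firewall log lines, correlates
denied connections per source, enriches hits with a constructed
threat-intelligence table, and auto-closes tickets whose source is already
known-good so they never reach first-line analysts."""
import re
from collections import defaultdict

# Constructed sample data (TEST-NET and RFC 1918 addresses, not real IoCs).
FIREWALL_LOG = """\
2017-06-01T10:00:01Z deny src=203.0.113.7 dst=10.0.0.5 dport=22
2017-06-01T10:00:02Z deny src=203.0.113.7 dst=10.0.0.5 dport=23
2017-06-01T10:00:03Z deny src=203.0.113.7 dst=10.0.0.5 dport=445
2017-06-01T10:00:04Z deny src=203.0.113.7 dst=10.0.0.5 dport=3389
2017-06-01T10:00:05Z allow src=203.0.113.9 dst=10.0.0.8 dport=443
2017-06-01T10:00:06Z allow src=203.0.113.9 dst=10.0.0.8 dport=443
2017-06-01T10:00:07Z deny src=10.0.0.50 dst=10.0.0.5 dport=22
2017-06-01T10:00:08Z deny src=10.0.0.50 dst=10.0.0.5 dport=80
2017-06-01T10:00:09Z deny src=10.0.0.50 dst=10.0.0.5 dport=443
malformed line that the parser must skip
"""

# Constructed threat-intelligence table standing in for a feed lookup.
THREAT_INTEL = {
    "203.0.113.7": {"tags": ["scanner", "bruteforce"], "known_good": False},
    "10.0.0.50": {"tags": ["internal-vuln-scanner"], "known_good": True},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def correlate_denies(events, min_ports=3):
    """Group denied connections per source; keep sources hitting >= min_ports distinct ports."""
    per_src = defaultdict(lambda: {"ports": set(), "first": None, "last": None})
    for ev in events:
        if ev["action"] != "deny":
            continue
        rec = per_src[ev["src"]]
        rec["ports"].add(ev["dport"])
        rec["first"] = rec["first"] or ev["ts"]
        rec["last"] = ev["ts"]
    return {src: rec for src, rec in per_src.items() if len(rec["ports"]) >= min_ports}


def enrich(src, intel):
    """Threat-intelligence enrichment: context for the ticket, or an empty record."""
    return intel.get(src, {"tags": [], "known_good": False})


def build_tickets(log_text, intel, min_ports=3):
    """Correlate, enrich and triage; known-good sources are auto-closed, not routed to analysts."""
    tickets = {}
    for src, rec in correlate_denies(parse_log(log_text), min_ports).items():
        ctx = enrich(src, intel)
        if ctx["known_good"]:
            status, severity = "auto-closed", "info"
        elif ctx["tags"]:
            status, severity = "open", "high"
        else:
            status, severity = "open", "medium"
        tickets[src] = {
            "severity": severity,
            "status": status,
            "ports": sorted(rec["ports"]),
            "tags": ctx["tags"],
            "window": (rec["first"], rec["last"]),
        }
    return tickets


if __name__ == "__main__":
    for src, t in build_tickets(FIREWALL_LOG, THREAT_INTEL).items():
        print(src, t["severity"], t["status"], t["ports"], t["tags"], t["window"])
```

The enrichment step is what turns a bare port count into something an analyst can act on: the same three-port pattern yields a high-severity open ticket for a source the feed tags as a scanner, and an auto-closed informational record for the organisation's own vulnerability scanner, which is the "don't touch first- and second-line teams" outcome McEvatt describes.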

Cyber security threats are becoming ever more complex, and businesses must take action now to stay protected from hackers. Although there are plenty of ways organisations can improve their defences, security analytics has become one of the most popular methods. Spearheaded by advances in tech such as AI and machine learning, it offers greater visibility into critical IT systems.
