Maksim Kabakou - Fotolia
Security analytics often means using tools to patrol the perimeter of an organisation’s network. As a result, it is important to guard against assuming that investing in security analytics will automatically afford the protection needed from all kinds of external threats.
There are many options available to organisations for implementing security analytics technology, ranging from basic firewalls through to advanced, machine learning services that proactively predict and defend identified threats – while the more advanced offerings may infer total protection, it is rare this can be fully relied upon.
As ever, it is easy to be blinded by the prospect of the latest and greatest technology without considering the true nature of the risk being managed and the most appropriate response for it, as well as performing the necessary due diligence on the product. Organisations still need to critically assess their IT asset catalogue and identify which are the high-criticality applications.
When selecting a potential security analytics supplier, it is important to seek assurances, including references regarding the functionality and capabilities of the tool as well as the supplier itself. If possible, the product should be tested to ensure it covers the specific needs of the organisation.
If the plan is to rely on the supplier’s vulnerability algorithms and threat perception templates, it is critical that due diligence is also undertaken on those to ensure they are also maintained regularly to reflect changing threat perceptions.
It is also important to keep in mind whether the organisation is at significant risk of external threats of this nature and whether the technology investment is the correct response. Although all companies will be exposed to some kind of external threat, some are more likely to be targets than others.
Specific industry sectors – for example, high volume retailers or global pharmaceuticals – will attract a greater volume of cyber attacks by virtue of the type of information they hold or because of what they do.
Companies that are assessed as high-risk targets are far more likely to invest in more sophisticated analytics offerings for their network and security infrastructure. Others may rely upon traditional defence strategies such as firewalls, encryption, network partitioning and resilience without the added analytical layer.
The following should be considered when selecting a security analytics solution:
- Multiple layers of security are often required, and this is also the case for security analytics. Therefore, it must complement – not conflict with – other programs in place, as well as communicate with them to read and understand the logs available so that a vulnerability or threat alert is identified when it occurs.
- Different threat indicators should be able to be configured depending on the target, protocol or source of the attack. For example, certain applications may inherently communicate through multiple protocols or channels, some of which may be deemed as suspicious in other applications. These exceptions or nuances by application will need to be configured in the security analytics product in order to remove either false positives or undetected vulnerabilities.
- Additional configuration parameters need to be handled with system updates as they become relevant to the organisation.
- Deviations from “normal” behaviours need to be detected to identify potential suspicious behaviours.
- A facility to alert and notify immediately based upon perceived threat levels is required.
- Different levels of criticality need to be differentiated between, as not all identified threats are the same.
- Where possible, the software should be able to use previous responses as a template for future alerting – machine learning to remember previous responses and repeat where similar scenarios are identified.
- Where machine learning is part of the solution, the product should provide some sort of percentage confidence rating for the simulated model to provide administrators with insight into the trustworthiness of the suggested alert.
- It should be customisable to identify the particular idiosyncrasies of applications in the organisation’s enterprise applications. For example, understanding the particular protocols or ports used by SAP vs Google or Microsoft.
- Once a threat has been identified, “infected” assets need to be isolated and quarantined.
The limitations of security analytics include:
- The solutions are only as good as the algorithms they are processing; if these are not up to date, the detective capabilities of the system will not be either.
- Even with machine learning capabilities, the programs still require good data input quality and consistent patterns of both events and alert responses (such as alerts consistently cleared as false positives) to provide appropriate answers. Machine learning still requires human validation until such time as the “model” can be deemed sufficiently accurate.
- No matter how advanced the product, the response and reaction still require human intervention and guidance.
- Many examples of security analytics solutions can result in companies becoming complacent by over-relying upon this single line of defence rather than implementing complimentary, multifaceted response strategies.
Overall, it is critical to remember that, as powerful as the security analytics products are, they can never be fully relied upon in isolation. It is still vital to plan for an attack that will be, in some form, successful. Resilience and recovery strategies must also receive appropriate investment if the organisation is to be adequately prepared for such threats.