Maksim Kabakou - Fotolia

Security Think Tank: If you are not measuring, are you really defending?

What are the main challenges that security analytics can be used to address?

Growing up with a twin brother, we were constantly measured against each other in everything we did. He was the cool brother seemingly good at everything, while I was the one playing catch-up, always trying to do the right thing. My competitive nature would later help me focus on becoming the “straight A” student, which is why measurement was a great affirmation of my efforts to be “best”.

As I began my career, having my performance measured against peers continued to push me and I enjoyed success up the corporate ladder. To me, measuring equals performing and this is why businesses need to do the same to withstand cyber attacks. They need to vigilantly analyse and scrutinise their security performance in every way, then work hard to fix it – or simply invest time and energy in security analytics.

Security analytics serves an important role in any organisation, not just for your IT team, but for the board as well. With solid analytics at your disposal, the leaders in your organisation can make more informed decisions when it comes to budgeting or personnel needs.

It is important for organisations to have the right level of analysis to identify and stop threats and the loss of data. Having the system in place so that data may be collected, analysed and reported on in real time requires a flexible solution and responsive architecture. It is crucial to understand how the architecture empowers the processes.

Security analytics is really the analysis of information within a network. This can include routers, switches, firewalls, mainframes, middleware appliances, Unix server logs, Windows domain controllers, application logs, forensic data, additional analysis from other security controls, and so on. 

These things used to be called security event management, security information management, and security information event management. Collectively, it is now known as Siem.

Siem was the process of collecting log data from disparate sources to analyse and correlate it to identify security events. This was a great promise to deliver a “single pane of glass” solution to integrate this information for an organisation’s chief information security officer or information security leaders in an increasingly heterogenous environment. 

Wasted money

While the concept of Siem seemed to work for businesses, any security suppliers that sold these systems to businesses priced the appliances that collected and analysed all of this data based on the log size and quantity of some other variable that they could measure and therefore charge for.

And because security was not a board-level issue at the time, heads of security within an organisation would often buy what they could to meet compliance needs, but would not have the bandwidth required to truly identify security anomalies. Log collection servers, analytical servers or database server, which often made up these systems, would run out of space or lack the proper configuration due to either a lack of knowledge or people.

So, over time, a lot of money was spent on very expensive systems that did not always detect the problems. And since not all applicable data was sent to these systems, there was a mixture of different systems reporting in, causing cultural and budget issues for businesses. That, combined with the fact that security suppliers need to understand the context of each event that any number of systems could generate log messages for, made it a very complex problem to solve.

Stopping threats in advance

Later, security suppliers got smart and realised that there was a big piece missing from these Siem tools – threat indicators to identify future actions by adversaries. These would show up in system logs – almost as signatures or breadcrumbs of their activity – sprinkled all over the enterprise, tracking what the adversary had done to get in, find what they were looking for, get it out, and then cover their tracks without getting caught.

Security suppliers started to incorporate more threat intelligence into their tools, including indicators of compromise and tools, tactics and procedures (TTPs) of known adversaries. Logically, most threat actors tend to use the same tools, techniques and procedures to accomplish their goals.

Why? Because changing this stuff is hard and takes a deep knowledge of technology to make it happen. So, once you have something that works, you stick with it, knowing that many organisations are short on robust security systems. 

Also, once someone finds hole in a system, it becomes much easier for those with a lesser skill level to copy it and use the same attack for their own means.

Staying informed about all active threats, as well protecting critical information, means the security leaders in an organisation must formulate a defensible security plan that helps contain data loss and reputation damage, and share that intelligence to be able to proactively respond to those threats.

By identifying those weak spots within the organisation by automating monitoring and alerts, the chief information security officer (CISO) will be able to investigate changes and indicators of compromise (IoCs) more quickly and use that intelligence to research and defend active and potential attacks, enabling quicker investigation of the problem and response.

Understanding the adversary

With all this said, it is still incredibly important to understand the adversary’s mindset. You need to understand how they think, how they analyse a network for a potential attack, what are their motives, how they would accomplish their goals if they were able to breach, and what we would see if they did.

These are just some of the questions people need to consider when looking at security analytics.

Selecting proper tools

Security analytics needs to be much more than a buzzword to sell more products, or a reason to buy more systems simply to justify how good your organisation is at protecting an enterprise. You need to truly understand how technology is used and deployed in your environment all the way up the “stack” (OSI model) and how an adversary would exploit this to gain access. 

If you think like they do, you will start to see holes in your capabilities and will be able to select security controls and develop analytical capabilities to analyse the information that is directly in front of you.

Security analytics will be most effective when it is the right tool for the task, properly deployed and configured, and has buy-in from all levels of the organisation. All organisations should think about how to best implement security analytics to both understand and protect their networks.

The bottom line is: you can’t manage what you don’t measure. In today’s cyber environment, where we see constant attacks and incidents, it is important to keep a close pulse on your cyber health. How else will you know whether your organisation is healthy or needs a proper rehab stint? While it is unfortunate that cyber attacks and rehab stints remain on trend, I would rather stick to my “straight A” student persona and keep out of trouble.

Read more on Hackers and cybercrime prevention