o Enterprises Need a Separate Cyber Security Analytics Platform?
The five types of analytics used in information security today, and the future of security analytics
As every security product races to build analytics within itself, is there a need for a separate security analytics platform? To answer that, I will do a quick overview of analytics as it stands today in the industry.
Analytics Applied to Infosec
There are five types of analytics that can be applied to infosec-
1. Descriptive analytics. This describes what is happening based on current or immediate past data and includes the typical dashboards and reports that describe the current state of security. This includes answering questions like how many attacks are happening and from which geography, what are our top 10 threats, as well as determining vulnerabilities by business units. MIS reporting has long existed in every product but with the availability of more historical data and an ability to run a variety of statistics, today such analytics are common for every product. You can now slice and dice data in multiple ways and do multi-dimensional analysis.
2. Detective Analytics. This detects the threats that are occurring now which aren’t otherwise known through rule matching. This involves using analytics to find patterns, deviations, outliers, anomalies, and deciding if they represent a threat.
3. Diagnostic analytics. It looks at past data to determine what happened, why it happened, and what root causes we should be concerned with. This applies to alert investigation and to incident analysis. Instead of being done by people with limited tools, today these are run in an automated manner using rules and statistical modeling.
4. Predictive analytics. Using current and past data, it is able to predict future events. This is where machine learning has the highest application where machines can utilize large amounts of data, build cause-effect relationships, and predict an effect for current causes. The use case will be to predict which assets are going to be attacked or which users are likely to turn hostile.
5. Prescriptive analytics. This is the most valuable kind of analysis as it suggests what action is most appropriate in a given situation. This is akin to a machine recommending what is the most appropriate control to put in for a risk it has seen.
Current Security Products and Analytics
Security operations covering threat and vulnerability management need all five types of analytics. What are the security products available to security operations today for these analytics?
Most current security products have descriptive analytics today, including IPS, NGFW, AV, etc. They not only do their job (like IPS generating alerts on attacks), but provide additional tools for mining the data and creating trends and metrics. They can also provide a variety of reports on security status. In addition to SOC, SIEM provides centralized descriptive analytics by pulling in data from multiple places. For better visualization, some SOC use tableau or a similar data visualization tool. While there are some security analytics products like GRC that are focused on bringing in all the data on threats and vulnerabilities and provide reports or dashboards for them, they are of relatively low value to SOC.
The detective analytics products look for bad behavior but without Pre-defined rules. These are:
- Anti-APT types of products that detect unknown malware through sandboxing and building analytics around the file behavior.
- The UBA (User Behavior Analytics) products provide analytics around user access and detect misuse, attacks, or frauds from users.
- The EDR (Endpoint Detection and Response) products carry out analytics at endpoints to detect if unknown malware is executing on the end points.
- Packet analytics products collect raw packets and conduct analytics to detect malicious behavior
- Some SIEM are building capabilities by adding netflow analytics, packet capture analytics, and UBA.
- There are separate big data analytics platforms which are competing with SIEM to become the central analytics around logs, netflow, packets, proxy, email, DNS, user access and much more. Their advantage lies in newer technologies for faster processing, the ability to handle greater variety, and more open architecture.
Currently, SOC has a good number of choices for descriptive and detective analytics. What it lacks is in three other areas of analytics.
Diagnostic analytics is a place where analysts and investigators can end up spending a large amount of time and effort for every suspicious event. SIEM and EDR provide partial support for investigation but they are not built for full diagnostics. There is no single platform for SOC to launch all types of diagnostic analytics centrally. Investigators would like to carry out analytics to understand:
- How and when an attack originated, is there a campaign, or is it a stand alone alert?
- What else has been impacted? What is the typical blast radius for a current attack?
- Who is patient zero for any attack campaign?
In order to to answer these questions an investigator currently needs to collect data from many sources: the logs, the machine state, past alerts from all security products, and threat intelligence data. Even with all this data, the analysis can be very painful and slow given the lack of specialized tools for analytics. For example, to determine blast radius you would need an association algorithm, flow analytics, automated indicator matching, and alert profiling apart from tools for data mining on assets and alerts. Today, no product is available to SOC for conducting such analytics.
When it comes to current predictive analytics there are threat feeds available to SOC that help analysts orient themselves for attacks. This level of predictive analytics is achieved through a threat intelligence platform that integrates all threat feeds and applies them across data sources in a network. However, a SOC would like to be even more prepared to predict attacks or predict an attacker beyond the tactical indicator matching of the current threat intel platforms. One use case would be to know what the next attack is likely to be on an asset given the sequence of alerts in the near past. This would need an application of machine learning algorithms such as a Markovian chain or other. Another use could be to predict the riskiness of an asset or a user inside the network based on past history or behavior. Such a predictive analytical platform goes beyond the current threat intel platforms available to SOC.
Current security orchestration or incident response platforms have some features of prescriptive analytics. Today some of them can guide an incident responder on the steps to be taken based on regulatory rules. These are like expert systems for breach response; however, they do not provide the technical responses that a SOC needs to take based on an incident. Such prescriptive analytics could be a technical expert system or it could be supervised machine learning where the platform learns from the past actions of a human analyst in responding. For example, it could suggest a series of actions for an incident beginning from what rules to push to firewall, what configuration changes to do to a machine, or what virtual patching rules to apply in a WAF.
The Future of Security Analytics
Gartner has defined a new product category under Security Operations Analysis and Reporting (SOAR) which has certain features for descriptive, diagnostic, and prescriptive analytics. Of course the focus of SOAR is beyond analytics and includes the automation of tasks for threat and vulnerability management.
Going forward, SOC’s would need to make all five analytical tools available to analysts and incident response teams. Whether all these features come together in one product or they are spread out across products, the world definitely needs more than what is currently available in terms of security analytics.