Cybersecurity Analytics. And more specifically…?


The IT world is full of principles and good practices for maintaining cybersecurity: the NIST Cybersecurity Framework, ISO 27001 or SABSA, and that is just the beginning. IT security teams are literally bombarded with requirements for maintaining an adequate level of security across the organization's IT infrastructure, bombarded to the point where a filter is needed to match those requirements to the actual threat level. This is where security analytics technologies come in: they focus on delivering the data that improves an organization's ability to assess, analyze, and manage security threats. As a result, organizations are increasingly turning to security analysts and consultants for help in implementing and maintaining a security framework.

The term “security analytics” does not refer to a specific technology or piece of software. There is no unified all-in-one security analytics tool or platform, because each company has its own technical challenges and infrastructure weaknesses. Instead, it covers a set of methods and technologies for collecting and aggregating data in order to detect and block potential threats. For example, security analytics may include behavior analysis tools used to detect threats and monitor security.

Analytics gives you a picture of the current cybersecurity status when you follow these steps:
  • Collect data from existing IT security systems.

  • Align the data with the assumptions of the current IT security strategy.

  • Identify gaps in the current state of IT security.

  • Select complementary solutions.

  • Monitor performance after implementation and estimate the rate of improvement.

Following good management practice, which bases planning on the available data, we will look at the first step. It is the most demanding, because it requires an in-depth analysis and correlation of the output from every available system that can support a forensic investigation.

This includes finding, collecting, storing, and correlating security data from multiple sources, including:
  • Server and application logs.

  • Network devices and network traffic logs.

  • Physical servers.

  • Endpoints.

  • Virtual machines and hypervisors.

  • Contextual data not related to IT (but this is a topic for a separate article).

  • Identity and access management tools.

  • Behavioral analyses that identify patterns of user activity that deviate from the baseline.

The spread of increasingly sophisticated cybersecurity threats requires organizations to assume compromise, that is, to assume that someone is already in the system. The mythical silver bullet has never existed in cybersecurity, and traditional tools are only as effective as the limited area they cover.

For example, a SIEM will correlate events recorded by several systems, but the incident it creates will only be as good as the data coming from those systems. An attack may well be caught by the firewall and the EDR, but without a DLP system it will take longer to learn what exactly the attack targeted. In addition, without proper configuration and data management processes, you risk drowning in a deluge of false alerts. The organization therefore needs to build a strong security foundation by applying security analytics across the entire range of security functions: identification, protection, detection, response and recovery.
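The SIEM point above, as an added example that is not part of the original article: a minimal correlation over constructed firewall, EDR and DLP events (sample records, not real logs; the field names and the five-minute window are assumptions). An incident is raised only when two feeds agree, which keeps single-source noise out of the queue, and each incident states which feeds contributed, so a missing DLP feed shows up as an explicit "target unknown" gap rather than a silently incomplete incident.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from three feeds a SIEM might ingest.
# Field names are assumptions; the DLP feed is empty to model the gap the article describes.
FIREWALL = [
    {"ts": "2024-05-01T10:00:20", "host": "ws-07", "dst": "203.0.113.9", "action": "allow"},
    {"ts": "2024-05-01T10:00:25", "host": "ws-07", "dst": "203.0.113.9", "action": "deny"},
    {"ts": "2024-05-01T11:30:00", "host": "ws-12", "dst": "198.51.100.4", "action": "allow"},
]
EDR = [
    {"ts": "2024-05-01T10:00:12", "host": "ws-07", "alert": "suspicious_process"},
    {"ts": "2024-05-01T15:00:00", "host": "ws-12", "alert": "suspicious_process"},
]
DLP = []  # no DLP system deployed

def _t(stamp):
    return datetime.fromisoformat(stamp)

def correlate(fw, edr, dlp, window=timedelta(minutes=5)):
    """Raise one incident per EDR alert that is followed within `window` by an allowed
    outbound connection from the same host. A lone alert from either source is not
    enough, which keeps single-source noise out of the incident queue. Each incident
    records which feeds contributed, so a missing feed is an explicit gap."""
    incidents = []
    for e in edr:
        t0 = _t(e["ts"])
        hits = [f for f in fw if f["host"] == e["host"] and f["action"] == "allow"
                and t0 <= _t(f["ts"]) <= t0 + window]
        if not hits:
            continue
        leaks = [d for d in dlp if d["host"] == e["host"]
                 and t0 <= _t(d["ts"]) <= t0 + window]
        incidents.append({
            "host": e["host"],
            "destinations": sorted({f["dst"] for f in hits}),
            "sources": ["edr", "firewall"] + (["dlp"] if leaks else []),
            # Without a DLP feed the SIEM cannot say what data was targeted.
            "target_data": sorted({d["file"] for d in leaks}) if leaks else "unknown (no DLP feed)",
        })
    return incidents

if __name__ == "__main__":
    for inc in correlate(FIREWALL, EDR, DLP):
        print(inc)
```

Only ws-07 produces an incident: ws-12's allowed connection precedes its EDR alert by hours, so it stays a single-source signal.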

The most common use cases of security analytics are:
  • Identification and closing of security gaps.

  • System monitoring for internal threats.

  • Searching for anomalies in network traffic and operations on end devices.

  • Data leakage blocking.

  • Maintaining compliance with regulations.

  • Computer forensics.

To build an effective security analytics strategy, companies must capture, describe, and categorize their use cases and set clear goals they want to achieve. The more complex the use case, the more difficult it will be to recognize and predict threats, and the more complex your IT security strategy and operations will be.

Here are some best practices to consider as you explore the various security analytics tools and methods:
  • Define, prioritize and classify key use cases for your organization.

  • Record the capabilities of your existing software.

  • Look for solutions that complement and extend existing systems.

Start with the basics. Identify the gaps in your current security analytics that conflict with your organization’s cybersecurity vision. Then look for a solution that will enrich your current tooling and answer the following questions:

  • Which information is sensitive? Where is it? Is it at risk?
  • Who has access to sensitive data? How can I remedy excessive access?
  • Who has access to sensitive data? Is there any inappropriate privileged user activity?
  • Do I have to report a data breach? How can I make an informed decision faster?
  • What data should be recovered in the event of a security breach? How could the incidents be stopped?

By implementing systems that answer the questions above, you can streamline the investigation, shorten the response time to anticipated threats, determine the severity of a breach, and turn all the information collected during the incident into insights that strengthen your security infrastructure against similar incidents in the future. Good luck!

