Security analytics is an approach to cybersecurity that collects and analyzes data about threats. The approach aims to detect and prevent threats (both external and internal) before they can affect an organization.
Security analytics can include activities such as examining network traffic for anomalous patterns; uncovering data exfiltration and improper user account usage; and even monitoring data for policy violations. More advanced security analytics features include sequence-based analytics, outlier detection analytics, risk-spotting algorithms and threat detection.
Many organizations view security analytics as an important component of their cybersecurity strategy. According to a survey by Business Application Research Center, 62% of IT and security managers perceive big data security analytics technologies as very important to protecting enterprise data. A survey by IBM found that organizations further along with security analytics programs experienced data breach costs that were about 33% lower than organizations with less mature programs.
Security analytics is sometimes said to be similar to security information and event management (SIEM) systems. While security analytics and SIEM do overlap in some ways, they are not the same. SIEM systems collect log data generated by monitored devices to identify specific events occurring on them, and then aggregate that data. Security analytics, meanwhile, is a broader and more cloud-friendly approach, geared toward DevOps CI/CD lifecycles and higher volumes of data.
How Does Security Analytics Work?
Security analytics products tend to combine a variety of technologies, but all products collect data from multiple sources, including endpoints, business applications, threat intelligence systems and external threat resources.
Most security analytics technology also includes some type of machine learning (ML) and/or artificial intelligence. Machine learning, for example, relies on a set of algorithms that interpret the data, then “learns” based on matching input data with known output results. An ML model then adjusts the algorithms each time data pass through to improve prediction outcomes.
Together, AI and ML can establish a baseline of normal activity to model anomalies; analyze malware activities; and correlate historical data of intrusions and attacks to identify patterns. Examples include the following:
- Predictive analytics: The application of statistical algorithms to historical data to proactively prevent cyberattacks and predict future cyberattacks in real time.
- User and Entity Behavior Analytics (UEBA): The use of advanced algorithms to create a baseline of routine activities conducted by systems or users. That baseline can then identify and report on behavioral anomalies.
- Customization: Depending on an organization’s needs, some companies develop their own security analytics technology based on a security operations and analytics platform architecture (SOAPA). These can include a SIEM, predictive analytics, UEBA, endpoint protection, incident response, vulnerability scanning and other tools.
Most security analytics platforms are delivered via SaaS or cloud-hosted models.
What Are the Benefits of Security Analytics?
In addition to improving the detection of and response to security incidents and anomalies, security analytics tools can do the following:
- Help organizations comply with industry and government regulations;
- Improve forensics capabilities by providing insights into the origin of attacks, how systems were compromised, what data was lost, and when the attacks occurred;
- Provide a holistic view of security; and
- Help IT departments focus on the most critical issues and events.
Where Can You Find Security Analytics Tools?
Security analytics is a growing field that includes many different types of products. One security analytics product may combine malware sandboxing, signature-based detection and malware-blocking components, while another may combine open-source search and data visualization tools with advanced security analytics capabilities.
Security analytics vendors include:
- Palo Alto Networks
- IBM Security
- Micro Focus
- Sumo Logic
How Organizations Use Security Analytics Tools
Here are several examples of how organizations use security analytics tools to improve operations:
Gaining better visibility into user behavior
A large government agency wanted increased visibility into individual user behaviors. Doing so would help the agency differentiate between unusual user behavior and valid threats. The agency aimed to run advanced and customized correlations on security events, speed up threat response, and align with the MITRE ATT&CK framework. The agency added Micro Focus’ behavioral analytics software, ArcSight Intelligence, to its existing implementations of ArcSight Enterprise Security Manager and Logger. The addition of ArcSight Intelligence let the agency not only continue to analyze more than 15,000 events per second but gain broad visibility into user and entity behaviors.
Preventing internal fraud across a dispersed environment
During several years of rapid growth, a large telecommunications provider acquired numerous companies. The acquired companies had disparate levels of security. After taking security measures targeted at external threats, company leaders wanted to do the same for potential internal fraud. The company selected Exabeam’s security management platform and implanted Exabeam’s parser, which analyzes the logs of asset management tools.
Accelerating analysis of cyberattacks
An online banking company found itself unable to derive real-time actionable cybersecurity intelligence from operational data. This was due to inefficient log management, labor-intensive and time-consuming risk management processes, and ineffective analysis of web access logs to detect unauthorized access. The company adopted the Splunk Enterprise platform to rapidly collect and analyze machine-generated big data. The implementation led to faster cyberattack management processes, the successful prevention of illegal money transfers, and opportunities for new security measures.
Stemming alert overload
A healthcare insurance company’s security operations center (SOC) was overwhelmed with about 30,000 security alerts per day. The SOC often had to resort to randomly choosing 10% of the alerts to investigate. Clearly, the company’s existing SIEM and identity and access management systems were insufficient, not even close to keeping up with the security needs of the company’s more than 48,000 employees and 23 million customers. To ensure that its internal systems remained secure, the company implemented the Gurucul Risk Analytics (GRA) platform, which uses machine learning integrated with access and threat analytics to identify access outliers. The GRA platform also supports dynamic provisioning and manages role/access reconciliation through identity analytics. In addition, the platform can use UEBA to prevent privileged access abuse, data exfiltration and insider threats. With the new system in place, the company discovered many unknown privileged accounts, reduced the daily alert volume to just 10 alerts, and sped up response time.
Protecting vulnerable endpoints
A global pharmaceutical distributor saw a major uptick in cyberattacks that targeted research patents and trade secrets. As a result, the distributor wanted a more aggressive advanced threat detection and prevention approach. The company had used mostly siloed endpoint and security monitoring tools, but those tools provided only low-fidelity alerts without enough context and prioritization. The company addressed the problem by integrating its existing Tanium endpoint security system with its Securonix SIEM system. Once integrated, analysts could use Securonix to look for malicious activities, bringing in endpoint telemetry events from Tanium and other network, cloud and application anomalies. Securonix uses Tanium to determine risk scores for vulnerable and high-priority assets, then initiates remediation actions on endpoints using Tanium response integration.
IT environments have rapidly undergone a sea change in recent years: The COVID-19 pandemic forced employees to work remotely from sometimes insecure location; organizations saw explosive growth of data and data security concerns; cloud offerings proliferated; and cybercriminals learned to be more ingenious.
All these changes have led many organizations to conclude that they need cutting-edge security technologies to protect themselves. Security analytics is one of the major approaches trying to fill that void.