If I’ve heard it once, I’ve heard it a thousand times: traditional security controls are no longer effective at blocking cyber-threats, so enterprise organizations are deploying new types of security defenses and investing in new tools to improve incident detection and response.
Unfortunately, this can be more difficult than it seems. Why? Effective incident detection and response depends upon security analytics technology, and this is where the confusion lies. It turns out that there are lots of security analytics tools out there that approach this problem from different angles. Given this reality, where the heck do you start?
Based upon lots of qualitative and quantitative research, I’m finding that many large organizations with experienced security teams tend to jump into security analytics by focusing their effort on the network for several reasons:
- Networks are already instrumented for data collection and analysis. Modern networks are designed to be analyzed. Network devices come outfitted with SPAN ports and serve up NetFlow/IPFIX for security analytics.
- Security analysts tend to have lots of network security analytics experience. Cybersecurity professionals have years of experience with open source tools like Ethereal, Nmap, tcpdump, and Wireshark. Commercial network security analytics tools build upon this foundation.
- Network security analytics can be mapped to APT “kill chains.” Sophisticated advanced persistent threats (APTs) tend to follow the Lockheed-Martin “kill chain” composed of 7 phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Network security analytics can be used to block or detect malicious activity throughout each phase of the entire cyber-attack process.
- Network security analytics can span layer 2 through 7 visibility. The best network security analytics tools collect, process, correlate, and analyze metadata up and down the OSI stack in real-time and for retroactive remediation over periods of time. These details are important when it comes to piecing together an entire sequence of events to determine what happened and when.
- Threat intelligence aligns well with network security analytics. While network security analytics tend to scrutinize internal network data, many tools are also tightly integrated with threat intelligence to provide an outside-in perspective on network threats. Threat intelligence feeds contain specific information about cyber-adversary tactics, techniques, and procedures (TTPs), ongoing campaigns, or indicators of compromise (IoCs) like known malicious IP addresses, files, URLs, and domains. By comparing external threats with internal network security analytics, large organizations may be able to thwart cyber-attacks before they lead to mayhem.
- Network security analytics provide a bridge between cybersecurity and network operations teams. Upon the detection of malicious activity, security and network operations teams work closely to remediate compromised or vulnerable systems. Network security analytics can help with this collaboration by providing a common dashboard of network-level detail about IP addresses, network services, payloads, and protocols.
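The threat-intelligence bullet above describes comparing an external IoC feed against internal network data. As an added example (not code from the original post), the block below shows the simplest form of that comparison: NetFlow/IPFIX-style flow records are parsed and matched against a list of IP indicators, with CIDR ranges handled as well as single addresses, then the hits are rolled up per internal host so an analyst sees which machines talked to how many known-bad destinations and how much data left. All flow records and indicators are constructed for the example and use RFC 5737 documentation ranges, so none of them refer to a real host or a real feed.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intelligence indicators (placeholders, not a real feed).
# Feeds commonly mix single addresses with CIDR ranges, so both forms appear.
IOC_FEED = [
    ("198.51.100.23", "known C2 address"),
    ("203.0.113.0/24", "hosting range seen delivering payloads"),
]

# Constructed NetFlow/IPFIX-style records, one flow per line:
# timestamp,src_ip,dst_ip,dst_port,proto,bytes
FLOW_RECORDS = """\
2024-01-15T10:00:01Z,10.1.2.3,192.0.2.10,443,tcp,20480
2024-01-15T10:00:05Z,10.1.2.3,198.51.100.23,443,tcp,5120
2024-01-15T10:02:17Z,10.1.2.3,198.51.100.23,443,tcp,4096
2024-01-15T10:03:40Z,10.1.2.3,203.0.113.77,80,tcp,1048576
2024-01-15T10:04:02Z,10.1.9.8,192.0.2.55,53,udp,128
2024-01-15T10:05:11Z,10.1.9.8,203.0.113.5,8080,tcp,2048
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the comma-separated flow export; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(nbytes)))
    return flows


def build_ioc_index(feed) -> list[tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, str]]:
    """Normalize every indicator to a network object; a bare address becomes a /32 (or /128)."""
    return [(ipaddress.ip_network(indicator, strict=False), desc) for indicator, desc in feed]


def match_flows(flows: list[Flow], iocs) -> list[tuple[Flow, str, str, str]]:
    """Return (flow, matched_field, indicator, description) for each flow touching an indicator.

    Both endpoints are checked: an outbound flow to a C2 address and an inbound
    connection from a known-bad range are both worth surfacing.
    """
    hits = []
    for flow in flows:
        for net, desc in iocs:
            # Address/network version mismatches simply evaluate to False here.
            if flow.dst in net:
                hits.append((flow, "dst", str(net), desc))
                break
            if flow.src in net:
                hits.append((flow, "src", str(net), desc))
                break
    return hits


def summarize_by_source(hits) -> dict[str, dict]:
    """Roll hits up per internal source host: distinct indicators, flow count, bytes sent."""
    summary = defaultdict(lambda: {"indicators": set(), "flows": 0, "bytes": 0})
    for flow, _field, indicator, _desc in hits:
        entry = summary[str(flow.src)]
        entry["indicators"].add(indicator)
        entry["flows"] += 1
        entry["bytes"] += flow.nbytes
    return dict(summary)


if __name__ == "__main__":
    matches = match_flows(parse_flows(FLOW_RECORDS), build_ioc_index(IOC_FEED))
    for flow, field, indicator, desc in matches:
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} matched {field} {indicator} ({desc})")
    for host, entry in summarize_by_source(matches).items():
        print(f"{host}: {entry['flows']} flows, {entry['bytes']} bytes to {sorted(entry['indicators'])}")
```

The per-host summary is where this becomes useful to the analyst rather than just a firehose of matches: one host that contacted two different indicators and moved a megabyte outbound is a very different triage priority from a host with a single 2 KB hit, even though both would appear identically in a raw match list.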
Networks are certainly a good place to start, but they also act as a building block for other security analytics efforts. Leading organizations often supplement network security analytics with similar projects for monitoring the behavior of critical data assets, endpoints, and users, for example. They then bridge all of these analytics using an integrated cybersecurity orchestration platform (ICOP) from vendors like FireEye (Invotas), Hexadite, IBM (Resilient Systems), Phantom Cyber, or ServiceNow.
Enterprise focus on network security analytics is also clearly appreciated on the supply side of the economic equation. Arbor Networks made a few acquisitions and now offers a product called Spectrum. Blue Coat, Cisco, FireEye, and RSA all acquired network analytics vendors over the past few years while IBM and LogRhythm announced network forensic offerings for integration with their SIEM products.