If I’ve heard it once, I’ve heard it a thousand times. Traditional security controls are no longer effective at blocking cyber threats, so enterprise organizations are deploying new types of security defenses and investing in new tools to improve incident detection and response.
Unfortunately, this can be more difficult than it seems. Why? Effective incident detection and response depends upon security analytics technology, and this is where the confusion lies. It turns out there are lots of security analytics tools out there that approach this problem from different angles. Given this reality, where the heck do you start?
Based upon lots of qualitative and quantitative research, I find that many large organizations with experienced security teams tend to jump into security analytics by focusing their effort on the network for several reasons:
- Networks are already instrumented for data collection and analysis. Modern networks are designed to be observed: switches and routers ship with SPAN/mirror ports for packet capture and export NetFlow/IPFIX flow records that security analytics tools can consume directly.
- Security analysts tend to have lots of network security analytics experience. Cybersecurity professionals have years of experience with open source tools such as tcpdump, Nmap and Wireshark (formerly Ethereal). Commercial network security analytics tools build on this foundation.
- Network security analytics can be mapped to APT “kill chains.” Sophisticated advanced persistent threats (APTs) tend to follow the Lockheed Martin “kill chain” composed of seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2) and actions on objectives. Most of these phases leave a trace on the wire (scanning, the inbound delivery of a payload, outbound C2 beacons, data leaving the network), so network security analytics can be used to detect or block malicious activity at multiple points in the attack process.
- Network security analytics can provide visibility from layer 2 through layer 7. The best network security analytics tools collect, process, correlate and analyze metadata up and down the OSI stack, both in real time and retrospectively over long retention periods. These details are important when it comes to piecing together an entire sequence of events to determine what happened and when.
- Threat intelligence aligns well with network security analytics. While network security analytics tend to scrutinize internal network data, many tools are also tightly integrated with threat intelligence to provide an outside-in perspective on network threats. Threat intelligence feeds contain specific information about cyber-adversary tactics, techniques and procedures (TTPs), ongoing campaigns, or indicators of compromise (IoCs) such as known malicious IP addresses, file hashes, URLs and domains. By comparing external threat data with internal network security analytics, large organizations may be able to thwart cyber attacks before they lead to mayhem.
- Network security analytics provide a bridge between cybersecurity and network operations teams. Upon the detection of malicious activity, security and network operations teams work closely to remediate compromised or vulnerable systems. Network security analytics can help with this collaboration by providing a common dashboard of network-level detail about IP addresses, network services, payloads and protocols.
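The two detection ideas above, matching flow records against a threat-intelligence IoC list and spotting C2 beaconing from flow timing alone, can be shown on NetFlow-style data. The following is an added example written for this article, not code from any vendor or tool mentioned here; the flow records, the IoC list, the 10.0.0.0/8 "internal" convention and the beacon thresholds are all constructed assumptions.

```python
"""Constructed NetFlow-style analysis: IoC matching and C2 beacon detection.

Example code added to this article; every record and indicator below is made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (unix_ts, src_ip, dst_ip, dst_port, proto, bytes_out)
FLOWS = [
    # A workstation checking in to an external host every ~60 s: a C2 beacon.
    # Note that 203.0.113.7 is deliberately NOT on the IoC list below.
    (1000, "10.1.2.3", "203.0.113.7", 443, "tcp", 812),
    (1061, "10.1.2.3", "203.0.113.7", 443, "tcp", 790),
    (1119, "10.1.2.3", "203.0.113.7", 443, "tcp", 805),
    (1180, "10.1.2.3", "203.0.113.7", 443, "tcp", 821),
    (1241, "10.1.2.3", "203.0.113.7", 443, "tcp", 799),
    (1299, "10.1.2.3", "203.0.113.7", 443, "tcp", 808),
    # The same workstation browsing normally: irregular gaps, must not be flagged.
    (1005, "10.1.2.3", "198.51.100.20", 443, "tcp", 4120),
    (1012, "10.1.2.3", "198.51.100.20", 443, "tcp", 18833),
    (1300, "10.1.2.3", "198.51.100.20", 443, "tcp", 2206),
    (1304, "10.1.2.3", "198.51.100.20", 443, "tcp", 9981),
    (1310, "10.1.2.3", "198.51.100.20", 443, "tcp", 3310),
    (1390, "10.1.2.3", "198.51.100.20", 443, "tcp", 5502),
    # An inbound SSH attempt from a listed scanner (reconnaissance).
    (1020, "192.0.2.44", "10.1.2.3", 22, "tcp", 60),
    # A single connection to a listed C2 server.
    (1100, "10.1.2.9", "203.0.113.99", 8080, "tcp", 512),
    # A large FTP upload to a listed exfiltration drop (actions on objectives).
    (1350, "10.1.2.9", "203.0.113.50", 21, "tcp", 734_003_200),
]

# Constructed threat-intelligence feed: IoC address -> kill-chain phase it implies.
IOC_IPS = {
    "192.0.2.44": "reconnaissance",
    "203.0.113.99": "command and control",
    "203.0.113.50": "actions on objectives",
}
INTERNAL_PREFIX = "10."  # assumption: 10.0.0.0/8 is the enterprise's internal space


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def match_iocs(flows, ioc_ips):
    """Return (flow, phase) for every flow whose external peer is on the IoC list."""
    hits = []
    for flow in flows:
        _, src, dst, *_ = flow
        external = dst if is_internal(src) else src
        if external in ioc_ips:
            hits.append((flow, ioc_ips[external]))
    return hits


def detect_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag outbound (src, dst, port) tuples whose inter-arrival times are too regular.

    cv = population std-dev / mean of the gaps between successive flows. A beacon
    with small jitter has a low cv; interactive traffic does not. Returns a dict
    mapping each flagged tuple to its mean interval in seconds. Works without any
    IoC knowledge, which is why it catches 203.0.113.7 above.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, port, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_peer[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in by_peer.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:  # all flows share a timestamp; not a periodic beacon
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


def kill_chain_summary(flows, ioc_ips):
    """Count detections per kill-chain phase, combining IoC hits and beacons."""
    summary = defaultdict(int)
    for _, phase in match_iocs(flows, ioc_ips):
        summary[phase] += 1
    for _ in detect_beacons(flows):
        summary["command and control (beacon)"] += 1
    return dict(summary)


if __name__ == "__main__":
    for flow, phase in match_iocs(FLOWS, IOC_IPS):
        print(f"IoC hit  {flow[1]} -> {flow[2]}:{flow[3]}  [{phase}]")
    for (src, dst, port), interval in detect_beacons(FLOWS).items():
        print(f"beacon   {src} -> {dst}:{port} every ~{interval}s")
    print(kill_chain_summary(FLOWS, IOC_IPS))
```

The point of running both checks is that they fail differently: IoC matching is precise but only knows what the feed knows, while the timing check finds the beacon to 203.0.113.7 that no feed lists, at the cost of thresholds (`min_flows`, `max_cv`) that have to be tuned against the organization's own traffic to keep keep-alive and polling traffic from drowning the analyst.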
Networks are certainly a good place to start, and they also act as a building block for other security analytics efforts. Leading organizations often supplement network security analytics with similar projects for monitoring the behavior of critical data assets, endpoints and users. They then bridge all of these analytics using an integrated cybersecurity orchestration platform (ICOP) from vendors such as FireEye (Invotas), Hexadite, IBM (Resilient Systems), Phantom Cyber or ServiceNow.
Enterprise focus on network security analytics is also clearly appreciated on the supply side of the economic equation. Arbor Networks made a few acquisitions and now offers a product called Spectrum. Blue Coat, Cisco, FireEye and RSA all acquired network analytics vendors over the past few years, while IBM and LogRhythm announced network forensic offerings for integration with their SIEM products.
As the old security saying goes, “the network doesn’t lie.” Clearly both the supply and the demand sides of the cybersecurity industry understand what this means and are busy reacting to this truism.