Security analytics key to breach detection

20 Apr 2015

Security spending is at an all-time high, while at the same time security breaches at major organisations are at an all-time high as well, according to analyst firm Gartner.

The company says the impact of advanced attacks has reached boardroom-level attention, and this heightened attention to security has freed up funds for many organisations to better their odds against such attacks.

"Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level," says Eric Ahlm, research director at Gartner.

"Security analytics platforms endeavour to bring situational awareness to security events by gathering and analysing a broader set of data, such that the events that pose the greatest harm to an organisation are found and prioritised with greater accuracy."

Gartner says when it comes to gathering masses of security data that can be analysed to bring greater meaning to security events, security information and event management (SIEM) technologies are topping the list of likely solutions.

While most SIEM products have the ability to collect, store and analyse security data, the meaning that can be pulled from a data store (such as the security data found in a SIEM) depends on how the data is reviewed. “How well a SIEM product can perform automated analytics — compared with user queries and rules — has become an area of differentiation among SIEM providers,” Gartner says.

User behaviour analytics (UBA) is another example of security analytics that is already gaining buyer attention, the company says. UBA allows user activity to be analysed, much in the same way a fraud detection system would monitor a user's credit cards for theft. “UBA systems are effective at detecting meaningful security events, such as a compromised user account and rogue insiders,” Gartner says. “Although many UBA systems can analyse more data than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach.”

"Today, there are certainly commercially viable applications of analytics to better position security technologies, such as with SIEM and UBA providers," says Ahlm. "However, the applications or other problems that can be addressed for other security markets are still emerging and on the whole, the security industry is rather immature in the application of analytics."

As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. “Today, information about hosts, networks, users and external actors is the most common data brought into an analysis,” Gartner says. “However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.”

Gartner says analytics systems, on average, tend to do better analysing lean, or metadata-like, data stores that allow them to quickly, in almost real-time speed, produce interesting findings. “The challenge to this approach is that major security events, such as breaches, don't happen all at once,” says Gartner. “There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event.

“When these three things are looked at as a single incident that just happens to span, say, three months, the overall priority of this incident made up of lesser events is now much higher, which is why ‘look backs’ are a key concept for analytics systems.”
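The "look back" idea described above, as an added illustration that is not from the article or from Gartner: a small correlation routine that groups one user's low-severity events across a long window and escalates the priority of the combined incident according to how many distinct stages it spans. The event records, stage names, window length and scoring rule are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: three minor events for one user spread over
# roughly three months, plus one unrelated event for another user.
SAMPLE_EVENTS = [
    {"ts": "2015-01-05T08:12:00", "user": "alice", "stage": "early_indicator", "severity": 2},
    {"ts": "2015-01-05T19:40:00", "user": "alice", "stage": "minor_event", "severity": 3},
    {"ts": "2015-03-28T02:05:00", "user": "alice", "stage": "data_leakage", "severity": 4},
    {"ts": "2015-02-14T10:00:00", "user": "bob", "stage": "minor_event", "severity": 3},
]

# Hypothetical ordered stages of an intrusion; any taxonomy would do.
STAGES = ("early_indicator", "minor_event", "data_leakage")


def parse(ts):
    return datetime.fromisoformat(ts)


def summarise(user, evs):
    """Collapse one user's related events into a single prioritised incident."""
    stages = {e["stage"] for e in evs}
    max_sev = max(e["severity"] for e in evs)
    distinct = sum(1 for s in STAGES if s in stages)
    # Scoring rule (constructed): the worst single event, escalated by two
    # points for every additional stage the incident spans. A lone minor
    # event keeps its own severity; a multi-stage chain ranks well above it.
    priority = max_sev + (distinct - 1) * 2
    return {"user": user, "start": evs[0]["ts"], "end": evs[-1]["ts"],
            "stages": [s for s in STAGES if s in stages], "priority": priority}


def look_back(events, window_days=90):
    """Group each user's events into incidents; a new incident starts when an
    event falls more than window_days after the first event of the current one."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        current = []
        for e in evs:
            if current and parse(e["ts"]) - parse(current[0]["ts"]) > timedelta(days=window_days):
                incidents.append(summarise(user, current))
                current = []
            current.append(e)
        if current:
            incidents.append(summarise(user, current))
    return incidents
```

With the 90-day window alice's three events become one incident of priority 8, whereas a 30-day window splits them and her January pair never rises above priority 5.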

"Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time," says Ahlm. "Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualisation of that data will greatly affect adoption of the technology."
