The Evolution of Security Analytics
Cybersecurity needs to be made simple, accurate, and actionable to respond to today’s dynamic threat actors, whose patterns and methods (Tactics, Techniques and Procedures, or TTPs) orchestrate and manage attacks.
It is evident that enterprise dependence on manual human analysis and response has rapidly stunted business growth. AI, scaled data services and automation working in concert are fast becoming the security analyst's primary weapon against the exponentially growing threat of a cyber-attack! The security world is looking to a virtual counsel with all of the following characteristics:
Deep network visibility using a single pane of glass that offers topological visualization of the security posture, derived from network data and disparate security systems.
Enterprise-grade software scalability with no data duplication, and one that handles petabytes of data.
Real-time threat hunting that provides searching and hunting capability spanning integrated systems’ network data, SIEM, malware sandbox, end-point solutions and threat intelligence, with integration of myriad data sources.
Machine learning and AI that identify malicious behavior and zero-day threats, obviating the requirement for rules and signatures.
Finally, an active closed-loop learning system that allows for recommendation of actions for similar events, identifying and marking false positives, and providing assignment workflow.
If data can be enriched without any loss of fidelity, then that data can be archived for forensic analysis, known threats can be detected during real-time stream processing and machine learning, analyst feedback can be incorporated rapidly, general threats can be separated from specific ones, false positives can be reduced, and the causes of anomalies can be identified. Together these give a solution robust enough to aid even the most junior security analyst.
In general, security analytics is meant to provide full network visibility, predictive analytics that identify anomalous behavior and assist hunting, and prescriptive analytics that recommend actions and drive efficiency for the analyst.
CISOs and security analysts have been struggling with first-generation SIEMs for several reasons: a lack of real-time data enrichment, which makes real-time hunting impossible and limits detection to atomic events rather than behavior; a lack of real-time asset mapping, which is essential for behavioral analytics; inefficiencies created by high alert volumes, which cause actual threats to be missed; and a lack of continuous, active learning.
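As an added example that is not part of the original post, the following Python contrasts the atomic-event alerting just described with detection over enriched, asset-mapped records. The asset inventory, record format and sample events are all constructed for illustration, and each raw line is carried along unchanged so nothing is lost for later forensic analysis.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical): the asset mapping a first-generation SIEM lacks.
ASSETS = {
    "10.0.1.5": {"role": "domain-controller", "criticality": 5},
    "10.0.2.17": {"role": "workstation", "criticality": 1},
    "10.0.2.18": {"role": "workstation", "criticality": 1},
    "10.0.3.9": {"role": "file-server", "criticality": 3},
}
# Constructed sample records (hypothetical format): one failed login per line.
RAW_EVENTS = """\
2024-05-01T10:00:01 auth_fail src=203.0.113.7 dst=10.0.2.17 user=alice
2024-05-01T10:00:03 auth_fail src=203.0.113.7 dst=10.0.2.18 user=alice
2024-05-01T10:00:05 auth_fail src=203.0.113.7 dst=10.0.3.9 user=alice
2024-05-01T10:00:08 auth_fail src=203.0.113.7 dst=10.0.1.5 user=alice
2024-05-01T10:30:00 auth_fail src=10.0.2.17 dst=10.0.3.9 user=bob
"""

def enrich(line):
    """Parse one record and attach asset context; the raw line is kept so no fidelity is lost."""
    ts, kind, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    asset = ASSETS.get(fields["dst"], {"role": "unknown", "criticality": 1})
    return {"raw": line, "ts": datetime.fromisoformat(ts), "kind": kind, **fields, **asset}

def atomic_alerts(events):
    """First-generation style: every failed login is its own alert, whatever the context."""
    return [e["raw"] for e in events if e["kind"] == "auth_fail"]

def behavioral_alerts(events, window=timedelta(minutes=1), min_hosts=3):
    """Correlate failures per source across distinct hosts inside a time window and
    score the finding by the most critical asset touched (asset mapping in use)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "auth_fail":
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            hosts = {e["dst"] for e in burst}
            if len(hosts) >= min_hosts:
                findings.append({"src": src, "hosts": sorted(hosts),
                                 "score": max(e["criticality"] for e in burst),
                                 "evidence": [e["raw"] for e in burst]})
                break  # report one finding per source per burst
    return findings
```

On the five constructed records the atomic rule raises five alerts, while the behavioral rule raises one finding for the source that swept four hosts, scored by the domain controller it reached.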
With machine learning that goes beyond basic statistical analysis, zero data duplication, scalability, a flexible and extensible architecture, and an active learning loop, clear competitive differentiation in this space can be achieved!