Threat Hunting Guide

Security analytics is the art of combining process, forensics, technology, and skill to detect and react against cyber-threats. It deploys advanced data collection, analysis, and monitoring tools to detect malicious activity and malware that could threaten an organization’s infrastructure.

Security analytics tools detect threats by using a trifecta of data science, AI, and deep learning algorithms on environmental data. It can also combine these big data capabilities with threat intelligence to help detect, analyze, and mitigate insider threats.

This article aims to cover the main features and benefits of security analytics, what it is, and how it  can help protect your organization. Traditionally, cybersecurity has taken the “classic approach” where detection is passive, relying on pre-established playbooks and detection rules that only detect well-known threats instead of utilizing multiple data sources. In the modern era, we are taking a more analytical and proactive approach, where data is gathered from multiple sources and analyzed for suspicious behavior with artificial intelligence and machine learning. In the table below we have highlighted these two key methods and their differences.

Executive summary: Classic VS Security Analytics approaches

Classic security tools	Security analytics solutions
Detection based on rules and well-known signatures and uses queries to obtain specific data	Detection based on deviations in pattern learned from multiple data sources
Approach based on a single event or repeated event	Approach based on user and entity behavior analysis (UEBA) and correlation across dissimilar data sources that finds threats without manual threat-hunting
Siloed data across applications that needs to be analyzed independently	Approach where data is correlated across unlinked sources for the purpose of detection
Unidimensional analysis	Multidimensional analysis using machine learning and artificial intelligence to detect threats and deviations from the baseline and moving towards predictive analysis
Can generate false positives and requires human analysis to eliminate false alerts	Uses advanced techniques to raise attention to actual threats focused on automating tasks
Requires identification, protection, detection, response and recovery to be independent functions	Allows for identification, protection, detection, response and recovery to be managed holistically from a centralized platform

Security Analytics: Inputs and Outputs

As security threats evolve, security standards and frameworks, such as NIST Cybersecurity Framework, have also evolved to counter them. This framework defines five major functions of an efficient cybersecurity strategy:

• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. 
• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

NIST Cybersecurity Framework main functions (NIST.gov)

When security professionals are able to detect threats at an early stage, they can counter-attack more quickly to prevent network infiltration, infrastructure compromise and data loss.

Example of the types of data ingested into a security analytics solutions

Security analytics solutions thrive on data and the more data points they have the better they function. Data is aggregated and then analyzed for suspicious patterns and behaviors. Sources and types of analytical data include: 

• Endpoint data
• Business applications
• Network systems and telemetry
• Identity and access data
• Virus and intrusion scanners
• Threat intelligence 
• Organizational data
• User and machine behavior data

These sources all generate logs in various formats that can be ingested by an analytics solution.  By combining and correlating multiple data feeds, organizations can now work with a single dataset or “source of truth”. This allows security professionals to centrally apply appropriate algorithms and create rapid searches that can identify early indicators of attack. Remarkably, machine learning technologies can even be used to perform threat and data analysis in near real-time.

Due to the diversity of data sources, security specialists typically use a platform that can gather and analyze data centrally, rather than examining logs in situ on individual systems. Centralized log management improves the efficiency of viewing and analyzing normalized logs from varied sources across systems.

Security Analytics Usage & Advantages

Security analytic processes are generally more successful and easier to implement when data sources are graded for both risk and value. This allows the selection of protective technologies and processes to be based on the resource itself.

Security analytic components

A common challenge for many organizations is managing the security risks associated with multi-cloud and hybrid-cloud environments. By using a security analytics approach, the lack of infrastructure visibility and the difficulty of managing complex data often associated with the cloud can be overcome. For example:

• Connecting data silos: A security analytics tool allows trusted users to run custom queries across different data formats and systems to generate security intelligence. As such, security teams can now access quality, timely data that enables them to conduct informed decision making.
• Incident response automation: In a hybrid cloud environment, it is important to automate as many threat identification and mitigation tasks as possible through orchestration workflows. Automating tasks helps reduce the workload on day-to-day security processes, allowing administrators to focus on higher priority tasks, such as threat research and forensic investigation.
• Access to a unified interface: Security teams often face the challenge of having to use too many security tools, making it difficult to maintain a more holistic view. By using unified interfaces, security analytics allows administrators to manage their operations centrally and simplistically. This single interface also increases efficiency and response precision.

Security analytics allows for a more proactive security posture, improved visibility across systems, and improved incident management by detecting threats earlier, aggregating data from multiple sources, and making patterns emerge. More than that, security analytics also contributes to maintaining regulatory compliance with government and industry regulations, such as HIPAA, PCI-DSS and GDPR. It does so by monitoring access, user behavior and authentication, allowing for better detection of non-compliance. Security analytics also provides greater insight into security incidents by providing forensic, type and origin-of-attack information which helps prevent similar incidents in the future.

Security Analytics – Use Cases

Security analytics provides many versatile capabilities that range from improving network visibility to employee monitoring and threat detection. Due to their flexibility, security analytics tools have many use cases – here are some examples:

• Threat research – To stay ahead of hackers, security teams must proactively look for breach indicators, behaviors, and other emergent threats. Security analytics can automate this process through behavior analysis and identify otherwise hard-to-spot malware
• Detecting insider threats – As insiders often have access to sensitive data and systems, they can actually pose more of a significant threat than external actors. Security scanning detects malicious insiders by analyzing unusual login times, unauthorized database queries, abnormal email usage and discovers data theft indicators. For example, a successful login after a series of failed logins attempts will typically generate an alert as this could indicate a malicious act. Any successful login after a set of failed attempts might constitute a data point that a security analytics setup would correlate with other indicators and data points to detect major pattern deviations.
• Unauthorized data access – Unauthorized movement of data into or out of your network may indicate data loss or theft. Security scanning helps prevent data leaving your organization – something that often escapes traditional data loss prevention solutions. It can even detect data loss inside encrypted communications. A data download can be a trigger after which a security analytics environment would raise a red flag, if it happens after a failed-then-successful login attempt. These data points might indicate a suspicious activity which would not be detected by a classic DLP tool alone.
• Cloud security oversight – While cloud accelerates digital transformation and streamlines operations, it also creates new cybersecurity challenges by increasing the attack surface and opens new vulnerabilities. Security analytics can monitor cloud applications and on-premise sources alike, look for threats across the entire landscape
• Network traffic analysis – Network traffic is constant, substantial and dynamic. As a result, security analysts can struggle to maintain visibility into each session and transaction. Security analytics provides a window into your entire traffic stream, allowing the analysis and detection of anomalies while integrating into other cloud security tools. For example, a spike in traffic at an unusual time, or multiple rejected connection requests, might indicate an attack

Security Analytics – Getting started

Applying security analytics to strengthen your security program requires investment in tools, processes, and people. Each analytics technology is quite different from the other, which leads to a requirement for good training and staffing. Without appropriate ability or experience, subsequent misconfiguration or misuse of these tools could result in false alerts and corrective efforts that nullify their benefit.

A good starting point is to build upon any pre-existing capability or experience in your organization. As a recommendation, you should: 

• Set clear objectives for your security program that support the larger organizational mission and begin a discovery process to find any technical shortcomings or gaps. For example, it could be the case that different components within a network’s logs are not being correlated to detect patterns, or a tool’s inability to automatically respond during an event.
• List the required features and capabilities and audit for gaps against solutions already in use
• Evaluate potential solutions that could fill these gaps and augment, or replace, existing tools for a full featured solution set fulfilling all requirements
• Leverage risk assessment and asset classification frameworks to identify critical assets and resources. These assets should be prioritized in the security analytics dashboard to allow analysts to perform appropriate decision making

As an example, your goal may be to detect insider threats to the organization. Data exfiltration might be identified as a gap, so you should search for solutions that differentiate between data leak traffic and normal traffic. This way you’re able to maximize the potential of Security Analytics through the correlation of data flow logs with existing data log points within the platform.

Some examples of popular security analytics solutions that you may wish to research include: 

• Devo Security Analytics Solutions – Cloud-native security analytics tool providing full visibility into any data source or type, whether on-prem or cloud, in a single pane of glass. Enables security analytics across 400 days of hot data.
• SolarWinds Security Event Manager – Security analytics tool providing automated incident response, cyberthreat intelligence, and compliance reporting in a unified dashboard
• DataDog – Initially a cloud monitoring specialist, their security analytics tool aggregates metrics and events across a full DevOps stacks and integrates with many cloud platforms

Defining the selection criteria for a solution that meets all of your needs is not always easy. If in doubt, bare the following tips in mind:

• Ensure that the the solution matches your environment and architecture goals
• Ensure that its features and capabilities meet your specific needs, expectations and technologies
• Check that the vendor has a good track record for long-term support and documentation 
• Investigate the deployment process and ease of on going maintenance
• Ensure the vendor solution is easy to use and intuitive to integrate with your processes
• Assess whether solution represents good value for money

Conclusion

As attack surfaces increase and threat environments become more complex, organizations face new obstacles to preserving their safety, upholding their security and preventing cyber incidents. By correctly aggregating, correlating, and analyzing data, security analytics can act as a bulldozer to these obstacles and provide a level of threat visibility and defense not previously available.