Security Analytics – Finding a Needle in a Haystack

Security is foundational and critical to connectivity and the Internet of Things. With hundreds and thousands of IoT transactions getting executed every second, keeping the communication, infrastructure and customer data secure is a herculean task indeed. Security Analytics is gaining momentum to meet this need. Security Analytics is the combination of techniques that determine some security outcome characterized by a confidence factor by analyzing various sources of data. Until the point of technology’s maturity, information security experts will have to weigh in the output of security analytics tools for further action.

 

Security Information and Event Management

Security Information and Event Management (SIEM) refers to products and services that provide real-time insights into security related events and alerts. SIEM focusses on aggregating data from various sources such as web logs, network logs, firewall, etc. SIEM performs correlations and reacts to the security alerts raised. It also supports compliance requirements and SIEM vendors are expanding the breadth of services for more predictive analytics.

 

User Behavioral Analytics

Another buzz in the security analytics space is “User Behavioral Analytics” (UBA). While SIEM focuses on events and alerts, UBA takes a different approach by focusing on the user behavior.  Using user behavior data to perform customer segmentation, upselling and targeted campaigns have attained their maturity. However, UBA in this context, focuses on using the user behavior data to get some intelligence for some security outcome. UBA, in general, refers to a concept and it could be a product or custom developed solution to solving a problem. At the crux of it, UBA first establishes the baseline of “normal” behavior of a user by mining and analyzing hundreds and thousands of log records. Once the baseline of a “normal” user behavior is established, any deviation from the normalcy for that user is identified and tagged as anomalous activity for further analysis. Some of the common use cases are,

  • Tagging a user who logs in to perform a transaction on Sunday that is quite deviant to his/her normal behavior.
  • A user performing thousands of “Delete” operations of unusual to the user profile.

The anomalous activity is then evaluated for the risk by analyzing the impact and probability. The analytics that powers the intelligence is usually through supervised machine learning and statistical modeling. Overall, UBA helps in identifying compromised account, employee sabotage, privacy breaches, shared account abuse etc.

 

Factors

The response time to identify and alert the anomalous activity determines the success of UBA. In a large enterprise, to aggregate and correlate weblogs and other event logs from multiple systems to establish a continuous refined baseline of a normal behavior of a user or group of users can be daunting. Typically, enterprises have tens and hundreds of batch jobs that do the log management and often it ends up in the archive server. In order to continuously establish a baseline of a normal user behavior, integration with a SIEM or various data sources directly is the first step. Secondly, the big data environment must have tools and products that can support stream analytics of high velocities of data. Last but not the least, supervised machine learning algorithms that can perform continuous classification and detect outliers on a real-time basis. Any product you choose must address these three aspects, whether it is on premise or cloud based. The challenge with Cloud based UBA products is the age-old concern of the data leaving the premise, especially system logs that can hold sensitive content. However, the infrastructure that you require to perform the analytics of massive scale of data might outweigh and quality Cloud-based delivery of UBA.

 

Conclusion

For the data to move up the value chain from information to intelligence, analytics is the answer, if performed at the right time. Any intelligence derived that is actionable to address security breach proactively provides mutli-fold returns on investment on the product or solution you chose for Security Analytics.

One thought on “Security Analytics – Finding a Needle in a Haystack”

  1. Hi Mohan, what SIEM do you use ? We use Secnology. UBA is a nice concept except if it generates more false positives. Can’t beat a seasoned Security expert with decent SIEM.

Leave a Reply