When introduced to the idea of security analytics, most people feel as though they intuitively ‘get it.’
After all, what’s not to like about detailed intelligence that helps you keep your organization safe?
But even several months after implementing a security analytics solution, it’s often hard for organizations to see what improvements have been made. They know all about the latest threats, events and headlines, but their day-to-day operations seem pretty much unchanged.
But knowing and doing aren’t the same thing. It’s not enough to simply have detailed security analytics; you have to use them to improve your organization’s security program.
Just One Part of the Puzzle
The first thing to keep in mind is that security analytics are only one element of your wider security program. Intelligence alone won’t keep your organization safe, and you must have the capability to carry out both proactive and reactive security measures.
On a similar note, having security analytics is not an excuse to ignore good security hygiene. Ongoing improvement initiatives such as vulnerability management are an essential part of your organization’s security program, and should be conducted independently of your security analytics collection.
Sure, sometimes you’ll find intelligence that can be used to improve these ‘business as usual’ security processes, but for the most part they should just continue in the background.
But most importantly, you must realize that unexpected things will happen.
If you’re placing too much of an emphasis on security analytics, you won’t be prepared to deal with the unexpected, and your response will likely be slow and cumbersome. After all, you had no intelligence to suggest that this threat was coming, so how can you be expected to resolve it?
A well developed security program is equipped to deal with the unexpected. Sure, it helps if you have an early warning, or you’ve analyzed previous similar threats, but in the end you have to be able to deliver in the absence of these advantages.
Security Analytics Drive Action
Let’s assume you have a great security program. You assets are well protected and maintained, and you have the resource available to conduct proactive security projects.
So what should you be looking to achieve with your security analytics? In a word: Action.
As we discussed in the first article of this series, there is a huge difference between data and analytics. If your security analytics don’t improve the security of your organization, they’re a waste of time and resources.
Broadly speaking, there are two situations in which security analytics can lead to direct action:
1) Specific events or risks
Twitter chat before a bomb scare. Adversary chatter before a distributed denial of service (DDoS) attack. Suspicious activity reports before a fire.
Security analytics help organizations all over the world respond to serious and imminent threats every day, and your organization should be among them. As the saying goes, an ounce of prevention is worth a pound of cure, and that’s certainly true where threats are concerned.
Whether you’re a school discovering bullying incidents via Twitter or a financial institution using honeypots to identify potential insider threats, security analytics can help you predict and prevent catastrophic events.
And even if you can’t completely prevent a threat, security analytics can help you spot it early and minimize the damage. Analytics from network telemetry, for example, could help you spot the early stages of a DDoS attack, and thereby avoid a costly and embarrassing outage.
Just because no specific threats are looming, doesn’t mean you can rest on your laurels.
Most of your security analytics won’t relate to a specific and imminent threat, but they can still lead to direct and highly beneficial action. In particular, keeping abreast of the latest threat actors and security trends will help you allocate your discretionary security budget in a sensible and productive way.
Threat actor tactics, techniques and procedures (TTPs) and bulk indicators of compromise (IOCs) are some of the most important trends to pay attention to.
Take, for instance, the massive rise in ransomware attacks. Having a detailed understanding of how threat actors perpetrate their campaigns will dramatically improve both the effectiveness of your employee security awareness programs and your ability to filter the vast majority of phishing emails.
There’s Still Room for Learning
But just because we say security analytics should drive action, doesn’t mean it has to be direct action. After all, analytics systems such as our own Haystax Analytics Platform™ are tremendous learning tools.
Of course, we’re not talking about learning for learning’s sake. We’re talking about learning that can be used to inform your security program at a much broader level than we’ve discussed so far.
Here are some of the valuable lessons you can learn from security analytics:
1) What’s normal?
Carefully studying security analytics over time can help you figure out what ‘normal’ is for your organization. You’ll find consistent patterns in everything from network telemetry to employee behavior, and any event that doesn’t fit inside these patterns can be considered ‘suspicious’.
Anomalies happen, of course, and most of the time they mean nothing, but an established baseline is an extremely valuable security tool.
2) Learn from the mistakes of others
This is perhaps the single most obvious use for security analytics that seemingly nobody is doing.
From the TalkTalk debacle to the multitude of social media hacking incidents, organizations all over the world have appeared blindly unaware of the risks they faced until after the worst had happened. Come to think of it, TalkTalk hadn’t even managed to learn from their own mistake a year previously…
Whether you’re providing an emergency service or trying to protect your organization’s data or IP, using your security analytics platform to help you understand past (or current) events will dramatically improve your ability to plan for the future.
Sure, it’s easier to say ‘That could never happen to us.’ But in an increasingly connected and turbulent world, that simply isn’t true.
3) Discover what’s out there
A lot of the time organizations become so focused on what could happen, they forget to consider that something might have happened already.
This is particularly relevant to cybersecurity, where according to the 2016 M-Trends report organizations are still taking an average of 146 days to detect network breaches. To put that in context, the average organization spends 145 days in blissful ignorance that its network has been breached and sensitive data stolen.
There have been many cases where the first indication of a breach has been a huge dump of sensitive data on the open web. It happened to the FBI, and it can happen to your organization.
Clearly it’s always best to prevent breaches from happening, but if they do happen you’ll want to know as soon as possible. Security analytics platforms can be programmed to routinely check common online dumping grounds for stolen data and if past experience teaches us anything, it’s that this might well be the first you know about it.
Don’t forget, even Edward Snowden had to tell the US government what he’d done.
One Thing at a Time
Information overload is far and away the biggest barrier to effective security analytics. If you try to act on every piece of intelligence simultaneously, you’ll end up achieving next to nothing.
And in order to avoid the analysis paralysis and information overload that comes with massive amounts of data, you’ll need to prioritize.
Like it or not, you cannot improve all security functions simultaneously simply because your analytics suggest it’s a good idea.
Just like any other improvement program, you’ll need to systematically identify the next most important task and stick with it until it’s complete. It might not sound very glamorous, but it’s been proven to work time and time again.