What is Cyber Security Analytics?
Cyber security analytics is an approach to security monitoring that leverages big data and machine learning / analytics to normalize and analyze network traffic for threat behavior detection. By working from full-fidelity, un-sampled network data, such as NetFlow and network packet data, monitored network traffic can be used to identify indicators of compromise before a threat causes significant damage to the enterprise. Cyber security analytics leverages behavioral analytics and machine learning to continuously identify changes in usage patterns that could indicate threats. By identifying threats that bypass perimeter security measures sooner, you can reduce risk to your enterprise.
What are typical security analytics use cases?
Cyber security analytics transforms your network data into actionable security intelligence. By leveraging threat intelligence and security analytics, you can look for changes in observed values over time. Cyber security analytics can identify threats such as:
- Data Exfiltration. Data routinely moves in and out of your network, but unusually high volumes of data leaving the borders of the network—especially sensitive data—need to be investigated immediately.
- Scans. Unusual or increased scanning behavior on the network could indicate that your systems have been compromised and you need to find and stop the perpetrators fast. Scanning for open and available services is a common reconnaissance technique used by hackers who have found a way to infiltrate your network. Worms often resort to random scanning to find other systems to penetrate.
- New Clients and Servers. There are lots of servers and clients on your network—and companies add new ones all the time. However, rogue servers on the network and unexpected clients communicating with those servers could be a sign that something is wrong. A new, unknown file server on your network could be a sign that someone is trying to exfiltrate information. A new SubSeven/Back Orifice/SVN server could indicate a backdoor used by a hacker.
- Volume-based Activity. Unusual increases in network traffic and connections on a continuous basis could represent an amplification, SYN flood, smurf/fraggle, slow loris, Christmas tree, LAND, IP/TCP NULL, or other attacks. These traffic patterns signal a potential in-progress DDoS attack that could take down your systems, so you need to be able to detect, classify, and mitigate them fast.
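The four use cases above all reduce to comparing flow-level observations against a baseline or an inventory. The following is an added example, not code from the original page or from any vendor product, that runs each of those checks over a small set of constructed, NetFlow-like bidirectional flow records: egress bytes per internal host versus a historical baseline (exfiltration), distinct host:port targets per source (scanning), internal host:port pairs that answered clients but are absent from a known-server inventory (new servers), and half-open connection counts per destination (SYN-flood style volume activity). The `Flow` record layout, the `10.0.` internal prefix, the baseline figures, the thresholds and all addresses are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (constructed, NetFlow-like; field layout is an assumption)."""
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst
    bytes_in: int    # bytes returned from dst to src
    syn_only: bool   # TCP handshake never completed (SYN seen, no reply)


# Assumed inventory and per-host historical egress baseline (bytes per window).
KNOWN_SERVERS = {("10.0.0.5", 443), ("10.0.0.6", 25)}
BASELINE_EGRESS_BYTES = {"10.0.1.20": 2_000_000, "10.0.1.21": 1_500_000}


def is_internal(ip: str) -> bool:
    """Assumed internal address space for the example."""
    return ip.startswith("10.0.")


def detect_exfiltration(flows, baseline, factor=5.0, default_baseline=1_000_000):
    """Internal hosts whose egress to external destinations exceeds factor x their baseline."""
    egress = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            egress[f.src] += f.bytes_out
    return {h: b for h, b in egress.items() if b > factor * baseline.get(h, default_baseline)}


def detect_scans(flows, min_targets=20):
    """Sources that touched an unusually large number of distinct host:port pairs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def detect_new_servers(flows, known_servers):
    """Internal host:port pairs that answered a client but are not in the inventory."""
    return {(f.dst, f.dport) for f in flows
            if is_internal(f.dst) and f.bytes_in > 0 and (f.dst, f.dport) not in known_servers}


def detect_syn_flood(flows, max_half_open=25):
    """Destinations receiving many half-open connections within the window."""
    half_open = defaultdict(int)
    for f in flows:
        if f.syn_only:
            half_open[(f.dst, f.dport)] += 1
    return {d: n for d, n in half_open.items() if n >= max_half_open}


def build_sample_flows():
    """Constructed flow records mixing normal traffic with one instance of each use case."""
    flows = []
    for _ in range(5):  # ordinary web traffic to a known server
        flows.append(Flow("10.0.1.20", "10.0.0.5", 443, 4_000, 60_000, False))
    # 20 MB leaving the network from a host whose baseline is 1.5 MB
    flows.append(Flow("10.0.1.21", "203.0.113.10", 443, 20_000_000, 2_000, False))
    for port in range(1, 26):  # one host probing 25 distinct host:port pairs
        flows.append(Flow("10.0.1.30", f"10.0.0.{port}", port, 60, 0, True))
    # an internal service answering on a port that is not in the inventory
    flows.append(Flow("10.0.1.20", "10.0.0.9", 445, 1_500, 5_000, False))
    for i in range(30):  # 30 half-open connections to one destination
        flows.append(Flow(f"198.51.100.{i}", "10.0.0.5", 443, 60, 0, True))
    return flows


def run_detections(flows):
    """Run all four checks and return their findings keyed by use case."""
    return {
        "exfiltration": detect_exfiltration(flows, BASELINE_EGRESS_BYTES),
        "scans": detect_scans(flows),
        "new_servers": detect_new_servers(flows, KNOWN_SERVERS),
        "syn_flood": detect_syn_flood(flows),
    }


if __name__ == "__main__":
    for name, finding in run_detections(build_sample_flows()).items():
        print(f"{name}: {finding}")
```

In a real deployment the baseline, inventory and thresholds come from the analytics platform's learned history rather than constants, and each check would run per time window; the structure of the comparison is what the example is meant to show.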
What are the benefits of cyber security analytics?
Security analytics tools provide organizations with several key benefits:
- Speed the incident identification and investigation process, curbing the impact of cyber-attacks.
- Comprehensive alerting. The added context and threat intelligence of security analytics provides security analysts with wide-ranging information with which to act decisively.
- Detect zero-day threats, advanced threats, and recurring threats.
- Monitor insider threats as well as external ones. Not all bad guys are external actors. Insiders – employees, contractors, partners – are responsible for 50% of breaches, whether through deliberate acts or just negligence.