E-guide: Security Analysis & Analytics Tools Buyer's Guide

Your expert guide to security analysis and analytics tools

In this e-guide:
Introduction to security analytics tools in the enterprise
Three reasons to deploy security analytics software in the enterprise
Six criteria for procuring security analytics software
Comparing the top security analytics tools in the industry

Introduction to security analytics tools in the enterprise

Dan Sullivan

Expert Dan Sullivan explains how security analysis and analytics tools work, and how they provide enterprises with valuable information about impending attacks or threats.

Businesses are responding to the growing sophistication and number of information security threats by deploying tools that extend the capabilities of their current security infrastructures. For smaller companies, this means deploying deeper network defenses and endpoint protections. For large and midsize enterprises, however, it means deploying security analysis tools and analytics software to collect, filter, integrate and link diverse types of security event information in order to gain a more comprehensive view of the security of their infrastructure.

These types of security applications go beyond traditional security information and event management (SIEM) tools to incorporate additional data and apply more in-depth analysis. Consequently, they correlate events occurring on different platforms to detect suspicious patterns of activity that span multiple devices.

Page 1 of 36

Security analytics tools are not meant to replace existing security controls and applications, but rather complement them. In fact, security analytics tools analyze log and event data from applications, endpoint controls and network defenses.

The need for security analytics tools

The 2013 Data Breach Investigations Report from Verizon found that 84% of successful attacks on IT infrastructures compromised their targets within hours, while 74% of attacks were not discovered for weeks -- and sometimes months or years. One of the reasons it is so challenging to detect attacks is that they happen quickly. In addition, data indicating an attack is often dispersed across network devices, servers, application logs and endpoints.

This makes it difficult to analyze a breach in progress and even hinders the ability to assess its impact. Furthermore, according to a Ponemon Institute report, 55% of survey respondents that experienced a data loss could not identify for certain what data was stolen. Improving the speed of detection and analyzing the impact of an attack are key drivers to adopting security analysis and analytics.

How security analytics tools work

Security analytics tools help organizations implement real-time monitoring of servers, endpoints and network traffic, consolidate and coordinate diverse event data from application and network logs, and perform forensic analysis to better understand attack methods and system vulnerabilities. Taken together, these functions help security professionals assess how systems were compromised, which systems were affected and if an attack is still underway.

This is just a subset of the types of analyses used for predictive and prescriptive analytics. In addition, different vendors are likely to provide a variety of algorithms supporting each of the different methods.

Security analysis tools do this by providing several broad services to meet the needs of security professionals. These include continuous monitoring, malware detection, incident detection and data loss reporting.

If a security breach or threat is detected, security analytics software can help by collecting network, log and endpoint data. This enables timeline and session analysis that can shed light on how the breach occurred and what systems were affected.

Common analysis tool features

A number of features are common to security analytics software. These systems gather data from server and application logs, endpoint devices, network packets and NetFlows. In addition, they include advanced analytic capabilities with regard to packet and NetFlow analysis, as well as event correlation.

Expect to see analytic methods based on rules as well as on statistical or machine learning-derived analysis. A statistics-based method might detect anomalous behavior, such as higher-than-normal traffic between a server and a desktop, for example. This could indicate a suspicious data dump. In other cases, a machine learning-based classifier might detect patterns of traffic that have previously been seen with a particular piece of malware.

Security analytics tools also offer a single point of access to event data. The consolidated view is useful for implementing features -- such as timeline reconstruction and forensic analysis -- that support workflows for security analysts. They usually offer tools for compliance reporting, as well. And since visualization methods are almost always required for any complex analysis, expect to see those included in any security analytics product worth considering.
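The statistics-based anomaly detection described above, as an added example that is not part of the e-guide and not any vendor's code: it builds a per-host-pair baseline from constructed NetFlow-style records and flags a day whose server-to-desktop volume sits far above that baseline. The addresses, dates and byte counts are all constructed; the 3-sigma threshold, the five-day minimum history and the floor used for a flat baseline are assumptions.

```python
"""Per-pair traffic baseline with z-score anomaly scoring (added example).

The flow records are constructed for illustration; 10.0.0.5 stands in for a
file server and 10.0.1.42 for a desktop. Nothing here is real network data.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed NetFlow-style records: (day, src_ip, dst_ip, bytes).
# Six ordinary days of server-to-desktop traffic, then a day with a 2.1 GB
# pull split across two flows; the reverse direction stays small throughout.
FLOWS = [
    ("2015-01-05", "10.0.0.5", "10.0.1.42", 48 * MB),
    ("2015-01-06", "10.0.0.5", "10.0.1.42", 51 * MB),
    ("2015-01-07", "10.0.0.5", "10.0.1.42", 45 * MB),
    ("2015-01-08", "10.0.0.5", "10.0.1.42", 53 * MB),
    ("2015-01-09", "10.0.0.5", "10.0.1.42", 49 * MB),
    ("2015-01-10", "10.0.0.5", "10.0.1.42", 47 * MB),
    ("2015-01-11", "10.0.0.5", "10.0.1.42", 1500 * MB),
    ("2015-01-11", "10.0.0.5", "10.0.1.42", 600 * MB),
    ("2015-01-05", "10.0.1.42", "10.0.0.5", 2 * MB),
    ("2015-01-06", "10.0.1.42", "10.0.0.5", 3 * MB),
    ("2015-01-07", "10.0.1.42", "10.0.0.5", 2 * MB),
    ("2015-01-08", "10.0.1.42", "10.0.0.5", 4 * MB),
    ("2015-01-09", "10.0.1.42", "10.0.0.5", 3 * MB),
    ("2015-01-10", "10.0.1.42", "10.0.0.5", 2 * MB),
    ("2015-01-11", "10.0.1.42", "10.0.0.5", 3 * MB),
]


def daily_volume(flows):
    """Sum bytes per (src, dst, day) so several flows on one day become one total."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        totals[(src, dst, day)] += nbytes
    return totals


def pair_history(totals):
    """Group daily totals by (src, dst) pair as a day-ordered list of (day, bytes)."""
    history = defaultdict(list)
    for (src, dst, day), nbytes in sorted(totals.items(), key=lambda kv: kv[0][2]):
        history[(src, dst)].append((day, nbytes))
    return history


def anomalies(flows, threshold=3.0, min_history=5):
    """Flag a day whose volume exceeds mean + threshold * stdev of that pair's
    earlier days. Each day is scored only against the days before it, so a
    huge transfer cannot inflate the baseline it is being compared with."""
    findings = []
    for (src, dst), series in pair_history(daily_volume(flows)).items():
        for i in range(min_history, len(series)):
            baseline = [nbytes for _, nbytes in series[:i]]
            mu, sigma = mean(baseline), pstdev(baseline)
            if sigma == 0:
                # A perfectly flat baseline would make any change infinite;
                # assume a spread of 10% of the mean as the floor (assumption).
                sigma = max(mu * 0.1, 1.0)
            day, nbytes = series[i]
            score = (nbytes - mu) / sigma
            if score > threshold:
                findings.append({"src": src, "dst": dst, "day": day, "bytes": nbytes,
                                 "baseline_mean": mu, "zscore": round(score, 1)})
    return findings


if __name__ == "__main__":
    for f in anomalies(FLOWS):
        print(f"{f['day']} {f['src']} -> {f['dst']}: {f['bytes'] / MB:.0f} MB "
              f"(baseline {f['baseline_mean'] / MB:.1f} MB, z = {f['zscore']})")
```

Scoring each day only against the days before it is the point worth noticing: a baseline that includes the anomalous day itself would absorb the spike and hide it. A real deployment would also age out old days and score per hour rather than per day.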

One of the most important aspects of security analytics software is integrating data from different devices and applications, as a single data source may provide insufficient information to understand an attack. For example, a security analyst may need to synchronize network packet data with application log data and endpoint device data to get a comprehensive picture of the steps used to execute an attack.

Support for regulatory compliance is another common feature in security analytics tools, as it is important to be able to demonstrate that proper security controls are in place, functioning and -- most importantly -- being used to mitigate the risk of breaches.

Deploying analytics and analysis tools

Security analytics tools are deployed as software, virtual appliances or hardware appliances.

A dedicated hardware appliance is an appropriate choice for high-traffic networks. Vendors can tailor the hardware and software configuration to the demands of security analytics. These include the need to process large volumes of network traffic -- steadily receiving high volumes of log data -- and to apply computationally intensive analytic methods to that data.

Software and virtual appliances are options when security analytics tools are installed and deployed on existing company hardware that is sufficiently powerful to keep pace with the load. These options are well-suited to cases where organizations have the available server capacity to host a security analysis system, and are reasonably confident that they have the computational power in place to scale the deployment to meet any potential increases in load.

Evaluation and costs

When evaluating security analytics tools, it is important to consider not just their analytic capabilities, but scalability and availability as well. Companies must anticipate the need to scale these implementations as traffic increases. Also, consider the need for high availability. If the security analytics platform is down for even a short time, informative events in an attack may be missed.

Cost is also a factor. Hard costs will include software licensing, hardware and training. Security analytics tools collect and preprocess data, but human judgment is still required to interpret the data.

It would also be prudent to take advantage of training from vendors to get the most out of a security analysis tool and to learn best practices from more experienced practitioners. A few crucial tips on how to efficiently filter data or create an insightful visualization could be well worth the time spent in training.

Be sure to anticipate harder-to-quantify costs, such as learning how to perform forensic analysis with the new tools and configuring the tools to collect data from existing security applications.

The need for security analytics tools is growing

Security analytics tools are becoming important as automated security measures such as antimalware and vulnerability scanning are increasingly challenged by emerging threats. These applications complement, rather than replace, existing security controls, however.

The purpose of security analytics is to detect attacks as fast as possible, enable IT professionals to block or stop an attack and provide detailed information to reconstruct an attack. They do this by collecting, correlating and analyzing a wide range of data. These tools also provide analysis environments for forensic evaluations and attack reconstructions. That way companies can study the methods used and vulnerabilities exploited to breach their systems and address weaknesses. Support for regulatory compliance is another common feature.

Stay tuned for the next article in this series, which will examine the most common deployment scenarios and the types of companies that would benefit the most (and least) from the technology. It will also outline how IT departments can make the business case for implementing advanced security analytics to executive management.


Three reasons to deploy security analytics software in the enterprise

Dan Sullivan

Expert Dan Sullivan outlines three use case scenarios for security analytics tools and explains how they can benefit the enterprise.

If there were any doubts about the sophistication of today's cyberthreats, the 2014 attacks on Sony Corporation put them to rest. On November 22, 2014, attackers hacked the Sony network and left some employees with compromised computers displaying skulls on their screens, along with threats to expose information stolen from the company. Sony, by all accounts, was the subject of an advanced persistent threat attack using exploits that would have compromised the majority of security access controls.

The scope of the attack forced employees to work with pen, paper and fax machines, while others dealt with the repercussions of the release of embarrassing emails. The coverage around the Sony breach may rightly leave many organizations wondering if their networks are sufficiently protected and -- of particular interest here -- whether security analytics software and tools could help them avoid the fate of Sony.

The short answer is, yes. Just about any business or organization with a substantial number of devices -- including desktops, mobile devices, servers and routers -- can benefit from security analytics software.

It is important to collect as much useful data as possible to supply the security analytics tool with the raw data it needs to detect events and alert administrators. So before deploying a security analytics tool, it helps to understand how such a product will fit within an organization's other security controls and the gaps it will help fill in typical IT security use cases.

Compliance

Compliance is becoming a key driver of security requirements for more businesses. In addition to government and industry regulations, businesses are implementing their own security policies and procedures. To ensure these regulations, policies and procedures are implemented as intended, it is imperative to verify compliance. This is not a trivial endeavor.

Consider for a moment how many different security controls may be needed to implement a network security policy that is compliant with various regulations and security standards. For instance, antimalware systems might scan network traffic while endpoint antimalware operates on individual devices. Then there are firewalls, which are deployed with various configurations depending on the type of traffic allowed on the sub-network or server hosting the firewall. Identity management systems, Active Directory and LDAP servers, meanwhile, log significant events, such as login failures and changes in authorizations. In addition to these core security controls, an enterprise may have to collect application-specific information from other logs. For example, if a salesperson downloads an unusually large volume of data from the customer relationship management (CRM) system, the organization would want to know.

When companies have a small number of servers and a relatively simple network infrastructure, it may be possible to manually review logs. However, as the number of servers and the complexity of the network grow, it is more important to automate log processing.

System administrators routinely write shell scripts to process files and filter data. In theory, they should be able to write scripts in awk, Perl, Ruby or some other scripting language to collect logs, extract data and generate summaries and alerts. But how much time should system administrators invest in these tasks? If they write a basic script that works for a specific log, it may not easily generalize to other uses. If they want a more generalized script, it will likely take longer to write and thoroughly test. This presents significant opportunity costs for system administrators who could better spend their time on issues more closely linked to business operations.

This is not to imply that the functionality provided by these scripts is not important -- it is very important, especially when it comes to the kind of data required for compliance. The question is how to most efficiently and reliably collect log data, integrate multiple data sets and derive information that can help admins make decisions about how to proceed in the face of potentially adverse events.

Security analysis tools are designed to collect a wide variety of data types, but there is much more to security analytics than copying log files. Data from different applications and servers has to be integrated so organizations can view a unified timeline of events across devices, for example. In addition, these solutions include reporting tools that are designed to help admins focus on the most important data without being overwhelmed with less useful detail. So, in a nutshell, the economic incentive of security analytics vendors is to provide solutions that generalize and relieve customers of the burden of initial development and continued maintenance.

Security event detection and remediation

The term "connecting the dots" is often used in security and intelligence discussions as a metaphor for linking related -- but not obviously connected -- pieces of information. Security expert Bruce Schneier wrote a succinct post on why this is a poor metaphor: in real life the "dots" and their relation to each other are apparent only in hindsight; security analytics tools do not have mystical powers that allow them to discern forthcoming attacks or to "connect the dots" auto-magically.

A better metaphor is "finding needles in a haystack," where needles are significant security events and haystacks are logs, network packets and other data about the state of a network. Security analytics tools, at a minimum, should be able to alert organizations to significant events. These are defined by rules, such as a trigger that alerts the organization to failed login attempts to administrator accounts or when an FTP job is run on the database server outside of normal export schedules.

Single, isolated events often do not tell the whole story. Attacks can entail multiple steps, from sending phishing lures to downloading malware and probing the network. Data on these events could show up in multiple logs over an extended period of time. Consequently, finding correlated events can be very challenging, but it is something security analytics software can help with. It is important to emphasize that security analytics researchers have not perfected methods for detecting correlated events, however. Organizations will almost certainly get false positives and miss some true positives.

These tools can help reduce the time and effort required to collect, filter and analyze event data, though. Given the speed at which attacks can occur, any tool that reduces detection and remediation time should be welcomed.
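A worked version of the rule-based alerts and the cross-log correlation described in this section, and of the kind of log-summarising script the system administrator discussion above has in mind, added here as an example; it is not code from the e-guide or from any product. It parses constructed mail-gateway, proxy, authentication and job-scheduler log lines in three different formats, merges them into one unified timeline, applies the two rules named above (repeated failed logins to an administrator account; an FTP export job started outside its schedule) and links a phishing-attachment delivery, an executable download and failed administrator logins on one host into a single correlated finding. Hostnames, users, addresses, the 2015 year assumed for syslog lines and the 02:00-03:00 export window are all constructed assumptions.

```python
"""Unified timeline, rule-based alerts and cross-log correlation (added example).

Every log line is constructed for illustration; hosts, users and addresses
are placeholders. The syslog lines carry no year, so 2015 is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_LOG = """\
2015-01-12T08:02:11Z mailgw delivered rcpt=jdoe host=10.0.1.42 attachment=invoice.zip
2015-01-12T08:30:00Z mailgw delivered rcpt=asmith host=10.0.1.77 attachment=none
"""
PROXY_LOG = """\
2015-01-12T08:05:40Z proxy fetch user=jdoe host=10.0.1.42 url=http://files.example.test/update.exe
2015-01-12T09:10:02Z proxy fetch user=asmith host=10.0.1.77 url=http://news.example.test/
"""
AUTH_LOG = """\
Jan 12 08:09:03 dc01 auth: failed login user=administrator src=10.0.1.42
Jan 12 08:09:15 dc01 auth: failed login user=administrator src=10.0.1.42
Jan 12 08:09:31 dc01 auth: failed login user=administrator src=10.0.1.42
Jan 12 14:00:00 dc01 auth: failed login user=asmith src=10.0.1.77
"""
JOB_LOG = """\
2015-01-12 02:00:04 dbsrv job=ftp_export user=svc_backup status=started
2015-01-12 23:41:07 dbsrv job=ftp_export user=svc_backup status=started
"""

KV = re.compile(r"(\w+)=(\S+)")
ISO = "%Y-%m-%dT%H:%M:%SZ"
LOG_YEAR = 2015                       # assumed year for syslog lines
ADMIN_ACCOUNTS = {"administrator", "root"}
EXPORT_WINDOW = (2, 3)                # assumed schedule: ftp_export runs 02:00-03:00

def kv(text):
    return dict(KV.findall(text))

def parse_mail(line):
    ts, _, _, rest = line.split(" ", 3)
    f = kv(rest)
    action = "mail_delivered" if f["attachment"] == "none" else "attachment_delivered"
    return dict(ts=datetime.strptime(ts, ISO), source="mailgw", action=action,
                host=f["host"], user=f["rcpt"])

def parse_proxy(line):
    ts, _, _, rest = line.split(" ", 3)
    f = kv(rest)
    action = "download_executable" if f["url"].lower().endswith(".exe") else "web_request"
    return dict(ts=datetime.strptime(ts, ISO), source="proxy", action=action,
                host=f["host"], user=f["user"])

def parse_auth(line):
    # syslog-style: "Jan 12 08:09:03 dc01 auth: failed login user=... src=..."
    m = re.match(r"(\w{3} +\d+ [\d:]+) (\S+) auth: (failed|accepted) login (.*)", line)
    f = kv(m.group(4))
    return dict(ts=datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                source=m.group(2), action=f"{m.group(3)}_login", host=f["src"], user=f["user"])

def parse_job(line):
    date, time, server, rest = line.split(" ", 3)
    f = kv(rest)
    return dict(ts=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), source=server,
                action=f"{f['job']}_{f['status']}", host=server, user=f["user"])

def build_timeline():
    """Parse every source into one event shape and merge them in time order."""
    events = []
    for log, parser in ((MAIL_LOG, parse_mail), (PROXY_LOG, parse_proxy),
                        (AUTH_LOG, parse_auth), (JOB_LOG, parse_job)):
        events += [parser(line) for line in log.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])

def rule_failed_admin_logins(timeline, limit=3, window=timedelta(minutes=5)):
    """One alert per source host that produces `limit` failed admin logins within `window`."""
    attempts, alerts = defaultdict(list), []
    for ev in timeline:
        if ev["action"] == "failed_login" and ev["user"] in ADMIN_ACCOUNTS:
            attempts[ev["host"]].append(ev["ts"])
    for host, times in attempts.items():
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                alerts.append(("failed_admin_logins", host, times[i + limit - 1]))
                break
    return alerts

def rule_unscheduled_export(timeline):
    """Alert on an FTP export job that starts outside its scheduled hour."""
    lo, hi = EXPORT_WINDOW
    return [("unscheduled_ftp_export", ev["host"], ev["ts"]) for ev in timeline
            if ev["action"] == "ftp_export_started" and not lo <= ev["ts"].hour < hi]

def correlate_chain(timeline, window=timedelta(hours=1)):
    """Link attachment delivery -> executable download -> failed admin login on one
    host, in that order and within `window`. None of the steps is conclusive on
    its own; the ordered sequence across three logs is what marks the host."""
    steps = (lambda e: e["action"] == "attachment_delivered",
             lambda e: e["action"] == "download_executable",
             lambda e: e["action"] == "failed_login" and e["user"] in ADMIN_ACCOUNTS)
    per_host = defaultdict(list)
    for ev in timeline:
        per_host[ev["host"]].append(ev)
    chains = []
    for host, events in per_host.items():
        matched = []
        for ev in events:
            if steps[len(matched)](ev):
                if matched and ev["ts"] - matched[0]["ts"] > window:
                    break             # sequence took too long; treat as unrelated
                matched.append(ev)
                if len(matched) == len(steps):
                    chains.append((host, [e["ts"] for e in matched]))
                    break
    return chains

if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(ev["ts"].isoformat(), ev["source"], ev["action"], ev["host"], ev["user"])
    print(rule_failed_admin_logins(tl), rule_unscheduled_export(tl), correlate_chain(tl))
```

The normalisation step is where the value lies: once every source is reduced to the same (time, source, action, host, user) shape, the rules and the correlation are each a few lines, and adding a fifth log format is a new parser rather than a new script. The chain matcher is deliberately simple (first matching sequence per host, no restart after a timeout), which is exactly the kind of trade-off the text warns about: it will miss some true positives, and the rule thresholds will produce false positives that an analyst has to judge.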

Forensics

In some ways, computer forensics -- the discipline of collecting evidence in the aftermath of a crime or other event -- is the art of exploiting hindsight. Even in cases where attacks are successful and data is stolen or systems compromised, an enterprise may be able to learn how to block future attacks through forensics. For example, forensic analysis may reveal vulnerabilities in an organization's network or desktop security controls they did not know existed.

Security analytics tools are useful for forensic analysis because they collect data from multiple sources and can provide a history of events before an attack through the post-attack period. For example, an enterprise may be able to determine how an attacker initially penetrated its systems. Was it a
