The old adage ‘what you don’t know can’t hurt you’ could not be further from the truth when it comes to IT security. Using data to detect and respond to IT security threats is far from new. However, the growing number of endpoints and the increasing sophistication of cyber threats make this task more daunting than ever.
A large portion of information security effort within an organisation is focused on monitoring and analysing data from servers, networks and numerous devices.
However, the data deluge and sheer volume of cyber-attacks are making it challenging for security teams to get a complete and accurate view of the risks that their organisations are facing.
Typically, organisations employ security information and event management (SIEM) tools to help them get a better handle on aggregating and analysing logs and events within enterprise networks. As businesses seek to gain more insight into network traffic and user activity they are pushed to look for tools that can bring them deeper analytics they can use to enhance their security strategies.
The reality is that there is simply too much information to collect, organise and analyse, and traditional SIEM tools have limited capabilities to capture these data and work out what is relevant to enterprise security.
“SIEM solutions absorb machine data generated from your security devices, infrastructure, servers and clients and, based on these, run a set of rules or instructions on what is recognised as a security incident,” explains Nicolai Solling, CTO, Help AG. “This could be anything from an alert saying that a client was not able to update its Anti-Virus engine to a more serious alert indicating attack. However, the issue with SIEM is that many of its capabilities are based on events received from the deployed platforms. And, if the configuration is not done properly, security teams may miss out on very important events.”
Lushen Padayachi, head, BT Security, Middle East and Africa, says SIEM provides a holistic view of the organisation’s overall cybersecurity. “The main principle is to produce security information across platforms, making it easier to spot trends and prevent future cyber-attacks.”
He then explains that security data analytics, on the other hand, takes the approach one step further. “Security data analytics provide in-depth analysis to improve detection through collecting, storing and analysing huge amounts of security data from across the whole organisation and the wider security landscape in real-time,” he says.
Security data analytics solutions help enterprises detect and prioritise threats, formulate responses and iterate against potential attacks. While the solution seems an easy one, it is not a one-size-fits-all approach. Security teams should consider the type of monitoring that would be most appropriate and then select tools to match.
“There are many elements security teams need to consider,” says Solling. “You need to consider your platform and architecture in your network. Most data analytics platforms are based on receiving raw packet-captures from within the infrastructure and then applying some form of algorithm or even artificial intelligence to identify threats. This means the placement of the devices becomes extremely important.”
He adds that other solutions tend to base the learning on the flow of information, which can be created in multiple devices in the network such as firewalls, routers and even user switches and wireless access points. “Security analytics should be treated in three integrated sections,” he adds, “the capture of critical information from a large number of events generated by security devices such as firewalls like IPS; feeding this information to security controls; and finally learning from shortcomings to mitigate future threats. A comprehensive security analytics solution must, therefore, incorporate each of these segments to be of value to the organisation.”
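Solling’s description of a SIEM (collect machine data, normalise it, run rules that decide what counts as an incident, and feed the result back to a control) is easy to picture in code. The following is an added example written for this article, not code from Help AG, BT or any vendor named here. The log lines are constructed for the example, the rule thresholds are illustrative, and the ‘action’ field stands in for whatever the real security control would accept. It covers both points made above: the anti-virus update failure and the more serious attack alert from the first quote, and the capture / feed-to-controls / learn-from-gaps loop from the second. The last rule exists precisely for the configuration failure Solling warns about: a source whose format the parser does not recognise raises an alert of its own rather than silently disappearing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): syslog-style lines from four
# sources. The last line is from an "edr01" source that has NOT been
# onboarded, so no parser below understands it.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 fw01 FIREWALL action=deny src=203.0.113.5 dst=10.0.0.8 dport=22
2024-05-01T10:00:02 srv01 SSHD failed password for root from 203.0.113.5
2024-05-01T10:00:04 srv01 SSHD failed password for root from 203.0.113.5
2024-05-01T10:00:06 srv01 SSHD failed password for root from 203.0.113.5
2024-05-01T10:00:08 srv01 SSHD failed password for admin from 203.0.113.5
2024-05-01T10:00:09 srv01 SSHD failed password for admin from 203.0.113.5
2024-05-01T10:00:11 srv01 SSHD accepted password for admin from 203.0.113.5
2024-05-01T10:05:00 ws17 AV update failed: signature server unreachable
2024-05-01T10:06:00 ws17 AV update failed: signature server unreachable
2024-05-01T10:07:00 edr01 {"event":"process_injection","host":"ws17","pid":4242}
"""

# One parser per onboarded source (formats are assumed for the example).
# A line matching none of them is the mis-configuration case from the text.
_PARSERS = [
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) FIREWALL action=(?P<action>\w+) "
                r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"), "firewall"),
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) SSHD (?P<result>failed|accepted) "
                r"password for (?P<user>\S+) from (?P<src>\S+)$"), "ssh_auth"),
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) AV update failed: (?P<reason>.+)$"),
     "av_update_failed"),
]


def parse_event(line):
    """Normalise one raw line into a dict, or return None if no parser matches."""
    for pattern, kind in _PARSERS:
        m = pattern.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None


def rule_ssh_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source fails `threshold` SSH logins inside `window`.
    If the same source later succeeds, treat it as a likely credential
    compromise and escalate; either way hand an action to the firewall."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "ssh_auth":
            by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failed"]
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last["ts"] - first["ts"] <= window:
                success = any(e["result"] == "accepted" and e["ts"] > last["ts"] for e in evs)
                alerts.append({
                    "rule": "ssh_brute_force",
                    "severity": "critical" if success else "high",
                    "src": src,
                    "host": last["host"],
                    "action": f"firewall deny src={src}",  # feed back to a control
                })
                break  # one alert per source is enough
    return alerts


def rule_av_update_failed(events):
    """Low-severity hygiene alert, one per host, for AV engines that cannot update."""
    hosts = sorted({e["host"] for e in events if e["kind"] == "av_update_failed"})
    return [{"rule": "av_update_failed", "severity": "low", "host": h, "action": "ticket"}
            for h in hosts]


def rule_unparsed_sources(unparsed):
    """Surface lines no parser recognised, so a mis-onboarded source becomes
    a visible alert rather than a silent blind spot."""
    hosts = sorted({line.split()[1] for line in unparsed if len(line.split()) > 1})
    return [{"rule": "unparsed_source", "severity": "medium", "host": h,
             "action": "fix parser/onboarding"} for h in hosts]


def analyse(log_text):
    """Capture -> normalise -> rules -> alerts, over a block of raw log text."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return (rule_ssh_brute_force(events)
            + rule_av_update_failed(events)
            + rule_unparsed_sources(unparsed))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Running it on the sample produces three alerts: a critical brute-force alert for 203.0.113.5 (five failures in seven seconds followed by a success) with a firewall deny action, a low-severity AV update alert for ws17, and a medium alert that edr01 is sending events nobody is parsing. Delete the last rule and the EDR process-injection event vanishes without trace, which is the point Solling makes about configuration.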
More and more organisations are finding that, because security data analytics is still a maturing domain, they lack the workforce to run the processes it requires. Moreover, attacks are growing in complexity faster than organisations can hire and train the people needed to respond to them.
A key challenge faced by security teams is the bottleneck caused by too much work being loaded onto too few people. In many IT departments, a large portion of the security team’s time is spent on day-to-day activities rather than longer term strategies. This challenge is becoming even more acute due to a widespread shortage of people with the required security skills.
Much of the problem stems from the fact that, in many instances, security analysis is still a manual activity. Security teams gather information from a wide variety of sources and then use a series of manual tools to look for problems. For some teams, there are simply too many security alerts coming in to allow efficient and effective analysis of them all.
“One of the main concerns that organisations are facing is the talent shortage in the region,” says Padayachi. “Emerging technologies such as IoT, hybrid cloud, blockchain, security data analytics and more, require specialised training of individuals to ensure the effectiveness of these technologies. There are multiple solutions to this issue, among which is educating and training individuals in cybersecurity. Secondly, organisations should also consider automating a few of their security tools, as it eliminates the need for human intervention and provides fast reaction.”
In addition, Solling raises the issue that few, if any, end-user organisations have in-house IT teams that can deploy and manage security analytics. “This is why at Help AG, we have a dedicated Cyber Security Analysis division offering essential security services, which can be instrumental for uncovering security vulnerabilities that would otherwise go unnoticed,” he says.
Security analytics also plays a crucial role in helping business leaders understand the importance of investing in security, according to Arthur Dell, director, Technology Sales and Services, Citrix. “This is especially the case in an era where enterprises, looking to improve productivity, are rapidly adopting a variety of new paradigms such as bring your own device (BYOD), SaaS applications, and public clouds. The advent of such technology has brought with it a host of challenges. Tools like Citrix Analytics can be instrumental for organisations to access and analyse behaviour, application, data usage behaviour and network traffic behaviour including the ability to tap into encrypted traffic. If risky user activities are identified, granular policy controls can be employed to mitigate the threat or stop it entirely. When such benefits are communicated to senior executives clearly, the case for prioritising security technology becomes difficult for them to ignore, which in turn could lead to investment towards analytics for the sake of their company’s cyber hygiene.”