Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


What is Security Analytics? Guide for the Non-Analytical

Data Security

Security analytics is the practice of analyzing raw security data to discover preemptive and actionable security measures to increase cybersecurity. It’s not necessarily a particular technique, but certainly involves aggregating data from many possible sources: event logs from operating systems, firewalls, routers,  virus scanners,and more. And then combining or correlating them to produce a cleaner data set that can then be processed with appropriate algorithms.

Table of Contents

Security Analytics Defined and Explained

The hard part, of course, is finding within the proverbial data haystack  current active threats and then being able to zoom in to block or come up with an appropriate response. In order to do this right, the type of analysis and the particular events you focus on matter greatly.

That’s security analytics at the very high level.

Let’s talk about Security Information and Event Management or SIEM.  It’s really what I described at  above: processing event logs primarily from operating systems, networks devices, and other security tools, combining them together and then applying  basic statistical analytics so that the raw data can then can be interpreted by humans.

To get a sense of what it looks like dealing with low-level event logs, you can take a peek at Windows operating system events through the Windows Event Viewer (below) on your own laptops.

The nitty gritty of low-level Windows events. It ain’t pretty!

Within Event Viewer, you can scroll through thousands or even tens of thousands of system and security events — process startups, process terminations, account lockouts, PowerShell commands executed, etc. Now imagine what SIEM has to do: combining and then finding relationships between these operating system events, and the events captured from network devices and other security systems, and then making some sense out of it!

As a small example, suppose you wanted to detect the deletion of an important file. Perhaps this deletion, when correlated with other activity, may indicate an attack. To an IT person who is not familiar with SIEM, it would appear to be very simple to accomplish: just search the Windows event logs and look for a deletion event associated with that file.

Oh no! A Windows delete event (event id 4600) does not refer to the file path name being deleted!

Unfortunately, if you look at a Windows file delete event, it’s missing one critical piece of information: the file name!

How do you determine the file name associated with a Windows delete event?

SIEM vs. Security Analytics

This ain’t easy because this information is spread out across multiple log entries.  You’d have to correlate the delete event 4660 with another event, the “access object” event 4663. In practice, you’d create a search for matching on 4660 and 4663 events, and then combine information from both events to derive a more user-friendly log entry.

And by the way, turning on file auditing on Windows, in order to generate Windows file events like the ones capture above is especially resource intensive. There are, ahem, better solutions.

Even in this very simple example, you can see that SIEM is a complex, CPU-intensive process. As security analysts have also been pointing out, there are some fundamental limits to SIEM — at least the first generation of these products.

Security Analytics Use Cases

There are some very common use cases for security analytics, among the key ones are:

    • User Behavior Analytics (see below)
    • Detecting and classifying threats
    • Providing IT security with actionable information to reduce risk

Benefits of Security Analytics

Trying to find security incidents in raw event logs is inherently difficult, and SIEM tends towards too many inaccurate results.

This is where security analytics has major advantages over  SIEM: it’s far smarter about how it looks at the raw event data, as well showing the analytics in a far more useful way for IT to make better decisions.  This leads nicely to the next section on User Behavior Analytics.

What is User Behavior Analytics?

You can think of User Behavior Analytics or UBA as a more informed version of SIEM. Yes, like SIEM, it also relies on event logs. However UBA focuses on what the user is doing: apps launched, network activity, and, most critically files accessed (when the file or email was touched, who touched it, what was done with it and how frequently).

Organizing and collecting events on a user basis has a significant advantages over raw SIEM. Users have their own unique patterns of computer behaviors: certain  files accessed, or directories navigated. To find potential security incidents, UBA looks at the current event logs associated with each user, and then compare against a baseline history of what that user normally does.

So UBA is really SIEM with history and context, and it can find potential attacks whether the activities are coming from a hacker, insider, or even malware or even other processes.

If you’re thinking that some of the classification and prediction techniques of Big Data analysis — AI and machine learning — are appropriate for UBA, you’d be right. But whatever the exact method used, the analytics will establish a baseline from which it will be possible to predict what’s normal and what’s not.

To summarize, SIEM is a sensible approach for detecting attacks. But without context, actions based on SIEM-stats become less than reliable. We call these “false positives” when a SIEM system seems to indicate an alert when there isn’t. At some point, you end up continually chasing the same false leads, or, even worse, ignoring them all together — “dial-tone deaf”.

UBA reduces false positives by processing the event stream in terms of real human activities on computer systems, allowing its algorithms and rules to more accurately decide what’s unusual by comparing against a normalized base.

How to Visualize Security Analytics: Dashboards and Threat Models

UBA gives us cleaner data from which IT security staff should be able to make better decisions. But to make the data usable by humans, we need a visualization that an analysts  at a glance can see which users have been flagged for abnormal activities.

The top-level of the security dashboard. You can drill down and find more details about affected users and the threats they are under.

For example, for our own Varonis dashboard (above) we can easily see which users are under attack, the related devices, and then the threat models that are involved. Security analytics dashboards are multi-level GUIs, and  the a interface allows us to drill down and gather more information—say finding details on an alerted user by clicking on a user context card.

Obviously, a dashboard based on UBA is far more effective than working with the raw event logs!

This leads to a brief discussion of threat modeling, which is really a formal way of identifying and rating the potential threats and vulnerabilities. Mitre, MIT’s famed R&D lab, has a wonderful knowledge base of current threat models that’s worth your time.

The security analytics dashboard sits at the top of the event food chain. It’s the visual result of a processing chain that starts with UBA methods applied to raw events and ends with special algorithms, often based on machine learning, to find and categorize the data into various threat models. For example: unusual access to sensitive data, crypto activity detected, unusual user or group privilege changes, mass deletes, and more.

In fact, our own DatAlert product covers a wide range of threats models!  Want to learn more about how our own security analytics can help save you from looking at raw logs?  Sign up for a demo today!

Andy Green

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.