Security analytics is the practice of analyzing raw security data to discover preemptive and actionable security measures that improve an organization's cybersecurity. It is not a single technique. It involves aggregating data from many possible sources (event logs from operating systems, firewalls, routers, virus scanners, and more), then combining or correlating them into a cleaner data set that can be processed with appropriate algorithms.
Security Analytics Defined and Explained
The hard part, of course, is finding the currently active threats within the proverbial data haystack, and then being able to zoom in far enough to block them or mount an appropriate response. To do this well, the type of analysis you apply and the particular events you focus on matter greatly.
That’s security analytics at the very high level.
Let’s talk about Security Information and Event Management, or SIEM. It is really what I described above: collecting event logs, primarily from operating systems, network devices and other security tools, combining them, and then applying basic statistical analysis so that the raw data can be interpreted by humans.
To get a sense of what it looks like to deal with low-level event logs, take a peek at Windows operating system events through the Windows Event Viewer (below) on your own machine.
Within Event Viewer, you can scroll through thousands or even tens of thousands of system and security events — process startups, process terminations, account lockouts, PowerShell commands executed, etc. Now imagine what SIEM has to do: combining and then finding relationships between these operating system events, and the events captured from network devices and other security systems, and then making some sense out of it!
As a small example, suppose you wanted to detect the deletion of an important file. Perhaps this deletion, when correlated with other activity, may indicate an attack. To an IT person who is not familiar with SIEM, it would appear to be very simple to accomplish: just search the Windows event logs and look for a deletion event associated with that file.
Unfortunately, if you look at a Windows file delete event, it’s missing one critical piece of information: the file name!
How do you determine the file name associated with a Windows delete event?
SIEM vs. Security Analytics
This ain’t easy, because the information is spread across multiple log entries. Event 4660 (“An object was deleted”) records the subject, the Process ID and the Handle ID, but not the object name. The name lives in the earlier event 4663 (“An attempt was made to access an object”), written when that same handle was opened with the DELETE access right. In practice, you create a search that matches both 4660 and 4663 events, joins them on Handle ID and Process ID, and combines the fields into a single, more user-friendly log entry.
And by the way, turning on file auditing on Windows, in order to generate file events like the ones captured above, is especially resource intensive: you need both the Object Access / File System audit policy enabled and a SACL on every file or folder you care about, and every audited access then produces its own event. There are, ahem, better solutions.
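Here is the 4660/4663 join from the paragraphs above, written out as an added example (not code from the original article or from any SIEM product). The events are constructed to mirror the fields Windows Security auditing writes (Subject, Process ID, Handle ID, Object Name, Access Mask); on a real host they would come from Get-WinEvent or a log forwarder, and the field names used here are this example's own simplification.

```python
"""Recovering the file name behind a Windows 4660 (object deleted) event.

Added example, not code from the original article. The events below are
constructed; the dictionary field names are an assumption that mirrors the
XML fields of the real events rather than a parser for them.
"""

# Bit for the DELETE right in the Access Mask field of a 4663 event.
DELETE_RIGHT = 0x10000

# Constructed sample stream in log order. Note the 4660 events carry no file name.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessId": "0x1a4c",
     "HandleId": "0x3f8", "ObjectName": r"C:\Finance\Q3-forecast.xlsx",
     "AccessMask": 0x10000},                     # handle opened with DELETE
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessId": "0x1a4c",
     "HandleId": "0x41c", "ObjectName": r"C:\Finance\readme.txt",
     "AccessMask": 0x1},                         # ReadData only, never deleted
    {"EventID": 4660, "SubjectUserName": "alice", "ProcessId": "0x1a4c",
     "HandleId": "0x3f8"},                       # the deletion itself
    {"EventID": 4660, "SubjectUserName": "bob", "ProcessId": "0x9c0",
     "HandleId": "0x77"},                        # no matching 4663 was logged
]


def correlate_deletes(events):
    """Join each 4660 to the 4663 that named the handle being deleted.

    Handle IDs are per-process values and are reused once closed, so the
    cache key is (ProcessId, HandleId) and the entry is popped when the
    delete is seen. Unmatched 4660s are kept with file=None so that a gap
    in the audit trail is visible rather than silently dropped.
    """
    open_handles = {}
    deletions = []
    for ev in events:
        key = (ev["ProcessId"], ev["HandleId"])
        if ev["EventID"] == 4663:
            if ev["AccessMask"] & DELETE_RIGHT:      # only handles that can delete
                open_handles[key] = ev["ObjectName"]
        elif ev["EventID"] == 4660:
            deletions.append({
                "user": ev["SubjectUserName"],
                "process": ev["ProcessId"],
                "handle": ev["HandleId"],
                "file": open_handles.pop(key, None),
            })
    return deletions


def was_deleted(events, path):
    """Answer the article's question: who deleted this particular file?"""
    wanted = path.lower()
    return [d for d in correlate_deletes(events)
            if d["file"] is not None and d["file"].lower() == wanted]


if __name__ == "__main__":
    for d in correlate_deletes(SAMPLE_EVENTS):
        print(d)
    print(was_deleted(SAMPLE_EVENTS, r"C:\Finance\Q3-forecast.xlsx"))
```

Two things to carry over into a real search: key on Process ID as well as Handle ID, since handle values are only unique within a process and are reused; and keep the unmatched 4660 for bob, because a delete with no preceding 4663 usually means the object's SACL did not audit that access, which is exactly the auditing gap the paragraph above warns about.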
Even in this very simple example, you can see that SIEM is a complex, CPU-intensive process. As security analysts have also been pointing out, there are some fundamental limits to SIEM — at least the first generation of these products.
Security Analytics Use Cases
There are some very common use cases for security analytics, among the key ones are:
- User Behavior Analytics (see below)
- Detecting and classifying threats
- Providing IT security with actionable information to reduce risk
Benefits of Security Analytics
Trying to find security incidents in raw event logs is inherently difficult, and a rule-based SIEM tends to produce too many inaccurate results.
This is where security analytics has major advantages over SIEM: it is far smarter about how it looks at the raw event data, and it presents the results in a way that is far more useful for IT when making decisions. This leads nicely to the next section on User Behavior Analytics.
What is User Behavior Analytics?
You can think of User Behavior Analytics, or UBA, as a more informed version of SIEM. Yes, like SIEM, it relies on event logs. However, UBA focuses on what the user is doing: apps launched, network activity and, most critically, files accessed (when the file or email was touched, who touched it, what was done with it, and how frequently).
Organizing and collecting events on a per-user basis has significant advantages over raw SIEM. Users have their own unique patterns of computer behavior: certain files accessed, certain directories navigated. To find potential security incidents, UBA looks at the current events associated with each user and compares them against a baseline built from what that user normally does.
So UBA is really SIEM with history and context, and it can find potential attacks whether the activity comes from an external hacker, an insider, malware, or another process running under that user's account.
If you’re thinking that some of the classification and prediction techniques of Big Data analysis — AI and machine learning — are appropriate for UBA, you’d be right. But whatever the exact method used, the analytics will establish a baseline from which it will be possible to predict what’s normal and what’s not.
To summarize, SIEM is a sensible approach for detecting attacks. But without context, actions based on SIEM statistics become less than reliable. We call it a “false positive” when a SIEM raises an alert even though no attack is taking place. At some point, you end up continually chasing the same false leads or, even worse, ignoring the alerts altogether, which is how analysts go “dial-tone deaf”.
UBA reduces false positives by processing the event stream in terms of real human activities on computer systems, which lets its algorithms and rules decide more accurately what is unusual by comparing each user against that user's own baseline.
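The baseline-and-compare idea described in the last few paragraphs, as an added example (not code from the article or from any vendor product). It builds a per-user baseline of daily file-access volume and of the folders the user has ever touched, then scores one new day against it. The history and “today” streams are constructed, and the 3-sigma threshold, the 1.0 standard-deviation floor and the (user, day, path) field layout are this example's own choices.

```python
"""Per-user baseline and anomaly scoring over file-access events.

Added example, not code from the article. All users, hosts and shares are
constructed; thresholds are illustrative, not tuned values.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # flag when today's volume exceeds mean + 3 stdev
MIN_STDEV = 1.0     # floor: a perfectly regular history must not divide by zero


def unc(*parts):
    r"""Build a UNC path such as \\server\share\folder\file from components."""
    return "\\\\" + "\\".join(parts)


def folder_of(path):
    """Parent folder of a path; the baseline tracks folders, not single files."""
    return path.rsplit("\\", 1)[0]


def build_baselines(history):
    """history: iterable of (user, day, path) from past days.

    Returns {user: {"mean", "stdev", "folders"}} where mean/stdev describe the
    user's daily access volume and folders is every folder they have touched.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    folders = defaultdict(set)
    for user, day, path in history:
        per_day[user][day] += 1
        folders[user].add(folder_of(path))
    baselines = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baselines[user] = {
            "mean": mean(counts),
            "stdev": max(pstdev(counts), MIN_STDEV),
            "folders": folders[user],
        }
    return baselines


def score_user(baselines, user, paths):
    """Score one user's accesses for a single day against their baseline."""
    count = len(paths)
    todays_folders = {folder_of(p) for p in paths}
    base = baselines.get(user)
    if base is None:
        # No history means nothing to compare against; surface that rather
        # than silently treating an unknown account as normal.
        return {"user": user, "count": count, "z": None,
                "new_folders": sorted(todays_folders),
                "flagged": True, "reason": "no baseline for user"}
    z = (count - base["mean"]) / base["stdev"]
    new_folders = sorted(todays_folders - base["folders"])
    reasons = []
    if z > Z_THRESHOLD:
        reasons.append(f"{count} accesses is {z:.1f} stdev above mean {base['mean']:.1f}")
    if new_folders:
        reasons.append("first-ever access to " + ", ".join(new_folders))
    return {"user": user, "count": count, "z": z, "new_folders": new_folders,
            "flagged": bool(reasons), "reason": "; ".join(reasons)}


def analyze_day(history, todays_events):
    """Group one day's (user, day, path) events by user and score each user."""
    baselines = build_baselines(history)
    by_user = defaultdict(list)
    for user, _day, path in todays_events:
        by_user[user].append(path)
    return {u: score_user(baselines, u, p) for u, p in by_user.items()}


# Constructed ten-day history: alice handles about 21 finance files a day in
# two folders, bob five or six engineering specs.
HISTORY = []
for day in range(1, 11):
    for i in range(20 + day % 3):
        sub = "Reports" if i % 2 else "Budgets"
        HISTORY.append(("alice", day, unc("fs01", "Finance", sub, f"file-{i}.xlsx")))
    for i in range(5 + day % 2):
        HISTORY.append(("bob", day, unc("fs01", "Eng", "Specs", f"spec-{i}.md")))

# Constructed day 11: alice touches 400 files and wanders into HR (mass access
# plus a new location), bob looks normal, carol has never been seen before.
TODAY = (
    [("alice", 11, unc("fs01", "Finance", "Reports", f"file-{i}.xlsx")) for i in range(380)]
    + [("alice", 11, unc("fs01", "HR", "Payroll", f"payroll-{i}.csv")) for i in range(20)]
    + [("bob", 11, unc("fs01", "Eng", "Specs", f"spec-{i}.md")) for i in range(6)]
    + [("carol", 11, unc("fs01", "Finance", "Budgets", "fy.xlsx"))]
)

if __name__ == "__main__":
    for result in analyze_day(HISTORY, TODAY).values():
        print(result)
```

The same raw events would trip a volume rule in a SIEM only if someone had guessed a global threshold; here bob's six accesses and alice's four hundred are judged against each person's own history, which is what keeps the bob-style days from becoming false positives. A production scoring function would weight the “first-ever folder” signal rather than alert on it outright, and would need more history than ten days before a standard deviation means much.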
How to Visualize Security Analytics: Dashboards and Threat Models
UBA gives us cleaner data from which IT security staff should be able to make better decisions. But to make that data usable by humans, we need a visualization in which an analyst can see at a glance which users have been flagged for abnormal activity.
For example, in our own Varonis dashboard (above) we can easily see which users are under attack, the related devices, and the threat models involved. Security analytics dashboards are multi-level GUIs, and the interface lets us drill down to gather more information, say by clicking a user context card to see the details behind an alerted user.
Obviously, a dashboard based on UBA is far more effective than working with the raw event logs!
This leads to a brief discussion of threat modeling, which is really a formal way of identifying, rating and prioritizing the potential threats to a system and the vulnerabilities they exploit. MITRE, the not-for-profit that operates several federally funded R&D centers, maintains the ATT&CK knowledge base of adversary tactics and techniques, and it is well worth your time.
The security analytics dashboard sits at the top of the event food chain. It’s the visual result of a processing chain that starts with UBA methods applied to raw events and ends with special algorithms, often based on machine learning, to find and categorize the data into various threat models. For example: unusual access to sensitive data, crypto activity detected, unusual user or group privilege changes, mass deletes, and more.