The Need for More Data in Security Operations
The increasing reliance on big data has created a broader scope for hackers to exploit. But it has also created opportunities for cybersecurity professionals to identify threats.
Recent ESG research found that survey respondents want to use more data for security operations, driving the need for scalable, high-performance, cloud-based back-end data repositories.
The research found that 80% of organizations use more than 10 data sources as part of security operations to detect malicious activities, believing the most important to be: endpoint security data, threat intelligence feeds, security device logs, cloud security data, and network flow logs.
While these are all valuable in their own right, they can also be difficult to collect, store, analyze, and correlate across multiple systems. Big data analytics has made it possible for organizations to combine multiple sources of information into one unified view of an event or incident.
Though there have been advances, many security tools still lack the ability to integrate, especially if they come from multiple vendors. This makes sharing information harder and highlights the need for better integration between telemetry sources and analysis tools.
Challenges with Big Data
There is no shortage of hype surrounding big data. Many companies are already reaping the benefits of big data and applying it to improve their operations. Big data is often described as “dense,” meaning that it contains a lot of information and is hard to analyze. While this makes it easier to collect, it also challenges organizations to figure out what information is relevant and how to apply it.
The same goes for cybersecurity threats. There is a lot of buzz about the potential of big data to help identify attackers, but the reality is that it doesn’t simply work that way. Big data also provides a way for attackers to hide within vast amounts of information. They can exploit this to avoid detection and even change their identity multiple times before unleashing a cyber attack.
Using Data for Cybersecurity
Even though data is the most appetizing and easily accessible target for attackers, that doesn’t mean you shouldn’t collect and analyze it. Data analysis can provide insights into how attackers target your organization for a cyber attack and what they might do next.
According to the ESG Research, SOC teams collect, process, and analyze a variety of security telemetry to help them determine detection weaknesses where custom rules are needed. Security teams customize vendor rule sets to meet their needs and develop custom rules to detect threats targeting their industry or organization.
Data Visualization & Analytics
Big data analytics allows an organization to visualize attacks, detect anomalies, and discover relationships between different data sets.
Machine Learning & Predictive Modeling
Machine learning helps identify potential threats and behavior patterns by analyzing the data collected during the attack and comparing it with patterns we know about. We can even build predictive models based on our experience to detect similar attacks in the future.
Security Controls Automation
Artificial intelligence can help quickly automate threat intelligence to security controls to protect against security breaches. For example, machine learning could help identify activities related to a particular type of event and block access to those actions or events.
The Need to Understand the Attacker
Threat actors use three main attack vectors: social engineering, malware, and brute force. Social engineering occurs when someone attempts to trick another person into disclosing confidential information or giving up control over their system. Malware is software designed to harm a computer, such as by installing spyware or stealing personal data. Brute force involves trying every possible combination of letters, numbers, and symbols until a valid password is found.
To defend against these threats, organizations must understand the tactics, techniques, and procedures (TTPs) used by attackers. In addition, they must understand how attackers think and behave and use that knowledge to develop effective countermeasures.
Attackers are constantly changing and growing more sophisticated. It will be harder to defend your organization if you don’t understand their motivations.
Mitigating Risk with Data
Big data analytics isn’t just about detecting attacks. It can also help organizations mitigate risk by automating the security response to many types of attacks. For instance, a predictive model can scan thousands of files daily, looking for known vulnerabilities and alerting administrators when a vulnerability is found. Automation makes it possible to scale up the number of scans to hundreds of thousands per week without requiring additional resources.
Becoming Proactive
Cybersecurity is no longer just about preventing an attack; it’s about detecting an attack, mitigating damage, and responding quickly to reduce future threats. This approach requires organizations to change how they think about cybersecurity and adopt a proactive and resilient mindset.
The traditional concept of cyber defense is based on a defensive model where security teams are responsible for stopping attackers. Organizations today cannot afford such a static approach to defense strategies because there are too many ways for attackers to penetrate systems and cause harm.
This shift to a proactive and resilient mindset separates a cyber-resilient organization from others. A resilient enterprise can detect, respond to, and recover from cyber-attacks within minutes rather than hours or days. In addition, a resilient enterprise proactively monitors its attack surface and network infrastructure, looking for suspicious behavior that could indicate an impending threat.
XDR Solutions Emerging
The Internet of Things, cloud computing, social media, and mobile devices are a few factors driving vast amounts of data growth. Many organizations struggle to make sense of all the data they collect. They lack the skills to analyze the information and find insights that could help them better understand the threats they’re facing.
Security teams are facing a significant challenge due to the increasing network traffic volume and modern threats’ rising complexity. Traditional SIEMs cannot cope with today’s massive volumes of log data and cannot provide timely analysis of events occurring across the entire enterprise.
Extended detection and response (XDR) solutions have emerged to meet the need for a big data solution that helps organizations better detect and respond to threats. XDR solutions use data lakes to collect, store, and correlate telemetry from key XDR components and relevant data sources. This enables the collection and storage of vast amounts of information, including logs, system activity, network packets, etc., and data analysis within seconds to minutes.
Big data collection enables an effective XDR solution to draw conclusions from all available telemetry instead of the siloed data that SIEMs collect. It also yields a more extensive curated library of threat data from multiple sources than is possible when a SIEM collects only network logs.
XDR solutions use advanced machine learning and automation to let organizations focus on relevant threats and respond quickly, addressing the challenges SOC teams have with SIEM and SOAR platforms. An effective XDR solution will use out-of-the-box automation and machine learning to minimize false positives, surface relevant threats, and improve organizational efficiency.
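The ideas in this section and earlier on the page (combining multiple sources into one unified view of an incident, customizing detection rules, and correlating telemetry across silos) in working code, as an added example that is not Anomali's code and follows no product's schema. Three constructed log silos (an SSH auth log, endpoint-agent JSON lines, and a flow CSV) are normalized to one event schema; a custom rule flags a burst of failed logins followed by a success from the same peer; and every event from any source touching the affected host or peer is assembled into one incident timeline. The field names, the thresholds, the asset map, and all log lines are assumptions made for the example.

```python
"""Added example (not Anomali's code): normalize telemetry from three silos,
apply one custom detection rule, and build a unified incident timeline.
All log lines, field names and thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io
import json
import re

# --- constructed sample telemetry, one block per silo -------------------------
AUTH_LOG = """\
2024-03-01T10:00:01Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 5011
2024-03-01T10:00:03Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 5012
2024-03-01T10:00:05Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 5013
2024-03-01T10:00:07Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 5014
2024-03-01T10:00:09Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 5015
2024-03-01T10:00:12Z web01 sshd[812]: Accepted password for admin from 203.0.113.7 port 5016
2024-03-01T10:05:00Z db02 sshd[900]: Failed password for bob from 198.51.100.4 port 6001
"""
EDR_LOG = """\
{"ts": "2024-03-01T10:00:40Z", "host": "web01", "event": "process_start", "image": "/usr/bin/curl", "user": "admin"}
{"ts": "2024-03-01T10:30:00Z", "host": "web01", "event": "process_start", "image": "/usr/bin/vim", "user": "ops"}
"""
FLOW_CSV = """\
ts,src,dst,dst_port,bytes
2024-03-01T10:00:41Z,10.0.0.5,203.0.113.7,443,50120
2024-03-01T10:31:00Z,10.0.0.5,192.0.2.10,443,2040
"""
ASSETS = {"10.0.0.5": "web01"}  # constructed asset inventory: IP -> host name

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Common schema: ts, source, host, actor, peer_ip (remote party), action, detail.
def normalize_auth(text):
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "auth", "host": m["host"],
                           "actor": m["user"], "peer_ip": m["src"], "detail": "",
                           "action": "login_failed" if m["result"] == "Failed" else "login_ok"})
    return events


def normalize_edr(text):
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        events.append({"ts": parse_ts(rec["ts"]), "source": "edr", "host": rec["host"],
                       "actor": rec["user"], "peer_ip": None, "action": rec["event"],
                       "detail": rec["image"]})
    return events


def normalize_flows(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({"ts": parse_ts(row["ts"]), "source": "netflow",
                       "host": ASSETS.get(row["src"], row["src"]), "actor": None,
                       "peer_ip": row["dst"], "action": "outbound_flow",
                       "detail": f"{row['dst']}:{row['dst_port']} {row['bytes']}B"})
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """Custom rule: at least `threshold` failed logins from one peer to one host
    within `window`, followed by a successful login from that peer."""
    hits, by_key = [], defaultdict(list)
    for e in events:
        if e["source"] == "auth":
            by_key[(e["host"], e["peer_ip"])].append(e)
    for (host, peer), evs in by_key.items():
        failures = []
        for e in sorted(evs, key=lambda x: x["ts"]):
            if e["action"] == "login_failed":
                failures.append(e["ts"])
                failures = [t for t in failures if e["ts"] - t <= window]  # sliding window
            elif (e["action"] == "login_ok" and len(failures) >= threshold
                  and e["ts"] - failures[-1] <= window):
                hits.append({"host": host, "peer_ip": peer, "user": e["actor"],
                             "failed_count": len(failures),
                             "first_failure_ts": failures[0], "success_ts": e["ts"]})
                failures = []
    return hits


def build_incident(events, hit, follow=timedelta(minutes=5)):
    """Unified view: every event from any silo on the affected host or involving
    the attacking peer, from the first failure until `follow` after the success."""
    start, end = hit["first_failure_ts"], hit["success_ts"] + follow
    timeline = sorted((e for e in events if start <= e["ts"] <= end
                       and (e["host"] == hit["host"] or e["peer_ip"] == hit["peer_ip"])),
                      key=lambda e: e["ts"])
    return {**hit, "sources": sorted({e["source"] for e in timeline}), "timeline": timeline}


def run():
    events = normalize_auth(AUTH_LOG) + normalize_edr(EDR_LOG) + normalize_flows(FLOW_CSV)
    return [build_incident(events, h) for h in detect_bruteforce_then_success(events)]


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['host']} <- {inc['peer_ip']}: {inc['failed_count']} failures, "
              f"then success as {inc['user']}")
        for e in inc["timeline"]:
            print(f"  {e['ts'].isoformat()} [{e['source']}] {e['action']} {e['detail']}")
```

Run as a script it prints one incident for web01: the login burst from the auth log, the process start from the endpoint agent, and the outbound flow back to the same peer, in time order and tagged with the silo each came from. The single failure against db02 never reaches the threshold and produces nothing, which is the false-positive control the rule's threshold and window provide.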
Visualizing Attack Patterns
The biggest challenge facing most organizations is correlating historical information with a specific incident and determining whether the two are related. This is where big data analytics comes into play. By leveraging machine learning, organizations can detect attack patterns and predict future events. For example, a predictive model could tell you that a specific type of malware is likely to hit your network within the next 24 hours. Or perhaps it predicts that your organization is vulnerable to a targeted attack based on previous trends in similar situations.
Using MITRE ATT&CK to Better Understand Adversaries
The ATT&CK Framework is one of the most widely adopted frameworks for analyzing malicious behavior and helping security professionals understand how attackers operate.
Blocking or identifying attacks based on their techniques is essential, but understanding what these techniques do and how they work is just as important. By doing this, we can identify potential weaknesses in our environments and improve them accordingly.
Understanding why attackers behave the way they do helps you identify the risks associated with their actions and what mitigation measures are needed to reduce the likelihood of successful attacks.
The ATT&CK Framework provides an extensive understanding of attacks and their methods to prioritize investigations and remediation activities.
Anomali and Big Data
Today’s threats evolve quickly, targeting specific vulnerabilities to exploit known weaknesses. Organizations must move from a reactive approach to a more proactive one. Data collection is just one aspect of the larger process. After collecting all the information, you need to develop a plan for analyzing and processing it.
The Anomali Platform helps address the need for a big data solution.
Anchored by big data management and refined by artificial intelligence, the Anomali Platform delivers unique proprietary capabilities that correlate the largest repository of global intelligence with telemetry from customer-deployed security solutions. This combination empowers security operations teams to detect threats with precision, optimize response, achieve resiliency, and ultimately stop attackers and breaches.
Download the SOC Modernization and the Role of XDR ebook from ESG Research to learn more about what security teams are looking for.