E-guide
Security Analysis & Analytics Tools Buyer’s Guide: your expert guide to security analysis and analytics tools
Page 1 of 36
In this e-guide
Introduction to security analytics
tools in the enterprise
Three reasons to deploy
security analytics software in
the enterprise
Six criteria for procuring security
analytics software
Comparing the top security
analytics tools in the industry
E-guide
Introduction to security analytics tools in the enterprise
Dan Sullivan
Expert Dan Sullivan explains how security analysis and analytics
tools work, and how they provide enterprises with valuable
information about impending attacks or threats.
Businesses are responding to the growing sophistication and number of
information security threats by deploying tools that extend the capabilities of
their current security infrastructures. For smaller companies, this means
deploying deeper network defenses and endpoint protections. For large and
midsize enterprises, however, it means deploying security analysis tools and
analytics software to collect, filter, integrate and link diverse types of security
event information in order to gain a more comprehensive view of the security of
their infrastructure.
These types of security applications go beyond traditional security information
and event management (SIEM) tools to incorporate additional data and apply
more in-depth analysis. Consequently, they correlate events occurring on
different platforms to detect suspicious patterns of activity that span multiple
devices.
Security analytics tools are not meant to replace existing security controls and
applications, but rather complement them. In fact, security analytics tools
analyze log and event data from applications, endpoint controls and network
defenses.
The need for security analytics tools
The 2013 Data Breach Investigations Report from Verizon found that 84% of
successful attacks on IT infrastructures compromised their targets within hours,
while 74% of attacks were not discovered for weeks -- and sometimes months
or years. One of the reasons it is so challenging to detect attacks is they happen
quickly. In addition, data indicating an attack is often dispersed across network
devices, servers, application logs and endpoints.
This makes it difficult to analyze a breach in progress and even hinders the
ability to assess its impact. Furthermore, according to a Ponemon Institute
report, 55% of survey respondents who experienced a data loss could not
identify for certain what data was stolen. Improving the speed of detection and
analyzing the impact of an attack are key drivers to adopting security analysis
and analytics.
How security analytics tools work
Security analytics tools help organizations implement real-time monitoring of
servers, endpoints and network traffic, consolidate and coordinate diverse event
data from application and network logs, and perform forensic analysis to better
understand attack methods and system vulnerabilities. Taken together, these
functions help security professionals assess how systems were compromised,
which systems were affected and if an attack is still underway.
This is just a subset of the types of analyses used for predictive and prescriptive
analytics. In addition, different vendors are likely to provide a variety of
algorithms supporting each of the different methods.
Security analysis tools do this by providing several broad services to meet the
needs of security professionals. These include continuous monitoring, malware
detection, incident detection and data loss reporting.
If a security breach or threat is detected, security analytics software can help by
collecting network, log and endpoint data. This enables timeline and session
analysis that can shed light on how the breach occurred and what systems were
affected.
Common analysis tool features
A number of features are common to security analytics software. These
systems gather data from server and application logs, endpoint devices,
network packets and NetFlows. In addition, they include advanced analytic
capabilities with regards to the packet and NetFlow analysis, as well as event
correlation.
Expect to see analytic methods based on rules as well as on statistical or
machine learning-derived analysis. A statistics-based method might detect
anomalous behavior, such as higher-than-normal traffic between a server and a
desktop, which could indicate a suspicious data dump. In other cases, a
machine learning-based classifier might detect patterns of traffic that have
previously been seen with a particular piece of malware.
Security analytics tools also offer a single point of access to event data. The
consolidated view is useful for implementing features -- such as timeline
reconstruction and forensic analysis -- that support workflows for security
analysts. They usually offer tools for compliance reporting, as well. And since
visualization methods are almost always required for any complex analysis,
expect to see those included in any security analytics product worth
considering.
One of the most important aspects of security analytics software is integrating
data from different devices and applications, as a single data source may
provide insufficient information to understand an attack. For example, a security
analyst may need to synchronize network packet data with application log data
and endpoint device data to get a comprehensive picture of the steps used to
execute an attack.
Support for regulatory compliance is another common feature in security
analytics tools, as it is important to be able to demonstrate that proper security
controls are in place, functioning and -- most importantly -- being used to
mitigate the risk of breaches.
Deploying analytics and analysis tools
Security analytics tools are deployed as software, virtual appliances or
hardware appliances.
A dedicated hardware appliance is an appropriate choice for high-traffic
networks. Vendors can tailor the hardware and software configuration to the
demands of security analytics. These include the need to process large volumes
of network traffic -- steadily receiving high volumes of log data -- and to apply
computationally intensive analytic methods to that data.
Software and virtual appliances are options when security analytics tools are
installed and deployed on existing company hardware that is powerful enough to
keep pace with the load. These options are well suited to cases where
organizations have the available server capacity to host a security analysis
system and are reasonably confident that they have the computational power in
place to scale the deployment to meet any potential increases in load.
Evaluation and costs
When evaluating security analytics tools, it is important to consider not just their
analytic capabilities, but scalability and availability as well. Companies must
anticipate the need to scale these implementations as traffic increases. Also,
consider the need for high availability. If the security analytics platform is down
for even a short time, informative events in an attack may be missed.
Cost is also a factor. Hard costs will include software licensing, hardware and
training. Security analytics tools collect and preprocess data, but human
judgment is still required to interpret the data.
It would also be prudent to take advantage of training from vendors to get the
most out of a security analysis tool and to learn best practices from more
experienced practitioners. A few crucial tips on how to efficiently filter data or
create an insightful visualization could be well worth the time spent in training.
Be sure to anticipate harder-to-quantify costs, such as learning how to perform
forensic analysis with the new tools and configuring the tools to collect data
from existing security applications.
The need for security analytics tools is growing
Security analytics tools are becoming important as automated security
measures such as antimalware and vulnerability scanning are becoming
increasingly challenged by emerging threats. These applications complement,
they do not replace, existing security controls, however.
The purpose of security analytics is to detect attacks as fast as possible, enable
IT professionals to block or stop an attack and provide detailed information to
reconstruct an attack. They do this by collecting, correlating and analyzing a
wide range of data. These tools also provide analysis environments for forensic
evaluations and attack reconstructions. That way companies can study the
methods used and vulnerabilities exploited to breach their systems and address
weaknesses. Support for regulatory compliance is another common feature.
Stay tuned for the next article in this series, which will examine the most
common deployment scenarios and the types of companies that would benefit
the most (and least) from the technology. It will also outline how IT departments
can make the business case for implementing advanced security analytics to
executive management.
Three reasons to deploy security analytics software in the enterprise
Dan Sullivan
Expert Dan Sullivan outlines three use case scenarios for security
analytics tools and explains how they can benefit the enterprise.
If there were any doubts about the sophistication of today's cyberthreats, the
2014 attacks on Sony Corporation put them to rest. On November 22, 2014,
attackers hacked the Sony network and left some employees with compromised
computers displaying skulls on their screens, along with threats to expose
information stolen from the company. Sony, by all accounts, was the subject of
an advanced persistent threat attack using exploits that would have
compromised the majority of security access controls.
The scope of the attack forced employees to work with pen, paper and fax
machines, while others dealt with the repercussions of the release of
embarrassing emails. The coverage around the Sony breach may rightly leave
many organizations wondering if their networks are sufficiently protected and --
of particular interest here -- whether security analytics software and tools could
help them avoid the fate of Sony.
The short answer is, yes. Just about any business or organization with a
substantial number of devices -- including desktops, mobile devices, servers
and routers -- can benefit from security analytics software.
It is important to collect as much useful data as possible to supply the security
analytics tool with the raw data it needs to detect events and alert
administrators. So before deploying a security analytics tool, it helps to
understand how such a product will fit within an organization's other security
controls and the gaps it will help fill in typical IT security use cases.
Compliance
Compliance is becoming a key driver of security requirements for more
businesses. In addition to government and industry regulations, businesses are
implementing their own security policies and procedures. To ensure these
regulations, policies and procedures are implemented as intended, it is
imperative to verify compliance. This is not a trivial endeavor.
Consider for a moment how many different security controls may be needed to
implement a network security policy that is compliant with various regulations
and security standards. For instance, antimalware systems might scan network
traffic while endpoint antimalware operates on individual devices. Then there
are firewalls, which are deployed with various configurations depending on the
type of traffic allowed on the sub-network or server hosting the firewall. Identity
management systems, Active Directory and LDAP servers, meanwhile, log
significant events, such as login failures and changes in authorizations. In
addition to these core security controls, an enterprise may have to collect
application-specific information from other logs. For example, if a salesperson
downloads an unusually large volume of data from the customer relationship
management (CRM) system, the organization would want to know.
When companies have a small number of servers and a relatively simple
network infrastructure, it may be possible to manually review logs. However, as
the number of servers and complexity of the network grows, it is more important
to automate log processing.
System administrators routinely write shell scripts to process files and filter data.
In theory, they should be able to write scripts in awk, Perl, Ruby or some other
scripting language to collect logs, extract data and generate summaries and
alerts. But how much time should system administrators invest in these tasks?
If they write a basic script that works for a specific log, it may not easily
generalize to other uses. If they want a more generalized script, it will likely take
longer to write and thoroughly test. This presents significant opportunity costs
for system administrators who could better spend their time on issues more
closely linked to business operations.
This is not to imply that the functionality provided by these scripts is not
important -- it is very important, especially when it comes to the kind of data
required for compliance. The question is how to most efficiently and reliably
collect log data, integrate multiple data sets and derive information that can help
admins make decisions about how to proceed in the face of potentially adverse
events.
Security analysis tools are designed to collect a wide variety of data types, but
there is much more to security analytics than copying log files. Data from
different applications and servers has to be integrated so organizations can
view a unified timeline of events across devices, for example. In addition, these
solutions include reporting tools that are designed to help admins focus on the
most important data without being overwhelmed with less useful detail. So, in a
nutshell, the economic incentive of security analytics vendors is to provide
solutions that generalize and relieve customers of the burden of initial
development and continued maintenance.
Security event detection and remediation
The term "connecting the dots" is often used in security and intelligence
discussions as a metaphor for linking related -- but not obviously connected --
pieces of information. Security expert Bruce Schneier wrote a succinct post on
why this is a poor metaphor: In real life the "dots" and their relation to each
other are apparent only in hindsight; security analytics tools do not have mystical
powers that allow them to discern forthcoming attacks or to "connect the dots"
auto-magically.
A better metaphor is "finding needles in a haystack," where the needles are
significant security events and the haystacks are logs, network packets and other
data about the state of a network. Security analytics tools, at a minimum, should
be able to alert organizations to significant events. These are defined by rules,
such as a trigger that alerts the organization to failed login attempts against
administrator accounts or to an FTP job run on the database server outside of
normal export schedules.
Single, isolated events often do not tell the whole story. Attacks can entail
multiple steps, from sending phishing lures to downloading malware and
probing the network. Data on these events could show up in multiple logs over
an extended period of time. Consequently, finding correlated events can be very
challenging, but it is something security analytics software can help with. It is
important to emphasize that security analytics researchers have not perfected
methods for detecting correlated events, however. Organizations will almost
certainly get false positives and miss some true positives.
These tools can help reduce the time and effort required to collect, filter and
analyze event data, though. Given the speed at which attacks can occur, any
tool that reduces detection and remediation time should be welcomed.
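As an added illustration (not part of the e-guide and not any vendor's product), the following Python sketch applies the two kinds of analytic method described above, fixed rules and a statistical baseline, to constructed log data, then correlates the resulting alerts across sources into one incident. All hosts, thresholds, schedules and log lines are made up for the example.

```python
"""Toy security-analytics pass over constructed log data (not a vendor product):
rule-based alerts, a statistical anomaly check and cross-source correlation."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# --- Constructed sample events: (timestamp, source, host, kind, detail) ---
EVENTS = [
    ("2015-03-02T09:00:05", "auth", "ws-17", "login_failed", "admin"),
    ("2015-03-02T09:00:09", "auth", "ws-17", "login_failed", "admin"),
    ("2015-03-02T09:00:14", "auth", "ws-17", "login_failed", "admin"),
    ("2015-03-02T09:00:21", "auth", "ws-17", "login_ok", "admin"),
    ("2015-03-02T02:00:00", "proc", "db-01", "job_start", "ftp"),  # scheduled export
    ("2015-03-02T09:12:00", "proc", "db-01", "job_start", "ftp"),  # off schedule
]
# Constructed hourly byte counts for the db-01 <-> ws-17 pair: a day of baseline,
# then two new observations, one ordinary and one roughly 20x the norm.
BASELINE = [45_000_000 + (h % 7) * 1_500_000 for h in range(24)]
OBSERVED = [("2015-03-02T08:00:00", 52_000_000), ("2015-03-02T09:00:00", 910_000_000)]

ADMIN_ACCOUNTS = {"admin", "root"}
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
EXPORT_WINDOW = (1, 3)      # FTP exports on database servers are scheduled 01:00-03:00
DB_HOSTS = {"db-01"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


# Alerts are (time, frozenset_of_hosts, rule_name) so correlation can join on hosts.
def rule_failed_admin_logins(events):
    """Rule: >= THRESHOLD failed logins to an admin account from one host inside the window."""
    alerts, per_host = [], defaultdict(list)
    for ts, src, host, kind, detail in events:
        if src == "auth" and kind == "login_failed" and detail in ADMIN_ACCOUNTS:
            per_host[host].append(parse(ts))
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            last = times[i + FAILED_LOGIN_THRESHOLD - 1]
            if last - times[i] <= FAILED_LOGIN_WINDOW:
                alerts.append((last, frozenset({host}), "failed_admin_logins"))
                break   # one alert per host per burst is enough for the analyst
    return alerts


def rule_offschedule_ftp(events):
    """Rule: an FTP job starts on a database server outside the scheduled export window."""
    alerts = []
    for ts, src, host, kind, detail in events:
        t = parse(ts)
        if src == "proc" and host in DB_HOSTS and kind == "job_start" and detail == "ftp":
            if not EXPORT_WINDOW[0] <= t.hour < EXPORT_WINDOW[1]:
                alerts.append((t, frozenset({host}), "offschedule_ftp"))
    return alerts


def stat_anomalous_transfer(baseline, observed, hosts, z_threshold=4.0):
    """Statistics: flag an hourly byte count far above the pair's baseline (z-score).
    The threshold is a trade-off: lower it and false positives rise, raise it and
    smaller data dumps are missed, which is the imperfection the guide warns about."""
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return [(parse(ts), frozenset(hosts), "anomalous_transfer")
            for ts, nbytes in observed if (nbytes - mean) / sd > z_threshold]


def correlate(alerts, window=timedelta(minutes=15)):
    """Join alerts that share a host and fall within `window` of each other into incidents."""
    incidents = []
    for t, hosts, rule in sorted(alerts, key=lambda a: a[0]):
        for inc in incidents:
            if hosts & inc["hosts"] and t - inc["last"] <= window:
                inc["hosts"] |= hosts
                inc["rules"].append(rule)
                inc["last"] = t
                break
        else:
            incidents.append({"hosts": set(hosts), "first": t, "last": t, "rules": [rule]})
    return incidents


def run():
    """Collect alerts from every method, then correlate them into incidents."""
    alerts = (rule_failed_admin_logins(EVENTS) + rule_offschedule_ftp(EVENTS)
              + stat_anomalous_transfer(BASELINE, OBSERVED, {"db-01", "ws-17"}))
    return correlate(alerts)


if __name__ == "__main__":
    for inc in run():
        print(sorted(inc["hosts"]), inc["first"], "->", inc["last"], inc["rules"])
```

On the constructed data the three separate findings (a burst of failed admin logins on ws-17, an oversized transfer between db-01 and ws-17, and an unscheduled FTP job on db-01) collapse into a single incident spanning both hosts, which is the cross-device view the guide describes.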
Forensics
In some ways, computer forensics -- the discipline of collecting evidence in the
aftermath of a crime or other event -- is the art of exploiting hindsight. Even in
cases where attacks are successful and data is stolen or systems
compromised, an enterprise may be able to learn how to block future attacks
through forensics. For example, forensic analysis may reveal vulnerabilities in
an organization’s network or desktop security controls they did not know
existed.
Security analytics tools are useful for forensic analysis because they collect
data from multiple sources and can provide a history of events before an attack
through the post-attack period. For example, an enterprise may be able to
determine how an attacker initially penetrated its systems. Was it a drive-by
download from a compromised website? Did an executive fall for a spear
phishing lure and open a malicious email attachment? Did the attacker use an
injection attack against one of its Web applications?
If an organization is the victim of a cybercrime, security analytics tools can help
mitigate the risk of falling victim to other variants of the same type of exploit
in the future.
The need for incident response planning
In addition to the use cases outlined above, it is important to emphasize the
need for incident response planning. Security analytics may help an enterprise
identify a breach, but it cannot tell the enterprise how to respond -- that is the
role of an incident response plan. Any organization contemplating a security
analytics application should consider how it will use the information the
platform provides. Its security practice should include an incident response
plan, which is a description of how to assess the scope of a breach and what to
do in response to an attack.
A response plan typically includes information on how to:
Make a preliminary assessment of the breach;
Communicate details of the breach to appropriate executives, application
owners, data owners, etc.;
Isolate compromised devices to limit damage;
Collect forensic data for evidence and post-response analysis;
Perform recovery operations, such as restoring applications and data
from backups; and
Document the incident.
Security analytics tools help detect breaches and collect data, but it is important
to have a response plan in place prior to detecting incidents. Enterprises do not
want to make up their response plan as they are responding to an incident.
There is too much potential for error, miscommunication and loss of evidence to
risk an ad hoc response to a security breach.
Deploying security analytics software
For organizations that decide to proceed with a security analytics deployment,
there are several recommended steps to follow, including: identifying operations
that will benefit from security analytics (e.g. compliance activities);
understanding the specific tasks within these operations, such as Web filtering
and traffic inspection; determining how the security analytics tool will be
deployed given their network architectures; and identifying systems that will
provide raw data to the security analytics tool. These topics will be discussed in
further detail in the next article in this series.
Six criteria for procuring security analytics software
Dan Sullivan
Security analytics software can be beneficial to enterprises. Expert
Dan Sullivan explains how to select the right product to fit your
organization's needs.
Security analytics software analyzes log and event data from applications,
endpoint controls and network defenses to assist organizations in improving
their security posture. These tools help enterprises better understand attack
methods and system vulnerabilities in order to thwart attacks before they
happen, as well as see which systems have been affected if an attack is underway.
Enterprises have a wide range of options available to them when choosing
security analytics software or products, which can make the decision confusing
for organizations. Different products, for example, emphasize different key
characteristics, such as deployment options, range of analysis and cost. The
first step to selecting security analytics tools is to understand your organization's
priorities.
Obviously, cost is a concern to virtually all enterprises. Other considerations will
vary from one organization to another, and may include:
Deploying security analytics software on virtual machines versus dedicated
appliances;
Expecting volumes of network traffic to grow substantially in the near future;
Possible weaknesses in compliance practices; and
The ability to perform root cause analysis and detailed forensic analysis in
the event of a breach.
As organizations assess their priorities for security analytics software, it can
help to keep in mind several criteria for evaluating it. This article outlines the
following features to assist in evaluating the merits of different products:
Deployment models
Modularity
Scope of analysis (types of threats)
Depth of analysis (network layers)
Forensic support
Monitoring, reporting and visualization
Consider the relative importance of each of these features. For example, if an
organization's security team feels overwhelmed with data, it must pay particular
attention to monitoring, reporting and visualization, as well as scalability. The
chosen system will need to ingest potentially large volumes of data (scalability)
and then distill it down to a form that conveys key information to security
professionals (monitoring, reporting and visualization). However, an
organization that already has adequate coverage for some threats may look to
emphasize modularity. This will reduce costs by avoiding redundant capabilities
within a security infrastructure.
Security analytics software deployment
Security analytics tools are deployed as appliances or virtual machines, or are
installed as software on a dedicated server.
Appliances combine hardware and software in a single product. This allows
system administrators to add a device to the network, perform necessary
configuration and start collecting data. Appliances minimize the system
configuration work for customers. Small businesses or IT departments with
limited resources may be particularly interested in an appliance. Also, vendors
can apply lessons learned and best practices for configuring their systems,
enabling more rapid deployments and potentially fewer support calls during
installation.
A virtual machine implementation allows customers to utilize existing capacity in
a virtualized environment. This may be a good option for small and midsize
businesses or remote offices. As the volume of data grows, system
administrators can dedicate additional CPU and RAM resources to
accommodate additional loads. A virtual machine implementation will entail
more administrative overhead than an appliance, but consider that relative to
the benefits of using existing hardware.
The installed software option gives system administrators the most flexibility
with regards to deploying a security analytics tool. Applications can be installed
on dedicated servers or in virtual machine environments. Additionally,
containers might be used to standardize a configuration that is deployed to
multiple remote offices. Containers can provide some of the advantages of a
virtualized environment without the need for a hypervisor, potentially reducing
system management overhead.
Modularity
Security analytics software may encompass a wide range of services, from
analyzing low-level network traffic to higher-level application protocols. Some
enterprises may tailor analytics tools for particular applications, however -- such
as email -- and therefore don't need additional email capabilities in a security
analytics tool. Large security platforms often offer modular security options for
specific areas, such as Web-, email- and file-based threats. The ability to
choose only the functionality an organization needs can help control costs,
another key evaluation criterion.
Scope of analysis (types of threats)
Threats are constantly evolving. Malware that pushed the envelope of malicious
capabilities several years ago is now commonplace and probably readily
accessible to a wide range of cybercriminals. Security analytics software
requires the ability to analyze multiple types of malicious activity, as well as
patterns of combined activities.
Malicious activities range from something as simple as probing for open ports on
a firewall to sending subtle spear phishing lures to executives. Advanced
persistent threats (APTs) employ multiple techniques to gain access to data,
applications and network resources. An APT may start with a successful
download of remote control software from a compromised website. The attacker
then moves on to explore the network, infect other vulnerable machines and
collect intelligence about users and applications.
Buyers should consider the types of data analyzed by security analytics tools.
Can the tool detect anomalous network traffic from a client device that is probing
other devices and collecting network topology information? Can it correlate
related events, such as a visit to a potentially compromised website followed by
unusual patterns of network communication? Does the security analytics
software have capabilities to analyze application logs, server logs and alerts
generated by other security devices?
Also consider the need for timely security data. Some vendors maintain global
intelligence networks that constantly collect and analyze data about malicious
activities. These can act as early warning tools and help identify emerging
threats.
Threat analysis is challenging. There will likely be false positives. Organizations
with limited security analytics capabilities should carefully evaluate the scope of
analytics they can effectively use.
A closely related topic to scope of analysis is depth of analysis.
Depth of analysis (network layers)
The Open Systems Interconnection (OSI) model describes seven network layers,
from the low-level physical and data link layers to the upper presentation and
application layers. Security analytics tools that can collect and analyze data
from the data link layer up to the application layer have substantial depth of
analysis capabilities.
Application-level analysis is particularly important for detecting malicious activity
that escapes detection at lower layers. For example, an injection attack from an
unknown IP address might be blocked by servers that accept incoming
connections only from known devices. If, however, the injection attack originates
from a trusted but compromised device, those lower-layer network controls
will not block the attack.
A security analytics tool that analyzes application-layer protocols may be able to
identify suspicious activity or malformed communications between servers and
trusted devices.
Forensic support
While the goal of security analytics is to prevent breaches, there will be times
when enterprise infrastructure is compromised. At that point, it is important to
implement an incident response plan, which will require forensic support.
This includes capabilities such as identifying devices involved in a compromise,
replaying network traffic to determine how devices and security measures were
compromised, and correlating data from multiple sources and across the time
span of the attack.
Many of the tools and reporting techniques used in forensic analysis are useful
for ongoing monitoring.
Monitoring, reporting and visualization
A key reason to deploy a security analytics software platform is to have a single
point of access to security data from across the enterprise. Simply collecting
data is not enough: data must be integrated and correlated, events must be
identified and assessed, suspicious events must be reported and monitoring
tools should filter out inconsequential events.
Analysts need summarized data to understand network and device activity at a
high level, but they also require detailed data about suspicious events. These
needs are met by the monitoring, reporting and visualization tools of a security
analytics platform.
Security analytics software: What to consider
Consider the six key factors when assessing security analytics products:
deployment models, modularity, scope of analysis, depth of analysis, forensic
support, and monitoring, reporting and visualization.
Companies looking for basic security analytics with minimal overhead should
consider appliances and evaluate options based on the quality of reporting and
on whether the scope of analysis is appropriate for them. In cases where the ability to learn from breaches
is a top concern, carefully consider forensic features. If the security analytics
system will be an integral part of day-to-day management, be sure to assess
reporting and visualization capabilities.
Some features will likely provide more benefit than others and it is important to
understand the relative importance of each of these features to your
organization, especially when cost considerations are taken into account.
In our next feature, we will apply the lessons learned and evaluation criteria
outlined in this article to the products, tools and solutions available from the top
security analytics vendors on the market today.
Comparing the top security analytics tools in the industry
Dan Sullivan
Expert Dan Sullivan examines the top security analytics products to
help readers determine which may be best for their organization.
Security analytics tools gather, filter, integrate and link diverse kinds of security
event data in order to gain a more all-inclusive view of the security of an
organization's infrastructure. Just about any organization with an extensive
number of devices -- from desktops to mobile devices to servers and routers,
etc. -- can benefit from security analytics.
The security analytics market is changing rapidly, however. Vendors are
merging, developers are adding new capabilities, and tools once deployed
exclusively on-premises are now offered as cloud services as well. And, in spite
of all these rapid changes, businesses are still facing fairly constant
requirements, such as the ability to analyze logs, correlate events and generate
alerts. This fourth and final feature in our series on procuring and buying
security analytics tools considers the major offerings on the market and offers
advice on choosing an appropriate product for your needs.
There is no single taxonomy of security analytics use cases that best organizes
all requirements, but common requirements patterns include:
Basic security analytics with minimal overhead
Large enterprise use cases
Focus on advanced persistent threats
Focus on forensics
An ensemble of security tools and services
These categories emphasize varying needs for key security analytics features,
such as deployment models, modularity, scope and depth of analysis, forensics,
and monitoring, reporting and visualization. Several products are discussed,
including Blue Coat Security Analytics Platform, Lancope Stealth Watch
System, Juniper Networks JSA Series Secure Analytics, EMC RSA Security
Analytics NetWitness, FireEye Threat Analytics Platform, Arbor Networks
Security Analytics, Click Security Click Commander and Sumo Logics' cloud
service.
Basic security analytics with minimal overhead
Small and midsize organizations are often tempting targets for attackers. They
may not have as much valuable data as larger enterprises, but they often
present fewer obstacles to a successful attack. Companies that are subject to
industry regulation, such as Payment Card Industry Data Security Standard
(PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA)
compliance, must have security controls in place to protect personally
identifiable information and, in the case of HIPAA, protected health information.
Security analytics tools can help mitigate the risk of data breaches and other
attacks, but they should meet several criteria to fit the constraints of small and
midsize businesses.
Deployment models should minimize administrative overhead, for example.
Appliances and cloud services typically meet these criteria, but virtual machine
deployments may also offer low overhead implementations.
Sumo Logic's cloud service is a good example of a service targeted to small and
midsize organizations. The log analytics service offers a single point of
management dashboard for monitoring applications, servers and network
resources. Since it is a cloud service, there is no hardware or software to install
and maintain. The service includes pre-defined reports, so it is well-suited to
businesses that need to generate compliance reports, especially for PCI DSS,
HIPAA, Federal Information Security Management Act (FISMA), Sarbanes-
Oxley Act (SOX), ISO and COBIT. Meanwhile, machine learning algorithms are
used for event detection, eliminating the need for hand crafting rules. And
multidimensional key performance indicators (KPIs) are tracked in the
management dashboard.
Like other cloud services, Sumo Logic's pricing is based on the number of users
and the volume of data analyzed.
Small and midsize companies that prefer to run their security analytics software
on-premises should consider Blue Coat Security Analytics Platform. It is
available as a virtual machine or pre-configured appliance. Blue Coat's platform
has a modular structure that allows customers to select components they need,
which are delivered as modules known as blades.
Large enterprise use cases
At the other end of the organization-size spectrum are large enterprises that
have to consider scalability, depth and scope of analysis, forensics and
monitoring of a security analytics platform. Low management overhead would
no doubt be appreciated, but that is a secondary consideration. Comprehensive,
high-performance analytics is the priority.
Juniper Networks JSA Series Secure Analytics is available in several models
that scale to global enterprise levels of demand. The JSA 5800 appliance, for
example, is designed for midsize and larger enterprises, while the JSA 7500 is
suited for global enterprises. Smaller enterprises that expect substantial growth
can start with the JSA 3800 or the JSA Virtual Appliance, and grow into the
larger appliances in the future. If an organization opts for the virtual appliance, it
will need a server running VMware ESX 5.0 or 5.1 with 4 CPUs and 12 GB of RAM.
The EMC RSA Security Analytics NetWitness platform comprises two sets of
modules: one providing infrastructure support and the other providing analytics
services. Modules are deployed in varying configurations to meet different
traffic-level and analysis requirements.
The RSA Security Analytics Decoder is one of the infrastructure components.
The decoder is a network appliance designed to collect packet and log data in
real time. It includes support for a wide range of log types. Multiple decoders
can be deployed across a network to ensure scalability and availability. The
RSA Security Analytics Concentrator is another infrastructure component that
aggregates data from decoders. Security analysts and administrators use the
RSA Security Analytics Broker/Analytic Server to query data collected by
decoders and aggregated by concentrators.
The RSA Security Analytics distributed platform is well-suited for large
networks. Infrastructure components may be added as network traffic or log
volumes grow. Like other distributed systems, it can be more complicated to
manage and configure, however. Organizations should therefore plan to invest
in sufficient system administration support to monitor and maintain the security
analytics platform.
The analytics components of the RSA platform provide for real-time analysis of
network, log and endpoint data to detect events. An archiver is also available to
store and report on security data collected over time.
Focus on advanced persistent threats
Organization size is just one dimension for categorizing security analytics use
cases. Sometimes it is more appropriate to consider the most important features
an organization expects to use. For example, if a business already has good
endpoint protections and data collection capabilities, it might want to focus on
detecting advanced persistent threats. Security analytics with an emphasis on
scope and depth of analysis and support for forensics are well-suited for this
use case.
Arbor Pravail Security Analytics employs multiple techniques to detect
advanced threats in real time. This security analytics platform uses full-packet
capture to collect large volumes of raw data that help identify the presence of
multiple attack vectors in use against your organization. Network traffic data is
stored and re-analyzed as new data comes in. For example, if a new type of
threat is detected by the vendor's intelligence surveillance, new detection
techniques can be developed and deployed. These techniques can then
analyze old data to determine if an attack is underway.
Some attackers will compromise a network and then cease activity for weeks.
This period of "going dark" may work in the attacker's favor, because
minimal malicious activity is harder to detect than ongoing attacks that
generate recognizable patterns. By keeping historical traffic data and
scanning it for signs of earlier attack activity, organizations can mitigate some of the
advantage attackers gain by going dark for periods of time.
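The retrospective analysis described in the two paragraphs above, re-scanning stored traffic once new detection knowledge arrives, is easy to show concretely. The following is an added example written for this guide and not the code of Arbor or any other vendor: the archived flow records, the indicator received from a threat feed, and the 14-day "dormant" threshold are all constructed. The scan also checks whether a host's earlier contacts were evenly spaced, since regular beaconing from a host that has since gone quiet is exactly the "went dark" case the text warns about.

```python
"""Retrospective scan of archived flow records against newly received indicators.

Added example; not the guide's or any vendor's code. The archive, the
indicator feed and the dormancy threshold are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed archive of outbound flow records:
# (timestamp, internal source, destination, destination port, bytes out)
ARCHIVE = [
    ("2015-01-05T02:14:00", "10.2.0.17", "203.0.113.45", 443, 1200),
    ("2015-01-05T02:44:00", "10.2.0.17", "203.0.113.45", 443, 1180),
    ("2015-01-05T03:14:00", "10.2.0.17", "203.0.113.45", 443, 1210),
    ("2015-01-06T11:00:00", "10.2.0.17", "198.51.100.9", 443, 54000),  # ordinary site
    ("2015-02-20T09:30:00", "10.2.0.88", "203.0.113.45", 443, 900),
    ("2015-02-21T14:02:00", "10.2.0.88", "203.0.113.45", 443, 910),
    ("2015-03-01T08:00:00", "10.2.0.51", "192.0.2.77", 80, 3000),
]

# Constructed indicator received from an intelligence feed on 2015-03-02,
# weeks after the first contacts in the archive took place.
NEW_INDICATORS = {"203.0.113.45"}
FEED_DATE = "2015-03-02T00:00:00"


def _is_periodic(times, tolerance=0.2):
    """True when three or more contacts are spaced at roughly equal intervals,
    which is characteristic of automated check-ins rather than user browsing."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


def retro_scan(archive, indicators, now, dormant_after=timedelta(days=14)):
    """Return one finding per (internal host, indicator) pair found in the archive.

    Each finding records when the contacts happened, how many there were,
    whether they looked periodic, and whether the host has since gone quiet
    for longer than `dormant_after` relative to `now` (the feed arrival time).
    """
    now_dt = datetime.fromisoformat(now)
    per_pair = {}
    for ts, src, dst, _dport, _nbytes in sorted(archive):  # ISO timestamps sort lexically
        if dst in indicators:
            per_pair.setdefault((src, dst), []).append(datetime.fromisoformat(ts))

    findings = []
    for (src, dst), times in per_pair.items():
        gap = now_dt - times[-1]
        findings.append({
            "host": src,
            "indicator": dst,
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "contacts": len(times),
            "periodic": _is_periodic(times),
            "days_since_last": gap.days,
            "dormant": gap >= dormant_after,
        })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in retro_scan(ARCHIVE, NEW_INDICATORS, FEED_DATE):
        print(finding)
```

Against the constructed archive the scan surfaces two hosts. 10.2.0.17 checked in three times at half-hour intervals in early January and has been silent for 55 days: periodic and dormant, so it is the higher-priority investigation even though nothing recent points at it. 10.2.0.88 has two irregular contacts within the last fortnight and is reported as active. Without the archive, the January activity would be invisible by the time the indicator arrived.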
In addition to analyzing historical data, analyzing the flow of traffic is also a key
method for discovering advanced persistent threats. Lancope Stealth Watch
System uses flow records about network events to detect the stages of
advanced attacks. The Lancope system includes a data aggregator that
consolidates disparate data into a single, analyzable source of network and
device event data. A console provides up-to-date data and alerts on significant
events in the course of an advanced attack.
Click Security's Click Commander is well-suited for analyzing the behaviors of
malicious attackers, profiling activities at different stages of the kill chain, and
issuing alerts and other custom notifications. This tool includes visualization
tools to create graphs of activities while providing actor profiles and contextual
data for analyzing events depicted in the graphs.
Focus on forensics
There is some overlap in use cases that focus on advanced persistent threats
and those that focus on forensics. Both the Arbor Pravail Security Analytics and
the Lancope Stealth Watch System are well-suited to forensic-oriented use
cases. In addition, other systems that collect and integrate data and provide
comprehensive query and analysis capabilities can meet the need for forensic
support.
The Blue Coat Security Analytics platform, for example, is well-integrated with
security tools such as firewalls, data loss prevention, intrusion detection
systems/intrusion prevention systems and malware scanners. It is also
integrated with data generating or data delivering devices and tools, such as
those from Dell, HP, McAfee, Palo Alto Networks and Splunk.
Ensemble of security tools and services
For those organizations that need to mix and match existing security controls
with a new security analytics platform, the best product may be one that allows
them to deploy a system that plugs functional gaps in their security system. In
this case, vendors that offer modularized features may be a good fit.
The Blue Coat Security Analytics Platform, for example, allows customers to
integrate different modules, or blades, as needed. The platform's variety of
deployment models -- including both appliances and virtual machines -- enables
customers to deploy a security analytics tool with the right functionality and level
of scalability that is called for.
If security analytics reporting is a top priority, consider Sumo Logic if its
predefined compliance reports fit your needs. EMC RSA Security Analytics
NetWitness should be considered by organizations that need long-term
archiving of their security data.
Conclusions
Security analytics tools address common problems: how to use available data
about events on a company's infrastructure to identify threats and attacks,
analyze the methods of attack, and alert systems administrators and application
owners when malicious activity is in progress. Organizations of any size are
potential targets.
Small businesses might think they are immune to sophisticated hackers, but
they aren't. They may have highly valued customers, such as Global 2000
companies, large government agencies or others that are the ultimate target of
an attacker. Security analytics is not the first line of defense for large or small
organizations, but it is an increasingly important one.
IT professionals responsible for recommending, evaluating and purchasing a
security analytics platform should carefully assess their needs with respect to
existing security controls and applications. If an organization has tools deployed
to meet some security analytics requirements, it might not want to spend more
for duplicate functionality. On the other hand, if there is any area of IT where
redundant functionality is welcome, it is security.
Security analytics tools offer a variety of capabilities. Some, like Sumo Logic's
cloud-based service, are designed for small and midsize companies that want
broad security coverage with minimal overhead.
Larger enterprises will need to limit their consideration to systems that scale to
high volumes of traffic and can collect data from national or global networks.
Offerings from Juniper Networks and EMC RSA fall into this category.
In cases where advanced persistent threat detection and forensics are top
priorities, consider tools that offer real-time analysis of network flows. Some
vendors offer modular components in their security analytics platforms, and these
may be especially useful for filling gaps in otherwise broad security coverage.
About the author
Dan Sullivan, M.Sc., is an author, systems architect, and consultant with over
20 years of IT experience with engagements in advanced analytics, systems
architecture, database design, enterprise security and business intelligence. He
has worked in a broad range of industries, including financial services,
manufacturing, pharmaceuticals, software development, government, retail, gas
and oil production, power generation, life sciences, and education. Dan is a
series editor and author with Realtime Publishers, a leading provider of expert,
third-party content for the IT industry. Dan has written extensively about topics
ranging from data warehousing, cloud computing and advanced analytics to
security management, collaboration, and text mining. He has written sixteen
books as well as numerous articles and custom white papers.