As Threat Actors have become more sophisticated and developed better evasion techniques, Auditing/Monitoring has become a huge and complex topic area. So, we break this operational need out into more specific capability areas, each discussed in a separate article:
Of course, simply collecting and aggregating huge volumes of monitoring data, streaming in from sensors, is no guarantee that the Security Operations team will be able to actually detect malicious activity in the environment. Finding the proverbially “needle in a haystack” is tough enough, even without adversaries skillfully covering their tracks or possibly leaving intentionally deceptive evidence behind to misguide your forensics. This is where a range of Detection Analytics capabilities needs to be considered.
The simplest forms of capability in this category are basic tools like vulnerability auditing or security information & event management (SIEM). While not strictly “analytics” capabilities, these are the fundamental building blocks of “detection” required to minimally demonstrate "due diligence" and comply with most policies and regulations.
Building on these capabilities, more advanced security analytics capabilities have been evolving for at least a few decades – starting with simple tools like log analyzers, evolving through generations of “signature-based” anti-virus/anti-malware and intrusion detection systems (IDS), and arriving at moderately advanced statistical analytics and "anomaly-based" detection performed on the centralized “big data” collections described in an earlier article.
[sidebar] A good repository of examples for such detection analytics is MITRE's "Cyber Analytics Repository". The "CAR" is a very practical, continuously evolving knowledgebase of analytics based on MITRE's "ATT&CK" adversary model, and Lockheed Martin's Cyber Kill Chain®.
This article barely scratches the surface of the need for Detection Analytics capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Detection Analytics capabilities to support your own Security Operations efforts.
While useful at detecting familiar, “commodity” types of phenomena ("incidents"), most adversaries are continuously advancing the “novelty” of their tactics and techniques to better evade these types of statistical analytics. [Note: In fact, if you’re detecting large numbers of “commodity” types of events in your environment, you’re either dealing with entry-level adversaries… or an adversary that is deliberately trying to distract your Analysts with intentional noise.] So today, a well-staffed and well-equipped Security Operations team will be considering investments in User/Entity Behavior Analytics (UEBA) and machine learning (ML) capabilities that can automatically identify anomalous activity against a continuously learning foundation of heuristics. These types of advanced analytics can help to automate and accelerate the detection of some anomalous activity, but they should only be considered as an augmentation to experienced Analysts doing manual hunting.
When considering acquiring capabilities in this area, there are literally 100s of alternative solutions now swamping the marketplace, both open source and from commercial vendors. Most with promises of detection automation using AI or ML to help deal with the growing volume, velocity, variety, and sheer complexity of contemporary monitoring data. To be sure, despite often displaying high false positive rates, many can deliver on these promises; but only in the hands of experienced Cyber Security Analysts that know how to configure and use them effectively.