Analytics security tools collect, filter, integrate, and link different types of security event data to provide a more complete view of the security of an organization’s infrastructure. Almost any organization with a large number of connected devices – from workstations to servers, routers to smartphones and printers – can benefit from security analytics.
This market, however, is changing rapidly. Vendors are merging, developers are adding new features, and tools that previously could only be deployed in-house are now available as cloud services. Despite all these changes, organizations have relatively constant needs, starting with the ability to analyze logs, correlate events, and generate alerts.
There is no single taxonomy of security analytics use cases that organizes every need, but the typical categories are: basic analytics with minimal overhead; the large-enterprise use case; a focus on advanced persistent threats; a focus on investigation; and a complete set of security tools and services.
These categories highlight the diversity of needs for key features such as deployment models, scalability, scope and depth of analysis, investigation, monitoring, reporting, and visualization.
Several products are mentioned here, including the Blue Coat Security Analytics Platform, the Lancope StealthWatch System, Juniper Networks JSA Series Secure Analytics, EMC RSA Security Analytics NetWitness, the FireEye Threat Analytics Platform, Arbor Networks Pravail Security Analytics, Click Security's Click Commander, and the cloud service from Sumo Logic.
Basic analytics with minimal overhead
Small and medium organizations are often tempting targets for attackers. They may not be as compelling as the big companies, but they often have fewer obstacles to success. Companies subject to sectoral regulations, such as PCI DSS, need to have controls in place to protect personally identifiable data or health data, for example. Analytical security tools can help reduce the risk of security breaches, but they must meet several criteria related to the constraints specific to small and medium organizations.
Deployment models must, in particular, limit administrative overhead. Cloud appliances and services typically meet this criterion, but virtual appliance deployments can also enable limited overhead deployments.
The Sumo Logic cloud service is a good example of a service designed for SMEs. This log analysis service provides a centralized management dashboard for monitoring applications, servers, and network resources. Since it is a cloud service, there is no hardware or software to maintain. The service includes predefined reports and is therefore suited to different regulatory needs, whether PCI DSS, Sarbanes-Oxley, ISO or COBIT. Machine learning algorithms can also be used for event detection, eliminating the need for manual rule creation. Multidimensional performance indicators are tracked in the admin dashboard.
As with other cloud services, Sumo Logic pricing is based on the number of users and the amount of data analyzed.
SMEs that prefer to run their security analytics tool locally can turn to the Blue Coat Security Analytics Platform. It is available as a virtual machine or as a pre-configured appliance, and its modular architecture allows customers to choose the modules they need, called blades.
The case of large companies
At the other end of the organization-size spectrum, large organizations need to weigh the elasticity, depth and breadth of analysis, investigation, and monitoring capabilities of security analytics platforms. Limited administrative overhead will certainly be appreciated, but it is secondary: functional completeness is the priority here.
Juniper Networks JSA Series Secure Analytics is available in different versions to suit the demand levels of businesses. The JSA 5800 appliance, for example, is designed for mid-sized to large businesses, while the JSA 7500 is for multinationals. Smaller companies anticipating strong growth can begin with the JSA 3800 or the JSA virtual appliance, before switching to more powerful models later. For the virtual appliance, a server running VMware ESX 5.0 or 5.1, with 4 CPUs and 12 GB of RAM is required.
The EMC RSA Security Analytics NetWitness platform comprises two sets of modules. The first supports the infrastructure and the second provides the analytical services. The modules are deployed in different configurations to meet data volume and analytical needs.
RSA Security Analytics Decoder is one of the infrastructure components. The decoder is a network appliance designed to collect packet and log data in real time, and it supports a wide range of log types. Multiple decoders can be deployed across the network to ensure availability and resiliency. RSA Security Analytics Concentrator is another infrastructure component, responsible for aggregating the data collected by the decoders. Security analysts and administrators use RSA Security Analytics Broker and Analytic Server to query the collected and aggregated data.
The RSA Security Analytics distributed platform is well suited to large networks: infrastructure components can be added as network traffic and log volumes grow. But like any distributed system, it is more complex to administer and configure, so organizations should plan to invest enough administrative resources to oversee the platform.
The analytics components of the platform provide real-time analysis of network, log and endpoint data to detect events. An archiving tool is also available to store data and report on information collected over time.
Focus on advanced persistent threats
Organization size is only one dimension along which security analytics use cases can be categorized. Sometimes it is more appropriate to consider which features matter most given the organization's needs. For example, if a company already has good endpoint protection and good data collection capabilities, it may want to focus on detecting advanced persistent threats. In this case, a security analytics system with extensive analysis and investigation capabilities may be particularly appropriate.
Arbor Pravail Security Analytics employs multiple techniques to detect advanced persistent threats in real time. This security analytics platform uses full packet capture to collect vast amounts of raw data that help identify the presence of multiple attack vectors used against the organization. Network traffic data is stored and re-analyzed each time new data arrives. For example, when a new threat type is identified by the vendor's threat intelligence service, new detection techniques can be developed and deployed. These techniques can then be run over old data to determine whether an attack is already under way.
Some attackers will compromise a network and then suspend their activity for weeks. This period of silence works in the attacker's favor: reduced activity can be harder to detect than an attack in progress that generates recognizable behavior. By keeping a history of network traffic and analyzing it for signs of past attacks, organizations can reduce the advantage the attacker previously gained.
In addition to analyzing historical data, traffic flow analysis is a key method for discovering advanced persistent threats. The Lancope StealthWatch System uses network flow records to detect the steps of an advanced attack. The system integrates a data aggregator that consolidates disparate data into a single source of analyzable network and endpoint event data. A console provides up-to-date data and alerts on significant events that form part of an advanced attack.
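The two ideas in the preceding paragraphs, retaining traffic history so that detection content which arrives later can be run over it, and working from flow records rather than full packets, can be sketched in a few lines of Python. This is an added example and not code from Arbor, Lancope or any other vendor named in this article; the `FlowHistory`, `indicator_rule` and `beaconing_rule` names, the 10.0.0.0/8 internal range, and every address, timestamp, byte count and threshold below are constructed for the demonstration.

```python
"""Retrospective analysis of retained flow records.

Added example, not code from any product named in the article: a minimal
flow history that keeps every record and re-runs each newly added detection
rule over the whole history, so a host that beaconed weeks ago and then went
quiet is still surfaced when the rule or indicator arrives later. All
addresses, timestamps, byte counts and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Callable

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the organization's own address space


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    first_seen: datetime
    last_seen: datetime
    detail: str


Rule = Callable[[list[Flow]], list[Alert]]


def is_external(addr: str) -> bool:
    return ip_address(addr) not in INTERNAL


def indicator_rule(bad_dsts: set[str]) -> Rule:
    """Threat-intel style rule: every host that contacted a listed destination."""
    def run(flows: list[Flow]) -> list[Alert]:
        seen: dict[tuple[str, str], list[datetime]] = defaultdict(list)
        for f in flows:
            if f.dst in bad_dsts:
                seen[(f.src, f.dst)].append(f.ts)
        return [Alert("indicator_match", src, min(ts), max(ts), f"{len(ts)} flows to {dst}")
                for (src, dst), ts in seen.items()]
    return run


def beaconing_rule(min_flows: int = 6, max_bytes: int = 2048, max_jitter: float = 0.2) -> Rule:
    """Behavioural rule: many small, evenly spaced flows from one internal host to
    one external destination (coefficient of variation of the gaps below max_jitter)."""
    def run(flows: list[Flow]) -> list[Alert]:
        times: dict[tuple[str, str], list[datetime]] = defaultdict(list)
        for f in flows:
            if is_external(f.dst) and f.bytes_out <= max_bytes:
                times[(f.src, f.dst)].append(f.ts)
        alerts = []
        for (src, dst), ts in times.items():
            if len(ts) < min_flows:
                continue
            ts.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                alerts.append(Alert("beaconing", src, ts[0], ts[-1],
                                    f"{len(ts)} small flows to {dst}, one every ~{avg:.0f}s"))
        return alerts
    return run


class FlowHistory:
    """Retained flow history plus the rules currently in force."""
    def __init__(self) -> None:
        self.flows: list[Flow] = []
        self.rules: dict[str, Rule] = {}

    def ingest(self, *flows: Flow) -> None:
        self.flows.extend(flows)

    def run_all(self) -> list[Alert]:
        return [a for rule in self.rules.values() for a in rule(self.flows)]

    def add_rule(self, name: str, rule: Rule) -> list[Alert]:
        """Register a new rule and immediately apply it to everything already stored."""
        self.rules[name] = rule
        return rule(self.flows)


def build_history() -> FlowHistory:
    """Constructed day-one traffic: ordinary activity plus one quietly beaconing host."""
    t0 = datetime(2024, 5, 1, 8, 0, 0)
    h = FlowHistory()
    # irregular web browsing with large transfers (constructed)
    for host, offsets in (("10.0.0.12", (0, 37, 41, 900, 905, 2200)),
                          ("10.0.0.33", (15, 60, 800, 1700, 2100, 2150))):
        h.ingest(*(Flow(t0 + timedelta(seconds=s), host, "203.0.113.50", 443, 30_000 + s)
                   for s in offsets))
    # internal file-server traffic, ignored by the external-only beaconing rule
    h.ingest(*(Flow(t0 + timedelta(seconds=s), "10.0.0.12", "10.0.0.5", 445, 150_000)
               for s in (10, 700, 1300)))
    # the implant: ~10-minute check-ins of a few hundred bytes to one external host
    for i, jitter in enumerate((0, 12, -8, 5, -3, 9, -6, 2)):
        h.ingest(Flow(t0 + timedelta(seconds=600 * i + jitter), "10.0.0.12",
                      "198.51.100.7", 443, 200 + i))
    # the only rule in force on day one: an indicator list that does not yet know 198.51.100.7
    h.add_rule("intel_v1", indicator_rule({"192.0.2.99"}))
    return h


def weeks_later(h: FlowHistory) -> dict[str, list[Alert]]:
    """New detection content arrives; each piece is applied to the retained history."""
    return {
        "day_one": h.run_all(),
        "beaconing": h.add_rule("beaconing", beaconing_rule()),
        "intel_v2": h.add_rule("intel_v2", indicator_rule({"198.51.100.7"})),
    }


if __name__ == "__main__":
    for name, alerts in weeks_later(build_history()).items():
        print(name, [(a.rule, a.host, a.first_seen.isoformat(), a.detail) for a in alerts])
```

On day one only the stale indicator list is in force, so the check-ins pass unnoticed; when a behavioural rule and an updated indicator arrive later, `add_rule` runs them over the stored history and both point back to the same host with a first-seen timestamp weeks in the past. In a real deployment the history would be a time-indexed store rather than a list, and the beaconing thresholds would be tuned against the organization's baseline traffic to keep scheduled updaters from triggering it.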
For its part, Click Security's Click Commander is well suited to analyzing attacker behavior, building activity profiles at each stage of the compromise chain and issuing alerts and other notifications. It integrates visualization tools that draw activity graphs, along with actor profiles and contextual data for analyzing the events the graphs describe.
Focus on investigation
There is some overlap between use cases focused on advanced persistent threats and those focused on investigation. Arbor Pravail Security Analytics and the Lancope StealthWatch System are well suited to investigation, but other systems that collect and integrate data and provide comprehensive analytical capabilities can also meet investigation needs.
For example, the Blue Coat Security Analytics Platform integrates well with security tools such as firewalls, data loss prevention (DLP) systems, IPS and IDS, and anti-virus. It also supports data generated or delivered by Dell, HP, McAfee, Palo Alto Networks and Splunk tools and devices.
A complete set of tools and services
Some organizations need to combine existing security controls with a new security analytics platform. Here, the best product is probably the one that integrates with the existing infrastructure and fills its functional gaps, so a modular offering may be appropriate.
The Blue Coat Security Analytics Platform, for example, allows different modules, the blades, to be added as needed. The diversity of its deployment models – physical and virtual appliances – also makes it possible to deploy a security analytics tool with the desired level of functionality and elasticity.
If the priority is analytical reporting, Sumo Logic's preconfigured reports may suffice. EMC RSA Security Analytics NetWitness, for its part, is well suited to organizations that need long-term archiving of security data.
Security analytics tools address common problems: how to use the event data available within the infrastructure to identify threats and attacks, analyze attack methods, and alert administrators and operators when malicious activity occurs. Organizations of all sizes are affected.
Small organizations may be tempted to assume that they are of no interest to the most sophisticated attackers, but this is not the case. They are likely to form part of the value chain leading to larger targets, such as multinationals or large government bodies. Security analytics is not a company's first line of defense, but it is an increasingly important one.
IT professionals responsible for recommending, evaluating, and acquiring a security analytics platform should accurately assess their needs, taking into account existing security controls and applications, to avoid redundancies.