explains how security analytics are performed and used in support of cyberthreat management.
1.Learn about the features that security intelligence and analytics platforms provide to aid in performing search analytics
2.Understand the processes underlying machine analytics and
how they’re implemented for threat management
Although they’re performed by people, search analytics can be greatly expedited and improved through the use of automated tools. Time is of the essence when a person needs to do search
analytics, and there are several tool-based capabilities that can
help, including leveraging dashboards and using drill-down
features, search capabilities, and visualization techniques.
Let’s look at each of these.
a dashboard is a SIEM tool that brings together
several security analytics views on one screen. Instead of
having to manually run several reports and flip among their
results, a person can use a dashboard that automatically runs
and refreshes a set of reports, displaying the results in or near
real time in a convenient layout. Figure 4-1 shows an example
of a security intelligence and analytics dashboard.
Drill down for details:
Dashboards and other security analytics views are useful in
and of themselves, but they’re even more valuable when they
support drill-down capabilities. These allow a person to click
on an element of interest, such as the first bar in a bar graph,
and obtain more details about that element.
Use search capabilities:
It should be no surprise that SIEMs offer a variety of search
capabilities for search analytics purposes. For example, a person may want to see all recent activity involving a particular
IP address, protocol, website, or other component of network
traffic. SIEM capabilities make all that possible through a
Use visualization techniques:
What differentiates SIEMs from each other is their degree of
built-in support for more advanced visualization techniques,
especially those that not only show the data in a graphically
sophisticated way, but also enable interactive manipulation of
that graphical representation of the data.
Machine analytics are the heart of a SIEM. Most security events
are analyzed only by machine analytics, because a lack of time
restricts in-depth search analytics to a tiny percentage of events,
although a larger percentage may be analyzed superficially.
If machine analytics don’t detect malicious activity, it’s
extremely unlikely that a person is going to happen upon that
activity through search analytics because search analytics are
so labor intensive. So machine analytics must be as accurate
and thorough as possible
To achieve the desired accuracy, machine analytics use a combination of techniques for detecting threats. These techniques
complement each other and are intended to collectively cover
a wide range of threats. See the “Detect threats” section below
for more information.
Detecting threats is where all the effort put into generating,
transferring, and normalizing forensic data pays off. As
already mentioned, a SIEM uses a combination of techniques
to improve its detection accuracy and speed. The details of
these techniques are proprietary, but their main commonalities are discussed below.
1.Deviations from baselines:
The previous “Establish baselines” section provided background on baselines. Baselines are constructed over time by
observing normal activity, and they must be maintained over
time as well to take into account changes in normal activity.
For example, an organization may deploy a new service, causing a significant change in network traffic flows
SIEMs can detect patterns of suspicious activity using multiple techniques. The simplest is to look for a signature that
matches known bad activity, such as a sequence of bytes from
a particular instance of malware or an attempt to use a default
password to log into a system.
3.Threat intelligence matches:
The last part of Chapter 2, “Understanding Threat
Management,” defined threat intelligence and highlighted
the valuable role that it plays throughout threat management
processes. This role is particularly important when it comes to
Correlation refers to identifying relationships among security
events to bring related information together. For example,
information about a single security event may be logged
as several separate events by multiple enterprise security
controls and endpoint operating systems and applications
Although detecting threats is incredibly important, prioritizing them may be just as important, if not more so.
Organizations simply do not have the resources to manually
act against every detected threat, nor do they need to. Many
threats are automatically stopped by other enterprise security
controls, for example, so they’re basically noise to the SIEM
and should generally be considered low priority.
1.Likelihood of success:
Generally, the more likely a threat is to succeed, the higher it
should be prioritized. Determining the likelihood of success
isn’t easy, however. In practice, the best measures may be how
long the attacker has been inside the perimeter, how far inside
the organization’s perimeter the attacker has penetrated, and
whether the attacker has acquired administrative privileges on
Sometimes it’s easy to estimate the potential impact of a
threat. For example, a threat may be repeatedly trying to compromise a database server that contains highly sensitive data;in that case, it’s quite likely that the attacker is attempting to
perform a breach of that data.
Another potential criterion for prioritization is the current
reputation or recent history for a particular threat. Threat
intelligence feeds often carry all of this information. Suppose
threat intelligence indicates that a particular IP address has
been the source of numerous attacks against many organizations. On its own, this information may not characterize the
threat. But what if the SIEM showed that this same IP address
is being used as the source of a successful remote access session used with an administrator account? This may indicate
the presence of an advanced threat with privileges and should
be given high priority.
Don’t take threat intelligence feeds too literally when prioritizing threats. Just because a threat doesn’t appear in the feed
doesn’t mean that it isn’t serious. Any threat, but particularly
an advanced threat, may change its characteristics at any time
by requesting a different IP address, switching the system it
uses to launch its attacks, or otherwise altering its appearance.
Therefore, it’s best to use threat intelligence to raise priority
(for example, because of confirming that an IP address is a
known threat) but not to lower priority (for example, because
of noting that an IP address is absent from the feed).
The security analytics process
ultimately results in the generation
of alerts. Each alert indicates the
detection of potentially serious
activity and assigns it a priority.
SIEM dashboards can display the
latest alerts to prompt human
review. An alert itself is concise,
but a SIEM dashboard allows
people to drill down through an
alert to access all the associated
information. See Chapter 5,
“Qualifying Security Intelligence,”
for more information on human
analysis of alerts