When It Comes to Threat Detection and Incident Response, Context Matters

Author: Scott Crane, Director of Product Development, Arbor

In an environment of unrelenting attacks, network packet capture and security analytics are essential for discovering an attack while it is in progress, for providing the intelligence needed to minimise the damage done, and for preventing future attacks.

CSOs should now be using security analytics tools for threat detection and incident response. These security analytics tools offer the analyst unprecedented access to data they have always logged and kept, but rarely used.

This also allows security professionals to explore data sets previously deemed too large and complex for everyday use, such as full packet captures of all network traffic. We are now seeing the emergence of tool sets that can not only deal with the incredible amount of information coming in daily, but can also be used to review older data.

The ability to look quickly into data from the past is gold for a security analyst. Being able to see trends and spot previously missed threats means that analysts are finally moving from a reactive footing to one of informed preparedness.

This new generation of security analytics tools will undoubtedly make analysts more efficient and accurate in their analysis, but it will also mean that the analyst reaches conclusions faster, contributing to the operational outcomes of security rather than producing “after action reporting” on incidents they have detected. We are now starting to see tools that can assist an analyst in identifying and following a long-running, blended threat, where the tactics change and the attacker uses a variety of methods over a long period of time.

However, most organisations don’t know why they need security analytics in the first place. A year or so ago, the big buzz-term was “big data” and consequently every vendor announced a solution in the information management space, which only confused the market as to what was important and what was just hype.

Security analytics tools don’t actually eliminate the need for a Security Incident and Event Management (SIEM) system. SIEMs still have their place in most organisations, because they do an incredible job of coordinating a massive range of disparate information and events into a single interface that can give a security team a picture of what they face right now. However, the major concern is that they achieve this at the expense of context and data fidelity. They simply cannot be used to fully understand everything that happened during an incident, or to establish its extent and impact, especially if the attacker changes tactics and moves laterally during the attack. The functions of SIEM and Security Analytics will most likely merge in the future, but unfortunately we are not there yet.

Companies that are holding back on adopting Security Analytics either still don’t fully understand the problem that it can solve, or have already made a bet on an adjacent technology (for example, SIEM) and are still trying to realise the return on that previous spend. No one wants to spend a considerable amount in a particular area and then find that they missed a large piece of the puzzle and are still not completely covered.

In my view, the key question for organisations to consider when selecting and implementing a Security Analytics solution is whether they are trying to understand their data statistically, looking for averages, trends and metrics to establish baselines, or whether they want to work in real time and understand what is happening now and what has happened during past events, in order to plan better for the future.

Importantly, they must be certain that their chosen Security Analytics system will scale, not just in terms of storage, but in how the search and query capability scales. If the solution loses performance as the data set grows, or as queries become deeper and more complex, it will be of no value for analytics, especially in real time. Collecting, storing and processing enough data, and doing it quickly and efficiently enough to achieve the results required, is essential.

When security professionals are deploying a Security Analytics solution, my number one piece of advice is to start small, with modest initial requirements. Many data science projects fail because the breadth of requirements is so large that it is impossible to find an initial approach that satisfies all of them.

Ultimately, the organisations that are moving beyond SIEM systems and striving to understand the extent and impact of attacks through Security Analytics, rather than merely the presence of those threats, are leading the way. Having switched their security strategy from reactive to one of informed preparedness, they will be better placed to secure their networks and maintain their online presence.

About the author

Scott Crane is Director of Product Development (Security Analytics) for Arbor Networks, a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks. He was the CEO of Packetloop, a cloud-based Big Data Security Analytics and analysis platform that Arbor acquired in 2013. Scott is an information security advocate focused on the analytics space. He has extensive experience in perimeter security architecture and implementation, having spent the majority of his 20-year IT and security career designing and implementing banking perimeters in Australia and Asia.
