As enterprise IT infrastructures become increasingly complex, reducing mean-time-to-detect and mean-time-to-respond has become a top priority for every security team.
Faced with rising volumes of traffic and alerts and the emergence of new threat types, teams are racing to find ways to make themselves more efficient and, as a result, their organisations more secure.
According to a recent survey by Forrester Research, 96% of enterprises cite improving their security monitoring capabilities as a top priority. This is despite the fact that a wide range of monitoring systems have been available and in use for many years.
The survey also found that, in 2016, 53% of firms surveyed reported they had experienced at least one security breach, and for many it had happened on multiple occasions. Most breaches involved theft of personally identifiable information (31%), authentication credentials (30%), intellectual property (30%) and corporate financial data (29%).
The monitoring challenge
A key challenge faced by security teams is the bottleneck caused by too much work being loaded onto too few people. In many IT departments, a large portion of the security team's time is spent on day-to-day activities rather than longer term strategies. This challenge is becoming even more acute due to a widespread shortage of people with the required security skills.
Much of the problem stems from the fact that, in many instances, security analysis is still a manual activity. Security teams gather information from a wide variety of sources and then use a series of manual tools to look for problems. For some teams there are simply too many security alerts coming in to allow efficient and effective analysis of them all.
In fact, industry research shows that this lack of speed and agility when responding to a suspected data breach is the most significant issue facing enterprise security teams today.
The evolution of security analytics
It's clear that traditional rules-based security information management (SIM) techniques have proven to be ineffective for many organisations. While offering some support, they tend to be difficult to maintain and only find known threats.
As a result, increasing numbers of organisations are looking for a new set of tools, and many are finding that analytics tools can provide the extra level of support they require. Security analytics tools take large amounts of data and use machine learning techniques to provide real-time monitoring and analysis. They can thus facilitate rapid incident detection and response.
Security analytics tools can also make use of both internal and external threat intelligence. They can examine large volumes of historical data and so provide increased context for responders. This, in turn, can enable more rapid investigations and response.
The primary purpose of security analytics is to give security teams improved visibility into their IT infrastructure and any threats it might be facing. It is difficult (if not impossible) for humans to monitor everything at all times; that continuous monitoring is what the tools have been designed to do.
Further benefits are to be gained when security analytics tools are integrated with other existing security tools. This can streamline and automate the flow of information and ensure that the machine learning capabilities can be put to work on the large volumes of data that need to be analysed.
Factors to consider when selecting an SA platform
While security analytics tools can deliver significant benefits to an organisation, it is not a case of taking a one-size-fits-all approach to their adoption. The security team should carefully consider the type of monitoring that would be most appropriate and then select tools to match.
It's also important to consider the skill base of the team in place and how the tools could best support them, as too much complexity could actually be less beneficial than having no tools at all.
Once selected and in place, the tools need to be configured to match the organisation's specific requirements.
The selection of the right tools will allow many currently manual processes to be automated. Teams can put security policies in place and the tools will then ensure compliance automatically. As a result, external threats can be managed with far less need for human intervention.
While the number and nature of security threats will continue to grow and evolve, having the correct security analytics tools in place will allow teams to maintain the required level of vigilance.
Freed from the need to undertake laborious manual tasks, they will instead be able to focus on maintaining robust overall security at all times.