Analytics are an incredibly powerful source of information that can help teams drill down into often obscure or hard-to-analyze information, and make sense of data they wouldn’t normally have collected and organized.
In endpoint security, it's becoming more important to manage information so teams can review, digest and react to prioritized data sets that might map to areas of expertise across the team, certain types of attacks, or even responsibilities such as network vs. applications.
Analytics aren’t really a new concept, but endpoint security platforms that are providing new intelligence to organizations are starting to emerge, fusing strong security capabilities with analytics engines to produce next-generation views of data.
A recent article in Network World and CSO Magazine drew my attention to the fact that the security industry has now acknowledged that there is a data challenge in collecting cyber security information. Part of it is because enterprises are experiencing an overwhelming array of attacks, while part of it is because teams aren’t sure what they’re looking at in terms of singular attacks, malware and broader threats.
An interesting point made by John Pescatore of SANS Institute in the article, relative to CISOs and how they've traditionally derived data from tools, was that SIEM solutions had provided analytics that worked well for report generation but fell well short when it came to examining events from a forensic standpoint.
CISOs are increasingly looking for new ways to slice and dice data. However, big data, which according to Jon Oltsik essentially means you have more data than you know how to analyze, can be overwhelming when it's cyber security information, given the volume of known and unknown attacks.
What organizations need today is an approach that allows endpoint security data to be collected from attacks as they occur, in real time, so teams can respond in real time. Building on that, real-time forensic data analytics over time will help security teams correlate threats across the enterprise with a better understanding of 'hot spots', or target areas.
This approach (hint: it's what we do at CounterTack) to big data cyber security analytics will do two things:
It will give teams substantially better context on the impact of individual attacks and broader threats. Knowing precisely how and where adversaries are attacking you, as communicated through detailed, real-time analytics, gives security teams the ability to detect, remediate, resist and analyze attacks.
Comprehensive, forward-looking trend analyses will make more sense whether they are segmented into malware attacks, APTs, unknown attacks, collections of attacks and even malicious insider behavior.