Marc Willebeek-Lemair, CEO and Founder of Click Security, shares his perspective on Real Time Network Security Analytics
A hundred years ago, when someone had a fever, broke an arm, was delivering a baby, or contracted some rare disease, you called the town doctor. The doctor would come to your house, look you up and down, and typically prescribe two aspirin and tell you to call him in the morning! The doctor served the entire community and had to have an answer for every type of ailment. Today, we have medical specialists for just about every conceivable malady. The industry is far too specialized to ever believe a single type of doctor will be effective. Well, the challenge most enterprise IT security teams face today is a lot like the town doctor 100 years ago! Often the security team (2 or 3 staff at best) needs to know about every type of security threat against every type of server, client, application, protocol, cloud service, you name it. Furthermore, the list of targets is hyper-dynamic and no longer dictated by IT, yet it is preyed upon by a growing, well-armed, well-funded, highly motivated army of adversaries. Most security teams just don’t stand a chance.
So now what? Enter the era of Real-time Network Security Analytics. This technology enables security teams to get ahead of the bad guys and take back control of their networks. Unlike the medical profession, security organizations are just not able to increase their headcount by an order of magnitude or two. By capturing human expertise in the form of analytics (virtual expertise), individual security teams gain a force multiplier to address the ever-evolving, complex threat landscape. Ultimately, given the right data and the right insight into what questions to ask or nuances to look for (analytics), a faster and more accurate diagnosis and treatment is possible.
This, however, poses several challenges:
- Big Data: we need the right data and it needs to be clean and timely
- Big Analytics: we need the right analytics and lots of them running continuously
- Visualization: we need fast and intuitive interfaces for human analysts
Let’s explore each of these challenges:
- Big Data: the data can be voluminous, but rather than attempt to capture all possible forms of data, it makes more sense to select the data most useful to the analytics. The right combination of log sources, network data, file data and endpoint data, along with external threat intelligence, is key.
- Big Analytics: ultimately analytics can automate much of what the human analyst performs manually, leveraging broad expertise packaged into software. Analytics can be used to separate the signal from the noise by converting many independent low-fidelity events into a high-fidelity, actor-based alert. Analytics can also automate the contextualization around an actor, further coloring its severity and accelerating the time to understand what is happening and formulate an appropriate response. Running many different analytics simultaneously in real time against a steady flow of data, however, is a challenge, requiring the right type of stream processing engine.
- Visualization: 100% automation without human intervention is unfortunately not feasible against most modern threats. Often, final diagnosis of a high-fidelity alert requires a human analyst. For this human interactive stage, analytics that pre-process context and provide intuitive visualization capabilities can greatly accelerate the security analyst’s ability to respond.
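To make the "many low-fidelity events into one actor-based alert" idea concrete, here is an added example (illustrative code written for this page, not Click Security's product or any code from the original post). It folds a constructed stream of events into per-actor state, enriches each event against a constructed threat-intelligence list and asset inventory, and emits a single alert once an actor's accumulated score crosses a threshold. The event types, weights, threshold, IP addresses and domains are all assumptions chosen for the illustration.

```python
"""Added example: correlating low-fidelity events into actor-based alerts.

Illustrative code, not Click Security's product. Event fields, weights,
the threat-intel lists and the asset inventory are all constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample event stream: (timestamp, actor, event_type, detail).
# None of these events on its own would justify paging an analyst.
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "auth_failure", "user=alice"),
    (101, "10.0.0.5", "auth_failure", "user=bob"),
    (102, "10.0.0.5", "auth_failure", "user=carol"),
    (103, "10.0.0.7", "auth_failure", "user=dave"),
    (110, "10.0.0.5", "dns_query", "updates-cdn.example"),
    (111, "10.0.0.5", "outbound_conn", "203.0.113.9:443"),
    (112, "10.0.0.7", "dns_query", "intranet.example"),
]

# Per-event weights (assumed): low individually, meaningful in aggregate.
EVENT_WEIGHTS = {"auth_failure": 1.0, "dns_query": 0.5, "outbound_conn": 0.5}

# Constructed external threat intelligence.
BAD_DOMAINS = {"updates-cdn.example"}
BAD_IPS = {"203.0.113.9"}

# Constructed asset inventory used to contextualize the actor.
ASSET_ROLE = {"10.0.0.5": "finance-workstation", "10.0.0.7": "lab-host"}
CRITICAL_ROLES = {"finance-workstation"}

ALERT_THRESHOLD = 4.0  # assumed tuning value


@dataclass
class ActorState:
    score: float = 0.0
    events: list = field(default_factory=list)
    context: set = field(default_factory=set)
    alerted_at: Optional[int] = None  # timestamp the threshold was crossed


def enrich(event_type, detail):
    """Return context tags for one event by checking it against threat intel."""
    tags = set()
    if event_type == "dns_query" and detail in BAD_DOMAINS:
        tags.add("dns:known-bad-domain")
    if event_type == "outbound_conn" and detail.split(":")[0] in BAD_IPS:
        tags.add("conn:known-bad-ip")
    return tags


def correlate(events, threshold=ALERT_THRESHOLD):
    """Fold a stream of low-fidelity events into per-actor state.

    Returns only the actors whose accumulated score crossed the threshold,
    each carrying the evidence and context an analyst would want to see.
    """
    actors = defaultdict(ActorState)
    for ts, actor, etype, detail in sorted(events):
        state = actors[actor]
        state.events.append((ts, etype, detail))
        tags = enrich(etype, detail)
        state.context |= tags
        weight = EVENT_WEIGHTS.get(etype, 0.0)
        if tags:
            # Corroborated by threat intel, so the event counts for more.
            weight *= 4
        state.score += weight
        role = ASSET_ROLE.get(actor)
        if role in CRITICAL_ROLES:
            state.context.add(f"asset:{role}")
        if state.score >= threshold and state.alerted_at is None:
            state.alerted_at = ts
    return {a: s for a, s in actors.items() if s.alerted_at is not None}


def severity(state):
    """Color the alert by context: intel hit plus critical asset is 'high'."""
    intel_hit = any(t.startswith(("dns:", "conn:")) for t in state.context)
    critical = any(t.startswith("asset:") for t in state.context)
    return "high" if intel_hit and critical else "medium"


if __name__ == "__main__":
    for actor, state in correlate(SAMPLE_EVENTS).items():
        print(actor, severity(state), round(state.score, 1), sorted(state.context))
        for ev in state.events:
            print("   ", ev)
```

On the constructed stream, 10.0.0.5 accumulates three authentication failures plus two threat-intel-corroborated events and becomes one high-severity alert with its evidence attached, while 10.0.0.7, with a single failure and a benign DNS query, never surfaces. The stream is processed event by event so the same logic can sit behind a real stream processing engine; here it simply iterates over the list.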
Big Data and Security Analytics, particularly Real-time Network Security Analytics, are powerful levers that can enable IT security “Town Doctors” to combat the increasingly challenging cyber threat landscape. Think of them as antibiotics and MRIs. They enable you to see what is important, distilled out of the mass of data; be more efficient and effective in analysis and response; and automate your analyses so that you do not have to do the same thing over and over again.