Cybersecurity may never be called a simple discipline that is easy to manage, but when it comes to cybersecurity analytics, the complexity can go off the charts. With that in mind, eSecurity Planet headed to the SAS Global Forum in Orlando earlier this month. What did the market leader in analytics and business intelligence have to say about how to take the pain out of security analytics and its implementation?
First, some data. The company sponsored a survey by the Ponemon Institute, which found that 61% of respondents consider security analytics critical to their organization's cyber defenses. That's why 71% expect to expand its use over the next 12 months. That said, the survey unearthed factors that show that security analytics often struggles to live up to the hype. Key findings include:
· Deployment is not for the faint of heart. 56% of respondents characterized their initial solution deployments as "difficult" or "very difficult."
· Detecting the key threats: Respondents report gaps between threats they want their solutions to detect and those they're actually finding.
· Data is a big obstacle. 51% cited data issues as deployment challenges. Even post-deployment, 65% pointed to data difficulties, chief among them: data quality, data integration and data volume.
Perfect IT security impossible
It fell to Alex Anglin, senior technical consultant at SAS, to address the cybersecurity data problem. He began by acknowledging that perfect information security is impossible due to economic, technological and psychological factors.
On the economic side, it costs very little to attack, and the potential gain is high. And on the other side of that attack, it is very expensive to set up and run the necessary defenses. This loads the dice heavily in favor of the bad guys.
"The volume of data to review in order to understand your security posture is immense," said Anglin. "Defenders need to be perfect and attackers just need to get through once. And once inside, it can take weeks or even months to detect them."
On the technology front, the simple fact is that no software vendor guarantees perfect security. They may promise the world, but the small print in the contract absolves them of guilt in the event of a breach. Anglin's advice is to apply hotfixes quickly.
Psychologically, the cybercriminal is ably assisted by the gullibility of people. As the weak link in most security defenses, people are prone to be tricked by the same old social engineering tricks time after time.
Analytics offers a security edge
Analytics can help even the odds to some degree. The fact is that there is too much information coming at IT on an ongoing basis. It's a rare person in IT who could boast of a complete grasp of every system, every piece of hardware, every device, application and network layer. Analytics is a tool that can crunch through mountains of data and make life easier for a security professional. It achieves this by recognizing potential threats and responding to them. But success depends upon the right approach to data management.
The approach used by SAS Cybersecurity is heavily based on the analysis of streaming data, although some batch processes are also used. For streaming data, NetFlow is heavily relied on. The NetFlow network protocol collects IP traffic information and monitors network traffic. It is a handy way to view what is happening with network traffic flow and to unearth anomalies. But with NetFlow, there are billions of records every day. To sort through that much big data, rapid analysis is called for.
"Many security tools look at the host level, but it is computationally easier to move up the stack from the network layer to the host layer than it is to move down," said Anglin. "Holistic analysis lower in the communication stack at the packet level isn't really feasible at this time outside of certain military use cases or when focused on high-value assets or points of interest."
To be successful, however, security analytics must incorporate more than just NetFlow. It also brings in metadata, authentication event logs and web proxy data. In other words, you have to understand the network and its subnets, the users and the organizational structure and tie this into the analytics.
Another useful source of analysis data is the inventory of IT assets running on the network. The Configuration Management Database (CMDB) can supply this information. Finally, threat intelligence data should be imported – phishing sites, file hashes associated with malware, etc.
"You have to do all that if you want to find incidents that can't be detected by other security systems," said Anglin. "However, analytics does not replace other security tools, it augments them."
When analytics is added to the security arsenal, Anglin lets the system run for a week or two to establish what is normal network traffic. Such systems utilize unsupervised machine learning techniques to categorize behavior and user types. The end result is a clear understanding of the organization and its traffic. This is a vital step in avoiding false positives or generating too many alerts.
The SAS approach is to detect suspicious device behavior on a network. Each device is assigned a risk score from one to 99 based on factors such as analytical measures of device activity and of the entity when compared to its peer group. Say, for example, a device was communicating with too many external IP addresses compared to its peer group, or too much data in versus data out. The risk score is calculated based on assessed severity and an alert is generated for the device.
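The pipeline described above (NetFlow-style records, enrichment with a CMDB peer group and a threat-intelligence list, then a per-device risk score from one to 99 with an alert for the outliers) can be sketched in a few dozen lines. The example below is added here for illustration and is not SAS code; the flow records, the CMDB extract, the indicator list (a TEST-NET-3 address, not a real IoC), the 10.0.0.0/8 internal range and the scoring weights are all constructed assumptions. It scores each host on two of the measures named in the text, number of distinct external IPs and bytes out versus bytes in, as z-scores against the host's CMDB peer group, and adds a fixed severity for any contact with a threat-intelligence indicator.

```python
"""Peer-group risk scoring over NetFlow-style records.

Added example, not SAS code. Every record, the CMDB table, the indicator
list and the weights below are constructed for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed CMDB extract: host -> peer group (its role in the organization)
CMDB = {
    "10.0.1.10": "workstation", "10.0.1.11": "workstation",
    "10.0.1.12": "workstation", "10.0.1.13": "workstation",
    "10.0.2.20": "web-server", "10.0.2.21": "web-server", "10.0.2.22": "web-server",
}

# Constructed threat-intel indicator (TEST-NET-3 placeholder, not a real IoC)
THREAT_INTEL_IPS = {"203.0.113.66"}

METRICS = ("external_peers", "out_in_ratio")
Z_WEIGHT = 25    # assumed: score points per standard deviation above the peer group
TI_WEIGHT = 50   # assumed: score points per threat-intel match


def build_sample_flows():
    """Constructed, simplified bidirectional flow records:
    (src_host, dst_ip, bytes_in, bytes_out). Real NetFlow exports are
    unidirectional; pairing directions is left out to keep the example short."""
    flows = []
    for i, host in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12"]):
        flows += [(host, f"192.0.2.{i + 1}", 400, 40),
                  (host, f"198.51.100.{i + 1}", 400, 40),
                  (host, "10.0.0.5", 200, 20)]  # internal peer, not counted as external
    # 10.0.1.13 talks to six external hosts and sends almost as much as it receives
    flows += [("10.0.1.13", f"198.51.100.{50 + i}", 150, 150) for i in range(6)]
    flows.append(("10.0.1.13", "10.0.0.5", 100, 0))
    flows += [("10.0.2.20", "192.0.2.10", 300, 300),
              ("10.0.2.21", "192.0.2.11", 300, 300),
              ("10.0.2.22", "203.0.113.66", 300, 300)]  # matches the indicator list
    return flows


def device_features(flows):
    """Aggregate per-source-host measures from the flow records."""
    acc = defaultdict(lambda: {"peers": set(), "in": 0, "out": 0, "ti": 0})
    for src, dst, b_in, b_out in flows:
        a = acc[src]
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            a["peers"].add(dst)
        a["in"] += b_in
        a["out"] += b_out
        if dst in THREAT_INTEL_IPS:  # enrichment with threat intelligence
            a["ti"] += 1
    return {h: {"external_peers": len(a["peers"]),
                "out_in_ratio": a["out"] / max(a["in"], 1),
                "ti_hits": a["ti"]} for h, a in acc.items()}


def peer_zscores(features, cmdb, metric):
    """Deviation of each host's metric from the mean of its CMDB peer group."""
    groups = defaultdict(list)
    for host, f in features.items():
        groups[cmdb.get(host, "unknown")].append(f[metric])
    z = {}
    for host, f in features.items():
        vals = groups[cmdb.get(host, "unknown")]
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        z[host] = 0.0 if sd == 0 else (f[metric] - statistics.mean(vals)) / sd
    return z


def risk_scores(flows, cmdb=CMDB):
    """Risk score 1..99 per host: positive peer deviations plus threat-intel hits."""
    feats = device_features(flows)
    zs = {m: peer_zscores(feats, cmdb, m) for m in METRICS}
    scores = {}
    for host, f in feats.items():
        severity = sum(max(zs[m][host], 0.0) for m in METRICS) * Z_WEIGHT
        severity += TI_WEIGHT * f["ti_hits"]
        scores[host] = int(min(99, max(1, round(severity))))
    return scores


def alerts(scores, threshold=50):
    """Hosts whose score reaches the threshold, highest risk first."""
    return sorted(((h, s) for h, s in scores.items() if s >= threshold),
                  key=lambda hs: -hs[1])


if __name__ == "__main__":
    scores = risk_scores(build_sample_flows())
    for host, score in alerts(scores):
        print(f"ALERT {host} risk={score} group={CMDB.get(host, 'unknown')}")
```

With the constructed data, the workstation that fans out to six external addresses and pushes out nearly as many bytes as it pulls in scores 87, the web server that contacts the indicator scores 50 on the threat-intel match alone, and every other host stays at 1. The peer-group statistics stand in for the baseline the text says is built by letting the system run for a week or two; on real data they would be computed over that window rather than over a single batch, and a robust centre (median and MAD) tolerates outliers in the baseline better than mean and standard deviation.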
In the event that many hosts are potentially compromised, Anglin urged organizations to adopt a sensible approach.
"Doing forensics on compromised hosts is expensive so focus on a few hosts – those most likely to have been compromised," he said. "If you find an actual compromise, find out what other assets and credentials are linked to it in case they have been infected."
Underutilized data sources key to security
Anglin emphasized underutilized data sources, and Stu Bradley, vice president of Cybersecurity Solutions at SAS, continued that theme. He described SAS Cybersecurity as behavioral analytical detection that looks at data sources underutilized in security.
"We enrich NetFlow with a more robust data set and run detection models to detect threats," he said.
While the SAS show included plenty of enhancements to existing analytics products, none were specific to security. Bradley said a year-end release of SAS Cybersecurity would expand its full security analytics platform scaled for large enterprises. The company's strategy has been to focus on scale first to handle the volumes of security data. With that achieved, it is now broadening its portfolio.
"The big problem in cybersecurity is being able to scale well enough to deal with hundreds of thousands of events per second," said Bradley.
As a result, SAS started with a few data sources, especially NetFlow, doing network traffic, identity, user and entity behavior and data exfiltration analytics. Now that the company is happy with performance based on those parameters, it is ready to roll out more. Look, therefore, for the addition of more data sources and greater analytical capabilities. Bradley mentioned more application data, endpoint data, DNS information and integration with other security databases and apps as some of the new features coming later in the year, as well as more analytical routines.
"We are also opening up the platform to customers to be able to add the data sources they want and develop their own analytic capabilities," said Bradley.