What is security analytics?
Security analytics is a cybersecurity approach that uses data collection, data aggregation and analysis tools for threat detection and security monitoring. An organization that deploys security analytics tools can analyze security events to detect potential threats before they can negatively affect the company's infrastructure and bottom line.
Security analytics combines big data capabilities with threat intelligence to help detect, analyze and mitigate insider threats, persistent cyber threats and targeted attacks from external bad actors.
Benefits of security analytics
Security analytics tools provide organizations with the following key benefits:
- Security incident and anomaly detection and response. Security analytics tools analyze a wide range of data types, making connections between different events and alerts to detect security incidents or cyber threats in real time.
- Regulatory compliance. Security analytics tools help enterprises comply with government and industry regulations, such as Health Insurance Portability and Accountability Act and Payment Card Industry Data Security Standard. Security analytics software can integrate a variety of data sources, giving organizations a single, unified view of data events across a variety of devices. This enables compliance managers to monitor regulated data and identify potential noncompliance.
- Enhanced forensics capabilities. Security analytics tools provide companies insights into where attacks originated from, how their systems were compromised, what assets were compromised and whether there was any data loss. These tools can also provide timelines for any incidents. The ability to reconstruct and analyze incidents can help organizations shore up their cybersecurity strategy to prevent similar incidents from happening again.
Security analytics tools
Security analytics tools detect behaviors that indicate malicious activity by collecting, normalizing and analyzing network traffic for threat behavior. Providers that specialize in security analytics offer machine learning tools for applying security models to traffic across a company's assets.
Security analytics tools include the following:
- WildFire from Palo Alto Networks detects and prevents zero-day malware using a combination of malware sandboxing, signature-based detection and malware blocking.
- Sumo Logic is a cloud-native, machine data analytics service that enables organizations to monitor, troubleshoot and resolve operational issues and security threats.
- Logz.io Security Analytics combines the ELK stack -- a collection of three open source products: Elasticsearch, Logstash and Kibana -- with advanced security analytics tools to help enterprises identify and remediate threats to their systems.
Security analytics use cases
Companies can deploy security analytics for a wide variety of reasons. Some common use cases are the following:
- Analyzing network traffic to detect patterns indicating potential attacks.
- Monitoring user behavior, including potentially suspicious activity.
- Detecting potential threats.
- Detecting data exfiltration.
- Monitoring employees.
- Detecting insider threats.
- Identifying compromised accounts.
- Identifying improper user account usage, such as shared accounts.
- Investigating malicious activity.
- Demonstrating compliance during audits.
- Investigating cybersecurity incidents.
SIEM vs. security analytics
Security information and event management (SIEM) systems collect log data generated by monitored devices -- e.g., network equipment, computers, storage, firewalls, etc. -- to identify specific security-related events occurring on individual machines. They then aggregate this data to determine what's occurring across an entire system. This enables organizations to identify any variations in expected behavior so they can formulate and implement the necessary responses.
Legacy SIEM systems aren't built to handle modern continuous integration/continuous delivery (CI/CD) lifecycles based on frequent build and deployment cycles. As such, they can't handle the massive amounts of data these methods generate.
Unlike legacy SIEM systems, security analytics takes advantage of cloud-based infrastructure. And, since cloud storage providers can provide almost unlimited data storage that can scale according to an organization's needs, the company is not limited by the corporate data storage and retention policies. In addition, security analytics can collect and store data more efficiently. It's also better at handling modern DevOps practices and CI/CD systems.
Big data security analytics
IT security professionals must ensure that their companies' systems are secure, that cyber threat risks are kept to a minimum and that they are complying with data governance regulations. Consequently, one of their primary responsibilities is monitoring and analyzing huge amounts of log and event data from servers, network devices and applications.
Big data security analytics refers to the techniques and strategies used to analyze vast amounts of security data. Big data security analytics can be divided into two functional categories: performance and availability monitoring (PAM) and SIEM.
Big data security analytics tools can discover network devices and automatically collect each device's event and configuration data. Because big data analytics systems require a comprehensive view of the enterprise's security data, they have to integrate with other third-party security tools, as well as Active Directory or Lightweight Directory Access Protocol servers.
Editor's note: This article was written by Linda Rosencrance in 2020. TechTarget editors revised it in 2023 to improve the reader experience.