Security analysis principles and techniques for IT pros



Behavioral threat assessment means real-time threat detection

Real-time behavioral threat analytics is the next frontier in security. Learn how a behavioral threat assessment tool can protect your enterprise systems and data.

If yours is like most organizations, your environment is equipped with instruments that detect anomalous behavior by users and systems. You're logging information and digging through it to find out what has happened.

And you've probably discovered a couple of whopping flaws with your approach.

First, it's expensive and unsustainable. Very few enterprise organizations can afford to hire dozens of security analysts every year, if they can even find them. (And estimates are that the global market is generating a million unfilled security analyst job openings per year.)

Second, and more important, it's slow. Even if you had the proper staff, the backlog of analysis means that the average breach goes undetected for months, according to many breach reports. And as the time to exploit an attack continues to increase, that could mean trouble.

Behavioral threat assessment to the rescue

The solution? Consider deploying real-time behavioral threat analytics (BTA). Real-time BTA tools come from vendors like Bay Dynamics, Exabeam, Fortscale, Gurucul, LightCyber, Securonix and Splunk (through its Caspida acquisition). Although the algorithms are different from vendor to vendor, real-time BTA products provide a layer of analysis on top of existing monitoring and logging products.

That is, BTA tools create a behavioral threat assessment by plugging into security information and event management (SIEM) tools, intrusion detection and prevention systems, and other sources such as firewalls, and importing their log information. They then perform correlation analysis on that information to determine what behavior is normal for users, devices and systems. The next step in developing a behavioral threat assessment is additional analysis to determine whether anomalous behavior is just that -- anomalous, but harmless -- or represents a true threat. BTA products do all this by applying machine learning to the data streams, so security analysts don't need to program in rules about what constitutes normal behavior.

That means that one of the huge benefits behavioral threat analytics tools can provide is minimizing the number of alerts and false positives -- things that look like threats but aren't. Organizations that have deployed such systems say they bring the number of false positives down from 500 or more a day -- clearly an unmanageable amount -- to two or three real threats.
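The two stages described above (learn a per-user baseline from imported logs, then decide whether an anomaly is harmless or worth an alert) can be illustrated with a small script. The following is an added example written for this article, not code from any BTA vendor named here; the log rows are constructed, and the thresholds, indicator names and the "one indicator is suppressed, two or more is an alert" triage rule are simplifying assumptions standing in for the vendor-specific machine learning the article mentions.

```python
import math
from collections import defaultdict

# Constructed sample baseline window: per-user daily summaries as a SIEM might
# export them (user, date, first_login_hour, source_host, failed_logins, mb_out).
# Made-up values, not data from any vendor or real environment.
BASELINE_EVENTS = [
    ("alice", "2016-11-01", 9, "ws-alice", 0, 120),
    ("alice", "2016-11-02", 8, "ws-alice", 1, 110),
    ("alice", "2016-11-03", 9, "ws-alice", 0, 130),
    ("alice", "2016-11-04", 10, "ws-alice", 0, 125),
    ("alice", "2016-11-07", 9, "ws-alice", 0, 115),
    ("bob", "2016-11-01", 14, "ws-bob", 0, 40),
    ("bob", "2016-11-02", 13, "ws-bob", 0, 45),
    ("bob", "2016-11-03", 15, "vpn-gw", 0, 50),
    ("bob", "2016-11-04", 14, "ws-bob", 2, 42),
    ("bob", "2016-11-07", 13, "ws-bob", 0, 48),
]

# Constructed "today" events to score against the learned baselines.
NEW_EVENTS = [
    ("alice", "2016-11-08", 9, "laptop-alice", 0, 118),  # new host, otherwise normal
    ("alice", "2016-11-08", 3, "ext-203", 6, 2400),      # several signals at once
    ("bob", "2016-11-08", 14, "ws-bob", 0, 44),          # nothing unusual
]

# Hypothetical thresholds; a real product tunes these from the data.
ZSCORE_LIMIT = 3.0      # outbound volume must exceed the mean by 3 std devs
HOUR_SLACK = 2          # hours of tolerance around the observed login window
FAILED_LOGIN_LIMIT = 5  # failed logins in a day that count as an indicator
ALERT_INDICATORS = 2    # concurrent indicators needed before escalating


def learn_baselines(events):
    """Learn per-user 'normal' from historical rows: hosts seen, login-hour
    window, and mean/std of outbound volume. Stands in for the learning
    phase a BTA product runs over SIEM/IDS logs."""
    per_user = defaultdict(list)
    for user, _date, hour, host, fails, mb in events:
        per_user[user].append((hour, host, fails, mb))
    baselines = {}
    for user, rows in per_user.items():
        volumes = [mb for _, _, _, mb in rows]
        mean = sum(volumes) / len(volumes)
        var = sum((v - mean) ** 2 for v in volumes) / len(volumes)
        hours = [h for h, _, _, _ in rows]
        baselines[user] = {
            "hosts": {host for _, host, _, _ in rows},
            "hour_min": min(hours),
            "hour_max": max(hours),
            "mb_mean": mean,
            "mb_std": max(math.sqrt(var), 1.0),  # floor avoids divide-by-zero
        }
    return baselines


def score_event(baselines, event):
    """Return the anomaly indicators one event triggers against its user's
    baseline. A user with no baseline at all is itself an indicator."""
    user, _date, hour, host, fails, mb = event
    base = baselines.get(user)
    if base is None:
        return ["unknown_user"]
    indicators = []
    if host not in base["hosts"]:
        indicators.append("new_host")
    if not (base["hour_min"] - HOUR_SLACK <= hour <= base["hour_max"] + HOUR_SLACK):
        indicators.append("off_hours")
    if fails >= FAILED_LOGIN_LIMIT:
        indicators.append("failed_logins")
    z = (mb - base["mb_mean"]) / base["mb_std"]
    if z > ZSCORE_LIMIT:
        indicators.append("volume_spike")
    return indicators


def triage(baselines, events):
    """Second-stage analysis: a lone indicator is treated as 'anomalous but
    harmless' and suppressed; several together are escalated. Returns one
    (user, verdict, indicators) tuple per event."""
    results = []
    for event in events:
        indicators = score_event(baselines, event)
        if not indicators:
            verdict = "normal"
        elif len(indicators) < ALERT_INDICATORS:
            verdict = "suppressed"
        else:
            verdict = "alert"
        results.append((event[0], verdict, indicators))
    return results


if __name__ == "__main__":
    for user, verdict, indicators in triage(learn_baselines(BASELINE_EVENTS), NEW_EVENTS):
        print(f"{user:6} {verdict:10} {', '.join(indicators) or '-'}")
```

Run as-is, the script suppresses Alice's login from an unfamiliar laptop (one indicator, the kind of anomaly that would otherwise become a false positive), escalates her off-hours session with repeated failed logins and a volume spike (four indicators), and reports Bob's day as normal. The point to take from it is structural: the baseline is derived from the logs rather than hand-written rules, and the alert decision rests on corroborating indicators, which is what drives the false-positive reduction the article describes.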

Getting BTA launched

To start deploying a BTA, set up selection criteria, beginning with the existing and planned security architecture. What monitoring and logging tools are core to your environment, and what are the data security tools you'll count on for the next few years? Integration into those systems will be a critical selection criterion for your behavioral threat analytics products. You should also think about what form factor you'd prefer: on premises or cloud-based. Most security professionals are uncomfortable uploading security logs to the cloud, so on premises may be the best way to go.

Then you'll want to set up a proof of concept (POC). Ideally, this will be in a self-contained network with a defined set of users, like a stand-alone department or geographical division. Why? Because you'll be able to get a feel for the BTA tool's capabilities -- and if it works out, the business owner of that division or department will be your top evangelist in advocating for the system in the rest of the company.

Assessing a BTA tool

When you run your POC, look for several factors. First, how long does the BTA tool take to "learn" your environment? Most vendors say the tools begin delivering value in a few days -- the sooner, the better.

Second, what's the rate of false positives? Are you seeing a dramatic drop or just a minor reduction? In other words, is the data security tool creating a behavioral threat assessment that is of value to you?

Finally, how does the data security tool display information? Are there dashboards that can be used by less-technical folks like business stakeholders? Are threats prioritized clearly? Does the system recommend actions and next steps?

Once you've run your POC, you should have a feel for the business benefits such a tool can provide. In addition to reining in the unsustainable growth of security teams, a real-time BTA can enable you to respond to threats in a far timelier fashion -- thereby increasing your security stance -- and impressing the board with your new agility. Depending on the system, you also may have a more effective approach to documenting threats and compliance concerns.

The bottom line? If you want to understand the threats occurring in your environment, where they're happening, who's affected and what you should do about them, it is likely you need a behavioral threat assessment. It's time to consider a real-time behavioral threat analytics product.


This was last published in November 2016
