E-guide: Security Analysis & Analytics Tools Buyer's Guide. Your expert guide to security analysis and analytics tools


Source: cdn.ttgtmedia.com/searchSecurity/downloads/Security... · 2016-07-19


In this e-guide

Introduction to security analytics tools in the enterprise

Three reasons to deploy security analytics software in the enterprise

Six criteria for procuring security analytics software

Comparing the top security analytics tools in the industry

Introduction to security analytics tools in the enterprise

Dan Sullivan

Expert Dan Sullivan explains how security analysis and analytics

tools work, and how they provide enterprises with valuable

information about impending attacks or threats.

Businesses are responding to the growing sophistication and number of

information security threats by deploying tools that extend the capabilities of

their current security infrastructures. For smaller companies, this means

deploying deeper network defenses and endpoint protections. For large and

midsize enterprises, however, it means deploying security analysis tools and

analytics software to collect, filter, integrate and link diverse types of security

event information in order to gain a more comprehensive view of the security of

their infrastructure.

These types of security applications go beyond traditional security information

and event management (SIEM) tools to incorporate additional data and apply

more in-depth analysis. Consequently, they correlate events occurring on

different platforms to detect suspicious patterns of activity that span multiple

devices.


Security analytics tools are not meant to replace existing security controls and

applications, but rather complement them. In fact, security analytics tools

analyze log and event data from applications, endpoint controls and network

defenses.

The need for security analytics tools

The 2013 Data Breach Investigations Report from Verizon found that 84% of

successful attacks on IT infrastructures compromised their targets within hours,

while 74% of attacks were not discovered for weeks -- and sometimes months

or years. One of the reasons it is so challenging to detect attacks is they happen

quickly. In addition, data indicating an attack is often dispersed across network

devices, servers, application logs and endpoints.

This makes it difficult to analyze a breach in progress and even hinders the

ability to assess its impact. Furthermore, according to a Ponemon Institute

report, 55% of survey respondents that experienced a data loss could not

identify for certain what data was stolen. Improving the speed of detection and

analyzing the impact of an attack are key drivers to adopting security analysis

and analytics.


How security analytics tools work

Security analytics tools help organizations implement real-time monitoring of

servers, endpoints and network traffic, consolidate and coordinate diverse event

data from application and network logs, and perform forensic analysis to better

understand attack methods and system vulnerabilities. Taken together, these

functions help security professionals assess how systems were compromised,

which systems were affected and if an attack is still underway.

This is just a subset of the types of analyses used for predictive and prescriptive

analytics. In addition, different vendors are likely to provide a variety of

algorithms supporting each of the different methods.

Security analysis tools do this by providing several broad services to meet the

needs of security professionals. These include continuous monitoring, malware

detection, incident detection and data loss reporting.

If a security breach or threat is detected, security analytics software can help by

collecting network, log and endpoint data. This enables timeline and session

analysis that can shed light on how the breach occurred and what systems were

affected.


Common analysis tool features

A number of features are common to security analytics software. These

systems gather data from server and application logs, endpoint devices,

network packets and NetFlows. In addition, they include advanced analytic

capabilities with regards to the packet and NetFlow analysis, as well as event

correlation.

Expect to see analytic methods based on both rules as well as statistical or

machine learning-derived analysis. A statistics-based method might detect

anomalous behavior, such as higher-than-normal traffic between a server and a

desktop, for example. This could indicate a suspicious data dump. In other

cases, a machine learning-based classifier might detect patterns of traffic that have

previously been seen with a particular piece of malware.
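The statistics-based method described above, as an added example that is not code from the e-guide or any vendor product: each server-to-desktop pair gets a robust baseline (median and median absolute deviation) from its history, and today's volumes are scored against it so that a flow far above its own normal, the "suspicious data dump" pattern, is flagged. Hostnames, byte counts and the alert threshold are constructed for illustration; the MAD scale factor is the standard one that makes MAD comparable to a standard deviation for normally distributed data. Pairs with no history are reported separately rather than silently accepted.

```python
"""Statistics-based anomaly detection over per-pair traffic volumes.

Added example (not from the e-guide). Flags a server-to-desktop flow whose
byte count is far above that pair's historical baseline. Median and MAD are
used so one earlier spike does not inflate the threshold the way a mean and
standard deviation would.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: daily bytes sent from a file server to two desktops.
# Hostnames and volumes are invented for illustration.
HISTORY = [
    ("fileserver01", "desktop-17", 120_000_000),
    ("fileserver01", "desktop-17", 135_000_000),
    ("fileserver01", "desktop-17", 110_000_000),
    ("fileserver01", "desktop-17", 128_000_000),
    ("fileserver01", "desktop-17", 140_000_000),
    ("fileserver01", "desktop-42", 20_000_000),
    ("fileserver01", "desktop-42", 22_000_000),
    ("fileserver01", "desktop-42", 19_000_000),
    ("fileserver01", "desktop-42", 25_000_000),
    ("fileserver01", "desktop-42", 21_000_000),
]

TODAY = [
    ("fileserver01", "desktop-17", 131_000_000),    # an ordinary day
    ("fileserver01", "desktop-42", 2_400_000_000),  # roughly 100x the usual volume
    ("fileserver01", "desktop-99", 50_000_000),     # no history for this pair
]

MAD_SCALE = 1.4826  # scales MAD to a standard-deviation equivalent for normal data


def build_baselines(history):
    """Return {(src, dst): (median, scaled_mad)} for every flow pair in history."""
    by_pair = defaultdict(list)
    for src, dst, nbytes in history:
        by_pair[(src, dst)].append(nbytes)
    baselines = {}
    for pair, values in by_pair.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) * MAD_SCALE
        baselines[pair] = (med, mad)
    return baselines


def robust_z(value, med, mad):
    """Robust z-score; a zero MAD (identical history) makes any deviation unusual."""
    if mad == 0:
        return float("inf") if value != med else 0.0
    return (value - med) / mad


def detect_volume_anomalies(history, observations, threshold=6.0):
    """Return alert dicts for flows far above baseline or with no baseline at all.

    The test is one-sided: only unusually high volume is of interest here, since
    the scenario is data leaving a server.
    """
    baselines = build_baselines(history)
    alerts = []
    for src, dst, nbytes in observations:
        if (src, dst) not in baselines:
            alerts.append({"src": src, "dst": dst, "bytes": nbytes,
                           "reason": "unbaselined"})
            continue
        med, mad = baselines[(src, dst)]
        z = robust_z(nbytes, med, mad)
        if z > threshold:
            alerts.append({"src": src, "dst": dst, "bytes": nbytes,
                           "reason": "high_volume", "robust_z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_volume_anomalies(HISTORY, TODAY):
        print(alert)
```

With the constructed data, desktop-17's 131 MB day scores well under the threshold, desktop-42's 2.4 GB day scores in the thousands, and desktop-99 comes back as unbaselined for analyst review. The threshold of 6 is deliberately conservative; in a real deployment it is tuned per environment against the false-positive rate the team can absorb.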

Security analytics tools also offer a single point of access to event data. The

consolidated view is useful for implementing features -- such as timeline

reconstruction and forensic analysis -- that support workflows for security

analysts. They usually offer tools for compliance reporting, as well. And since

visualization methods are almost always required for any complex analysis,

expect to see those included in any security analytics product worth

considering.


One of the most important aspects of security analytics software is integrating

data from different devices and applications, as a single data source may

provide insufficient information to understand an attack. For example, a security

analyst may need to synchronize network packet data with application log data

and endpoint device data to get a comprehensive picture of the steps used to

execute an attack.

Support for regulatory compliance is another common feature in security

analytics tools, as it is important to be able to demonstrate that proper security

controls are in place, functioning and -- most importantly -- being used to

mitigate the risk of breaches.

Deploying analytics and analysis tools

Security analytics tools are deployed as software, virtual appliances or

hardware appliances.

A dedicated hardware appliance is an appropriate choice for high-traffic

networks. Vendors can tailor the hardware and software configuration to the

demands of security analytics. These include the need to process large volumes

of network traffic -- steadily receiving high volumes of log data -- and to apply

computationally intensive analytic methods to that data.


Software and virtual appliances are options when security analytics tools are

installed and deployed on existing company hardware that is sufficiently

powerful to keep pace with the load. These options are well-suited to

cases where organizations have the available server capacity to host a security

analysis system, and are reasonably confident that they have the computational

power in place to scale the deployment to meet any potential increases in load.

Evaluation and costs

When evaluating security analytics tools, it is important to consider not just their

analytic capabilities, but scalability and availability as well. Companies must

anticipate the need to scale these implementations as traffic increases. Also,

consider the need for high availability. If the security analytics platform is down

for even a short time, informative events in an attack may be missed.

Cost is also a factor. Hard costs will include software licensing, hardware and

training. Security analytics tools collect and preprocess data, but human

judgment is still required to interpret the data.

It would also be prudent to take advantage of training from vendors to get the

most out of a security analysis tool and to learn best practices from more

experienced practitioners. A few crucial tips on how to efficiently filter data or

create an insightful visualization could be well worth the time spent in training.


Be sure to anticipate harder-to-quantify costs, such as learning how to perform

forensic analysis with the new tools and configuring the tools to collect data

from existing security applications.

The need for security analytics tools is growing

Security analytics tools are becoming important as automated security

measures such as antimalware and vulnerability scanning are becoming

increasingly challenged by emerging threats. These applications complement,

they do not replace, existing security controls, however.

The purpose of security analytics is to detect attacks as fast as possible, enable

IT professionals to block or stop an attack and provide detailed information to

reconstruct an attack. They do this by collecting, correlating and analyzing a

wide range of data. These tools also provide analysis environments for forensic

evaluations and attack reconstructions. That way companies can study the

methods used and vulnerabilities exploited to breach their systems and address

weaknesses. Support for regulatory compliance is another common feature.

Stay tuned for the next article in this series, which will examine the most

common deployment scenarios and the types of companies that would benefit

the most (and least) from the technology. It will also outline how IT departments

can make the business case for implementing advanced security analytics to

executive management.


Three reasons to deploy security analytics software in the enterprise

Dan Sullivan

Expert Dan Sullivan outlines three use case scenarios for security

analytics tools and explains how they can benefit the enterprise.

If there were any doubts about the sophistication of today's cyberthreats, the

2014 attacks on Sony Corporation put them to rest. On November 22, 2014,

attackers hacked the Sony network and left some employees with compromised

computers displaying skulls on their screens, along with threats to expose

information stolen from the company. Sony, by all accounts, was the subject of

an advanced persistent threat attack using exploits that would have

compromised the majority of security access controls.

The scope of the attack forced employees to work with pen, paper and fax

machines, while others dealt with the repercussions of the release of

embarrassing emails. The coverage around the Sony breach may rightly leave

many organizations wondering if their networks are sufficiently protected and --

of particular interest here -- whether security analytics software and tools could

help them avoid the fate of Sony.


The short answer is, yes. Just about any business or organization with a

substantial number of devices -- including desktops, mobile devices, servers

and routers -- can benefit from security analytics software.

It is important to collect as much useful data as possible to supply the security

analytics tool with the raw data it needs to detect events and alert

administrators. So before deploying a security analytics tool, it helps to

understand how such a product will fit within an organization's other security

controls and the gaps it will help fill in typical IT security use cases.

Compliance

Compliance is becoming a key driver of security requirements for more

businesses. In addition to government and industry regulations, businesses are

implementing their own security policies and procedures. To ensure these

regulations, policies and procedures are implemented as intended, it is

imperative to verify compliance. This is not a trivial endeavor.

Consider for a moment how many different security controls may be needed to

implement a network security policy that is compliant with various regulations

and security standards. For instance, antimalware systems might scan network

traffic while endpoint antimalware operates on individual devices. Then there

are firewalls, which are deployed with various configurations depending on the

type of traffic allowed on the sub-network or server hosting the firewall. Identity management systems, Active Directory and LDAP servers, meanwhile, log

significant events, such as login failures and changes in authorizations. In

addition to these core security controls, an enterprise may have to collect

application-specific information from other logs. For example, if a salesperson

downloads an unusually large volume of data from the customer relationship

management (CRM) system, the organization would want to know.

When companies have a small number of servers and a relatively simple

network infrastructure, it may be possible to manually review logs. However, as

the number of servers and complexity of the network grows, it is more important

to automate log processing.

System administrators routinely write shell scripts to process files and filter data.

In theory, they should be able to write scripts in awk, Perl, Ruby or some other

scripting language to collect logs, extract data and generate summaries and

alerts. But how much time should system administrators invest in these tasks?

If they write a basic script that works for a specific log, it may not easily

generalize to other uses. If they want a more generalized script, it will likely take

longer to write and thoroughly test. This presents significant opportunity costs

for system administrators who could better spend their time on issues more

closely linked to business operations.

This is not to imply that the functionality provided by these scripts is not

important -- it is very important, especially when it comes to the kind of data required for compliance. The question is how to most efficiently and reliably

collect log data, integrate multiple data sets and derive information that can help

admins make decisions about how to proceed in the face of potentially adverse

events.

Security analysis tools are designed to collect a wide variety of data types, but

there is much more to security analytics than copying log files. Data from

different applications and servers has to be integrated so organizations can

view a unified timeline of events across devices, for example. In addition, these

solutions include reporting tools that are designed to help admins focus on the

most important data without being overwhelmed with less useful detail. So, in a

nutshell, the economic incentive of security analytics vendors is to provide

solutions that generalize and relieve customers of the burden of initial

development and continued maintenance.

Security event detection and remediation

The term "connecting the dots" is often used in security and intelligence

discussions as a metaphor for linking related -- but not obviously connected --

pieces of information. Security expert Bruce Schneier wrote a succinct post on

why this is a poor metaphor: In real life the "dots" and their relation to each

other is apparent only in hindsight; security analytics tools do not have mystical powers that allow them to discern forthcoming attacks or to "connect the dots"

auto-magically.

A better metaphor is "finding needles in a haystack," where needles are

significant security events and haystacks are logs, network packet and other

data about the state of a network. Security analytics tools, at a minimum, should

be able to alert organizations to significant events. These are defined by rules,

such as a trigger that alerts the organization to failed login attempts to

administrator accounts or when an FTP job is run on the database server

outside of normal export schedules.

Single, isolated events often do not tell the whole story. Attacks can entail

multiple steps, from sending phishing lures to downloading malware and

probing the network. Data on these events could show up in multiple logs over

an extended period of time. Consequently, finding correlated events can be very

challenging, but it is something security analytics software can help with. It is

important to emphasize that security analytics researchers have not perfected

methods for detecting correlated events, however. Organizations will almost

certainly get false positives and miss some true positives.

These tools can help reduce the time and effort required to collect, filter and

analyze event data, though. Given the speed at which attacks can occur, any

tool that reduces detection and remediation time should be welcomed.
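An added example, not code from the e-guide or any vendor product, that puts the preceding passages together: events from several sources are normalised into one timeline (the data integration the first article stressed), two single-event rules of the kind just described fire on failed logins to an administrator account and on an FTP export job starting on the database server outside its schedule, and a simple ordered-sequence correlation links the lure, download and probing steps of a multi-step attack on one host. The log format, hostnames, user names, addresses and the export window are all constructed for the example.

```python
"""Rule-based alerts plus multi-step correlation over a unified event timeline.

Added example, not from the e-guide or any vendor product. Log formats,
hostnames, users, addresses and the export window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from several sources (auth, scheduler, mail, proxy, IDS),
# deliberately out of time order to show that the timeline is rebuilt by sorting.
RAW_LOGS = """\
2024-03-04T02:10:05 auth db01 FAILED_LOGIN user=admin src=10.0.5.23
2024-03-04T02:10:09 auth db01 FAILED_LOGIN user=admin src=10.0.5.23
2024-03-04T02:10:14 auth db01 FAILED_LOGIN user=admin src=10.0.5.23
2024-03-04T02:10:20 auth db01 FAILED_LOGIN user=admin src=10.0.5.23
2024-03-04T02:11:02 auth db01 LOGIN_OK user=admin src=10.0.5.23
2024-03-04T02:15:00 sched db01 JOB_START name=ftp_export dest=198.51.100.7
2024-03-04T09:00:00 sched db01 JOB_START name=ftp_export dest=backup.example.internal
2024-03-04T08:40:11 mail ws-0423 ATTACHMENT_OPENED user=jdoe file=invoice.pdf.exe
2024-03-04T08:41:30 proxy ws-0423 DOWNLOAD url=http://203.0.113.9/u.bin verdict=unknown
2024-03-04T08:55:47 ids ws-0423 PORTSCAN targets=10.0.5.0/24
2024-03-04T11:20:00 auth ws-0101 FAILED_LOGIN user=alice src=10.0.7.8
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")  # ts source host type [k=v ...]


def parse_logs(text):
    """Normalise every line into {ts, source, host, type, fields}, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines rather than drop them
        ts, source, host, etype, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "type": etype, "fields": fields})
    return sorted(events, key=lambda e: e["ts"])


ADMIN_ACCOUNTS = {"admin", "root"}
DB_SERVERS = {"db01"}
EXPORT_WINDOW = (8, 18)  # constructed: scheduled exports run 08:00-18:00 local time


def rule_admin_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once when `threshold` failed admin logins hit one host within `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["type"] != "FAILED_LOGIN" or e["fields"].get("user") not in ADMIN_ACCOUNTS:
            continue
        bucket = recent[(e["host"], e["fields"]["user"])]
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > window:  # slide the window forward
            bucket.pop(0)
        if len(bucket) == threshold:  # fire on reaching the threshold, not on every extra failure
            alerts.append({"rule": "admin_bruteforce", "host": e["host"], "ts": e["ts"]})
    return alerts


def rule_offschedule_ftp(events):
    """Alert on an ftp_export job starting on a database server outside the export window."""
    return [{"rule": "offschedule_ftp", "host": e["host"], "ts": e["ts"],
             "dest": e["fields"].get("dest")}
            for e in events
            if e["type"] == "JOB_START" and e["host"] in DB_SERVERS
            and e["fields"].get("name") == "ftp_export"
            and not EXPORT_WINDOW[0] <= e["ts"].hour < EXPORT_WINDOW[1]]


KILL_CHAIN = ["ATTACHMENT_OPENED", "DOWNLOAD", "PORTSCAN"]  # lure -> payload -> probing


def correlate_chain(events, chain=KILL_CHAIN, max_span=timedelta(hours=24)):
    """Return {host: [events]} for hosts where the chain occurs in order within max_span."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    found = {}
    for host, evs in by_host.items():
        matched = []
        for e in evs:
            if e["type"] == chain[len(matched)] and (
                    not matched or e["ts"] - matched[0]["ts"] <= max_span):
                matched.append(e)
                if len(matched) == len(chain):
                    found[host] = matched
                    break
    return found


def run_all(text):
    events = parse_logs(text)
    return {"alerts": rule_admin_bruteforce(events) + rule_offschedule_ftp(events),
            "chains": correlate_chain(events)}


if __name__ == "__main__":
    result = run_all(RAW_LOGS)
    for alert in result["alerts"]:
        print("ALERT", alert)
    for host, chain in result["chains"].items():
        print("CHAIN", host, " -> ".join(e["type"] for e in chain))
```

On the constructed input the brute-force rule fires once for db01 (the third failure, not the fourth), the 02:15 export to an unfamiliar destination is flagged while the 09:00 export is not, and ws-0423 is the only host with the full lure-download-scan sequence. The false negatives the text warns about are visible in the design: a chain with one step missing from the logs, or spread over more than 24 hours, is not reported, which is why correlation output is a lead for an analyst rather than a verdict.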


Forensics

In some ways, computer forensics -- the discipline of collecting evidence in the

aftermath of a crime or other event -- is the art of exploiting hindsight. Even in

cases where attacks are successful and data is stolen or systems

compromised, an enterprise may be able to learn how to block future attacks

through forensics. For example, forensic analysis may reveal vulnerabilities in

an organization’s network or desktop security controls they did not know

existed.

Security analytics tools are useful for forensic analysis because they collect

data from multiple sources and can provide a history of events before an attack

through the post-attack period. For example, an enterprise may be able to

determine how an attacker initially penetrated its systems. Was it a drive-by

download from a compromised website? Did an executive fall for a spear

phishing lure and open a malicious email attachment? Did the attacker use an

injection attack against one of its Web applications?

If an organization is the victim of a cybercrime, security analytics tools can help

mitigate the risk of being a victim to multiple forms of the same type of exploits

in the future.


The need for incident response planning

In addition to the use cases outlined above, it is important to emphasize the

need for incident response planning. Security analytics may help enterprises

identify a breach, but it cannot tell it how to respond -- this is the role of an

incident response plan. Any organization contemplating a security analytics

application should consider how it will use the information the platform provides.

Its security practice should include an incident response plan, which is a

description of how to assess the scope of a breach and what to do in response

to an attack.

A response plan typically includes information on how to:

Make a preliminary assessment of the breach;

Communicate details of the breach to appropriate executives, application owners, data owners, etc.;

Isolate compromised devices to limit damage;

Collect forensic data for evidence and post-response analysis;

Perform recovery operations, such as restoring applications and data from backups; and

Document the incident.

Security analytics tools help detect breaches and collect data, but it is important

to have a response plan in place prior to detecting incidents. Enterprises do not

want to make up their response plan as they are responding to an incident.

There is too much potential for error, miscommunication and loss of evidence to

risk an ad hoc response to a security breach.

Deploying security analytics software

For organizations that decide to proceed with a security analytics deployment,

there are several recommended steps to follow, including: identifying operations

that will benefit from security analytics (e.g. compliance activities);

understanding the specific tasks within these operations, such as Web filtering

and traffic inspection; determining how the security analytics tool will be

deployed given their network architectures; and identifying systems that will

provide raw data to the security analytics tool. These topics will be discussed in

further detail in the next article in this series.


Six criteria for procuring security analytics software

Dan Sullivan

Security analytics software can be beneficial to enterprises. Expert

Dan Sullivan explains how to select the right product to fit your

organization's needs.

Security analytics software analyzes log and event data from applications,

endpoint controls and network defenses to assist organizations in improving

their security posture. These tools help enterprises better understand attack methods

and system vulnerabilities in order to thwart attacks before they happen, as well

as see which systems have been affected if an attack is underway.

Enterprises have a wide range of options available to them when choosing

security analytics software or products, which can make the decision confusing

for organizations. Different products, for example, emphasize different key

characteristics, such as deployment options, range of analysis and cost. The

first step to selecting security analytics tools is to understand your organization's

priorities.

Obviously, cost is a concern to virtually all enterprises. Other considerations will

vary from one organization to another, and may include:


Deploying security analytics software on virtual machines versus dedicated

appliances;

Expected substantial growth in network traffic volumes in the near future;

Possible weaknesses in compliance practices; and

The ability to perform root cause analysis and detailed forensic analysis in

the event of a breach.

As organizations assess their priorities for security analytics software, it can

help to keep in mind several criteria for evaluating it. This article outlines the

following features to assist in evaluating the merits of different products:

Deployment models

Modularity

Scope of analysis (types of threats)

Depth of analysis (network layers)

Forensic support

Monitoring, reporting and visualization

Consider the relative importance of each of these features. For example, if an

organization's security team feels overwhelmed with data, it must pay particular

attention to monitoring, reporting and visualization, as well as scalability. The

chosen system will need to ingest potentially large volumes of data (scalability)

and then distill it down to a form that conveys key information to security

professionals (monitoring, reporting and visualization). However, an

organization that already has adequate coverage for some threats may look to emphasize modularity. This will reduce costs by avoiding redundant capabilities

within a security infrastructure.

Security analytics software deployment

Security analytics tools are deployed as appliances or virtual machines, or are installed as software on a dedicated server.

Appliances combine hardware and software in a single product. This allows system administrators to add a device to the network, perform the necessary configuration and start collecting data. Appliances minimize the system configuration work for customers. Small businesses or IT departments with limited resources may be particularly interested in an appliance. Also, vendors can apply lessons learned and best practices for configuring their systems, enabling more rapid deployments and potentially fewer support calls during installation.

A virtual machine implementation allows customers to utilize existing capacity in a virtualized environment. This may be a good option for small and midsize businesses or remote offices. As the volume of data grows, system administrators can dedicate additional CPU and RAM resources to accommodate the added load. A virtual machine implementation will entail more administrative overhead than an appliance, but weigh that against the benefits of using existing hardware.

The installed software option gives system administrators the most flexibility with regard to deploying a security analytics tool. Applications can be installed on dedicated servers or in virtual machine environments. Additionally, containers might be used to standardize a configuration that is deployed to multiple remote offices. Containers can provide some of the advantages of a virtualized environment without the need for a hypervisor, potentially reducing system management overhead.

Modularity

Security analytics software may encompass a wide range of services, from analyzing low-level network traffic to higher-level application protocols. Some enterprises, however, already have analytics tools tailored to particular applications, such as email, and therefore don't need additional email capabilities in a security analytics tool. Large security platforms often offer modular security options for specific areas, such as Web-, email- and file-based threats. The ability to choose only the functionality an organization needs can help control costs, another key evaluation criterion.

Scope of analysis (types of threats)

Threats are constantly evolving. Malware that pushed the envelope of malicious capabilities several years ago is now commonplace and probably readily accessible to a wide range of cybercriminals. Security analytics software requires the ability to analyze multiple types of malicious activity, as well as patterns of combined activities.

Malicious activities range from something as simple as probing for open ports on a firewall to sending subtle spear phishing lures to executives. Advanced persistent threats (APTs) employ multiple techniques to gain access to data, applications and network resources. An APT may start with a user unknowingly downloading remote control software from a compromised website. The attacker then moves on to explore the network, infect other vulnerable machines and collect intelligence about users and applications.

Buyers should consider the types of data analyzed by security analytics tools. Can the tool detect anomalous network traffic from a client device that is probing other devices and collecting network topology information? Can it correlate related events, such as a visit to a potentially compromised website followed by unusual patterns of network communication from the same device? Does the security analytics software have capabilities to analyze application logs, server logs and alerts generated by other security devices?
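The two detection questions just posed, as an added example that is not code from the guide or from any vendor's product: it runs a fan-out check over constructed flow records to find a host probing its neighbours, drops an expected scanner so it does not become noise, and then raises the severity when the same host visited a flagged site shortly beforehand. The record layouts, the thresholds, the flagged domain and all sample data are assumptions made for illustration.

```python
"""Correlating flow records with proxy logs to spot internal probing.

Added example, not from the guide or any vendor product. Record layouts,
thresholds and sample data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _flow(ts, src, dst, port=445):
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": port}


# Constructed flow records (assumed layout: timestamp, source, destination, port).
FLOWS = (
    # 10.1.1.20 touches ten internal peers on TCP/445 within half a minute: fan-out probing.
    [_flow(f"2016-03-01T09:00:{s:02d}", "10.1.1.20", f"10.1.1.{5 + i}")
     for i, s in enumerate(range(5, 35, 3))]
    # 10.1.1.30 talks to the file server and the mail relay: ordinary traffic.
    + [_flow("2016-03-01T09:01:00", "10.1.1.30", "10.1.1.5"),
       _flow("2016-03-01T09:02:00", "10.1.1.30", "10.1.1.9", port=25)]
    # 10.1.1.250 is the scheduled vulnerability scanner: looks like probing but is expected.
    + [_flow(f"2016-03-01T09:10:{s:02d}", "10.1.1.250", f"10.1.1.{5 + i}", port=22)
       for i, s in enumerate(range(0, 36, 3))]
)

# Constructed proxy log entries and a constructed list of flagged domains.
PROXY = [
    {"ts": datetime.fromisoformat("2016-03-01T08:58:40"), "src": "10.1.1.20",
     "host": "updates.example-bad.test", "status": 200},
    {"ts": datetime.fromisoformat("2016-03-01T08:59:01"), "src": "10.1.1.30",
     "host": "intranet.example.test", "status": 200},
]
FLAGGED_DOMAINS = {"updates.example-bad.test"}


def detect_probing(flows, window=timedelta(minutes=5), min_peers=8, ignore_sources=frozenset()):
    """Return sources that contact at least min_peers distinct hosts inside one window.

    ignore_sources is the noise filter: hosts whose scanning is expected
    (vulnerability scanners, monitoring probes) are dropped before analysis.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["src"] not in ignore_sources:
            by_src[f["src"]].append(f)
    findings = []
    for src in sorted(by_src):
        recs = sorted(by_src[src], key=lambda f: f["ts"])
        for i, start in enumerate(recs):
            peers = {f["dst"] for f in recs[i:] if f["ts"] - start["ts"] <= window}
            if len(peers) >= min_peers:
                findings.append({"src": src, "start": start["ts"], "peers": sorted(peers)})
                break  # one finding per source is enough to raise an alert
    return findings


def correlate_with_proxy(findings, proxy, flagged_domains, lookback=timedelta(minutes=30)):
    """Raise severity when the probing host visited a flagged site shortly beforehand."""
    alerts = []
    for fnd in findings:
        related = [p for p in proxy
                   if p["src"] == fnd["src"] and p["host"] in flagged_domains
                   and timedelta(0) <= fnd["start"] - p["ts"] <= lookback]
        alerts.append({
            "src": fnd["src"],
            "peers_probed": len(fnd["peers"]),
            "related_domain": related[0]["host"] if related else None,
            "severity": "high" if related else "medium",
        })
    return alerts


if __name__ == "__main__":
    probes = detect_probing(FLOWS, ignore_sources={"10.1.1.250"})
    for alert in correlate_with_proxy(probes, PROXY, FLAGGED_DOMAINS):
        print(alert)
```

Run as a script it prints a single high-severity alert for 10.1.1.20. Without the ignore list the vulnerability scanner surfaces as a second, medium-severity finding, which is exactly the kind of inconsequential event the monitoring layer should suppress rather than hand to an analyst.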

Also consider the need for timely security data. Some vendors maintain global intelligence networks that constantly collect and analyze data about malicious activities. These can act as early warning tools and help identify emerging threats.

Threat analysis is challenging, and there will likely be false positives. Organizations with limited security analytics capabilities should carefully evaluate the scope of analytics they can effectively use.

A closely related topic to scope of analysis is depth of analysis.

Depth of analysis (network layers)

The Open Systems Interconnection (OSI) model describes seven network layers, from the low-level physical and data link layers to the upper presentation and application layers. Security analytics tools that can collect and analyze data from the data link layer up to the application layer have substantial depth of analysis.

Application-level analysis is particularly important for detecting malicious activity that escapes detection at lower levels. For example, an injection attack from an unknown IP address might be blocked by servers that accept incoming connections only from known devices. If, however, the injection attack originates from a trusted but compromised device, those lower-layer, network-based controls will not block it, because they examine only the source of the connection and not its content.

A security analytics tool that analyzes application-layer protocols may be able to identify suspicious activity or malformed communications between servers and trusted devices.
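To make the layering concrete, an added example (not from the guide or any product) that applies the address-based control first and then parses the HTTP request line and query string, flagging injection-like parameter values and malformed requests. The trusted range, the request samples and the regular expressions are constructed for illustration; a real analytics tool would use far richer protocol parsing than three patterns.

```python
"""Network-layer allowlisting beside application-layer inspection.

Added example, not from the guide or any product. The trusted network,
the request samples and the injection heuristics are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed network-layer control: servers accept connections only from this range.
TRUSTED_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# Assumed application-layer checks on HTTP request lines and query parameters.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/1\.[01]$")
INJECTION_PATTERNS = [
    re.compile(r"\b(or|and)\b\s+'?\w+'?\s*=\s*'?\w+", re.I),        # tautologies: OR 1=1, OR '1'='1
    re.compile(r"\bunion\b.+\bselect\b", re.I),                      # UNION ... SELECT
    re.compile(r"--|/\*|;\s*(drop|delete|insert|update)\b", re.I),  # comment tricks, stacked queries
]

# Constructed sample requests: (source address, raw request line).
REQUESTS = [
    ("10.1.1.30", "GET /orders?id=1042 HTTP/1.1"),                           # trusted, benign
    ("203.0.113.9", "GET /orders?id=1042%20OR%201%3D1 HTTP/1.1"),            # untrusted, stopped at L3/L4
    ("10.1.1.20", "GET /orders?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1"),  # trusted but compromised
    ("10.1.1.20", "GET /orders?id=1042"),                                    # malformed request line
]


def network_layer_allows(src_ip):
    """The lower-layer control: only the source address is examined."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def application_layer_findings(request_line):
    """Parse the request and report protocol or payload anomalies."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ["malformed request line"]
    findings = []
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl percent-decodes values
        if any(p.search(value) for p in INJECTION_PATTERNS):
            findings.append(f"possible SQL injection in parameter '{name}'")
    return findings


def inspect_request(src_ip, request_line):
    """Apply the network-layer control first, then the application-layer analysis."""
    if not network_layer_allows(src_ip):
        return {"src": src_ip, "network": "block", "findings": [], "verdict": "blocked at network layer"}
    findings = application_layer_findings(request_line)
    return {"src": src_ip, "network": "allow", "findings": findings,
            "verdict": "alert" if findings else "pass"}


if __name__ == "__main__":
    for src, line in REQUESTS:
        print(inspect_request(src, line))
```

The second and third requests carry the same tautology; the address check stops one and waves the other through, and only the application-layer pass catches the one from the trusted host.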


Forensic support

While the goal of security analytics is to prevent breaches, there will be times when enterprise infrastructure is compromised. At that point, it is important to execute an incident response plan, which will require forensic support.

This includes capabilities such as identifying the devices involved in a compromise, replaying network traffic to determine how devices and security measures were compromised, and correlating data from multiple sources across the time span of the attack.

Many of the tools and reporting techniques used in forensic analysis are also useful for ongoing monitoring.

Monitoring, reporting and visualization

A key reason to deploy a security analytics software platform is to have a single point of access to security data from across the enterprise. Simply collecting data is not enough: data must be integrated and correlated, events must be identified and assessed, suspicious events must be reported and monitoring tools should filter out inconsequential events.

Analysts need summarized data to understand network and device activity at a high level, but they also require detailed data about suspicious events. These needs are met by the monitoring, reporting and visualization tools of a security analytics platform.

Security analytics software: What to consider

Consider the six key factors when assessing security analytics products: deployment models, modularity, scope of analysis, depth of analysis, forensic support, and monitoring, reporting and visualization.

Companies looking for basic security analytics with minimal overhead should consider appliances and evaluate options based on the quality of reporting and an appropriate scope of analysis. In cases where the ability to learn from breaches is a top concern, carefully consider forensic features. If the security analytics system will be an integral part of day-to-day management, be sure to assess reporting and visualization capabilities.

Some features will likely provide more benefit than others, and it is important to understand the relative importance of each of these features to your organization, especially when cost considerations are taken into account.

In our next feature, we will apply the lessons learned and evaluation criteria outlined in this article to the products, tools and solutions available from the top security analytics vendors on the market today.


Comparing the top security analytics tools in the industry

Dan Sullivan

Expert Dan Sullivan examines the top security analytics products to help readers determine which may be best for their organization.

Security analytics tools gather, filter, integrate and link diverse kinds of security event data in order to gain a more comprehensive view of the security of an organization's infrastructure. Just about any organization with an extensive number of devices, from desktops to mobile devices to servers and routers, can benefit from security analytics.

The security analytics market is changing rapidly, however. Vendors are merging, developers are adding new capabilities, and tools once deployed exclusively on-premises are now offered as cloud services as well. In spite of all these rapid changes, businesses still face fairly constant requirements, such as the ability to analyze logs, correlate events and generate alerts. This fourth and final feature in our series on procuring and buying security analytics tools considers the major offerings on the market and offers advice on choosing an appropriate product for your needs.


There is no single taxonomy of security analytics use cases that best organizes all requirements, but common requirement patterns include:

Basic security analytics with minimal overhead

Large enterprise use cases

Focus on advanced persistent threats

Focus on forensics

An ensemble of security tools and services

These categories emphasize varying needs for key security analytics features, such as deployment models, modularity, scope and depth of analysis, forensics, and monitoring, reporting and visualization. Several products are discussed, including Blue Coat Security Analytics Platform, Lancope Stealth Watch System, Juniper Networks JSA Series Secure Analytics, EMC RSA Security Analytics NetWitness, FireEye Threat Analytics Platform, Arbor Networks Security Analytics, Click Security Click Commander and Sumo Logic's cloud service.


Basic security analytics with minimal overhead

Small and midsize organizations are often tempting targets for attackers. They may not have as much valuable data as larger enterprises, but they often present fewer obstacles to a successful attack. Companies that are subject to industry regulation, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), must have security controls in place to protect personally identifiable information and, in the case of HIPAA, protected health information. Security analytics tools can help mitigate the risk of data breaches and other attacks, but they should meet several criteria to fit the constraints of small and midsize businesses.

Deployment models should minimize administrative overhead, for example. Appliances and cloud services typically meet this criterion, but virtual machine deployments may also offer low-overhead implementations.

Sumo Logic's cloud service is a good example of a service targeted to small and midsize organizations. The log analytics service offers a single management dashboard for monitoring applications, servers and network resources. Since it is a cloud service, there is no hardware or software to install and maintain. The service includes predefined reports, so it is well-suited to businesses that need to generate compliance reports, especially for PCI DSS, HIPAA, the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), ISO and COBIT. Meanwhile, machine learning algorithms are used for event detection, eliminating the need for hand-crafted rules. And multidimensional key performance indicators (KPIs) are tracked in the management dashboard.

Like other cloud services, Sumo Logic pricing is based on the number of users and the volume of data analyzed.

Small and midsize companies that prefer to run their security analytics software on-premises should consider Blue Coat Security Analytics Platform. It is available as a virtual machine or a pre-configured appliance. Blue Coat's platform has a modular structure that allows customers to select the components they need, which are delivered as modules known as blades.

Large enterprise use cases

At the other end of the organization-size spectrum are large enterprises that have to consider the scalability, depth and scope of analysis, forensics and monitoring of a security analytics platform. Low management overhead would no doubt be appreciated, but that is a secondary consideration. Comprehensive, high-performance analytics is the priority.

Juniper Networks JSA Series Secure Analytics is available in several models that scale to global enterprise levels of demand. The JSA 5800 appliance, for example, is designed for midsize and larger enterprises, while the JSA 7500 is suited for global enterprises. Smaller enterprises that expect substantial growth can start with the JSA 3800 or the JSA Virtual Appliance and grow into the larger appliances in the future. If an organization opts for the virtual appliance, it will need a server running VMware ESX 5.0 or 5.1 with 4 CPUs and 12 GB of RAM.

The EMC RSA Security Analytics NetWitness platform comprises two sets of modules: one providing infrastructure support and the other providing analytics services. Modules are deployed in varying configurations to meet different traffic-level and analysis requirements.

The RSA Security Analytics Decoder is one of the infrastructure components. The decoder is a network appliance designed to collect packet and log data in real time, and it includes support for a wide range of log types. Multiple decoders can be deployed across a network to ensure scalability and availability. The RSA Security Analytics Concentrator is another infrastructure component; it aggregates data from decoders. Security analysts and administrators use the RSA Security Analytics Broker/Analytic Server to query data collected by decoders and aggregated by concentrators.

The RSA Security Analytics distributed platform is well-suited for large networks. Infrastructure components may be added as network traffic or log volumes grow. Like other distributed systems, however, it can be more complicated to manage and configure. Organizations should therefore plan to invest in sufficient system administration support to monitor and maintain the security analytics platform.

The analytics components of the RSA platform provide real-time analysis of network, log and endpoint data to detect events. An archiver is also available to store and report on security data collected over time.

Focus on advanced persistent threats

Organization size is just one dimension for categorizing security analytics use cases. Sometimes it is more appropriate to consider the most important features an organization expects to use. For example, if a business already has good endpoint protections and data collection capabilities, it might want to focus on detecting advanced persistent threats. Security analytics with an emphasis on scope and depth of analysis and support for forensics are well-suited for this use case.

Arbor Pravail Security Analytics employs multiple techniques to detect advanced threats in real time. This security analytics platform uses full-packet capture to collect large volumes of raw data that help identify the presence of multiple attack vectors in use against your organization. Network traffic data is stored and re-analyzed as new data comes in. For example, if a new type of threat is detected by the vendor's intelligence surveillance, new detection techniques can be developed and deployed. These techniques can then analyze old data to determine whether an attack is already underway.

Some attackers will compromise a network and then cease activity for weeks. This period of "going dark" may work in the attacker's favor, because minimal malicious activity is harder to detect than ongoing attacks that generate recognizable patterns. By keeping historical traffic data and scanning it for signs of earlier attacks, organizations can mitigate some of the advantages attackers gain by going dark for periods of time.
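Retrospective analysis of the kind just described, as an added example rather than code from the guide or from Arbor: it keeps a constructed month of DNS answers and outbound connections, matches a newly received indicator against all of them, and reports for each affected host how long the contact went unnoticed and whether the host went dark between contacts. The record layout, the indicator, its receipt time and the 14-day dormancy threshold are assumptions.

```python
"""Re-analysing stored history when a new indicator arrives.

Added example, not from the guide or from any vendor product. The record
layout, the retention window, the indicator and the dormancy threshold are
assumptions; all sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, src, kind, value):
    return {"ts": datetime.fromisoformat(ts), "src": src, "kind": kind, "value": value}


# Constructed history: a month of DNS answers and outbound connections kept for re-analysis.
HISTORY = (
    # 10.1.1.20 resolves and contacts a host on day 1, then goes dark for weeks.
    [_rec("2016-02-01T02:14:00", "10.1.1.20", "dns", "cdn-sync.example-bad.test"),
     _rec("2016-02-01T02:14:02", "10.1.1.20", "conn", "198.51.100.7"),
     _rec("2016-02-25T03:01:00", "10.1.1.20", "conn", "198.51.100.7")]
    # 10.1.1.30 talks to the intranet server every day: ordinary traffic.
    + [_rec(f"2016-02-{d:02d}T10:00:00", "10.1.1.30", "conn", "10.1.1.5") for d in range(1, 30)]
    + [_rec("2016-02-10T10:00:01", "10.1.1.30", "dns", "intranet.example.test")]
)

# Constructed indicator delivered by a threat feed on 1 March, weeks after the first contact.
NEW_INDICATORS = {"cdn-sync.example-bad.test", "198.51.100.7"}
INDICATOR_RECEIVED = datetime.fromisoformat("2016-03-01T09:00:00")


def rescan_history(history, indicators, received_at, dormancy=timedelta(days=14)):
    """Match new indicators against stored records and summarise each affected host.

    The longest gap between matching records shows whether the host went quiet
    after initial contact, which a live-only detector would never see.
    """
    hits = defaultdict(list)
    for rec in history:
        if rec["value"] in indicators:
            hits[rec["src"]].append(rec["ts"])
    summary = {}
    for src, stamps in hits.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        longest_gap = max(gaps) if gaps else timedelta(0)
        summary[src] = {
            "hits": len(stamps),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "longest_gap": longest_gap,
            "dormant": longest_gap >= dormancy,
            "undetected_for": received_at - stamps[0],  # how long the compromise went unknown
        }
    return summary


if __name__ == "__main__":
    for src, info in rescan_history(HISTORY, NEW_INDICATORS, INDICATOR_RECEIVED).items():
        print(src, info)
```

The point of the example is the retention, not the matching: without the stored records, the feed entry that arrives on 1 March would only ever catch the next contact, and a host that has already gone dark produces none.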

In addition to analyzing historical data, analyzing the flow of traffic is also a key method for discovering advanced persistent threats. Lancope Stealth Watch System uses flow records about network events to detect the stages of advanced attacks. The Lancope system includes a data aggregator that consolidates disparate data into a single, analyzable source of network and device event data. A console provides up-to-date data and alerts on significant events in the course of an advanced attack.

Click Security's Click Commander is well-suited for analyzing the behaviors of malicious attackers, profiling activities at different stages of the kill chain, and issuing alerts and other custom notifications. This tool includes visualization tools to create graphs of activities while providing actor profiles and contextual data for analyzing the events depicted in the graphs.


Focus on forensics

There is some overlap between use cases that focus on advanced persistent threats and those that focus on forensics. Both the Arbor Pravail Security Analytics and the Lancope Stealth Watch System are well-suited to forensic-oriented use cases. In addition, other systems that collect and integrate data and provide comprehensive query and analysis capabilities can meet the need for forensic support.

The Blue Coat Security Analytics Platform, for example, is well-integrated with security tools such as firewalls, data loss prevention, intrusion detection systems/intrusion prevention systems and malware scanners. It is also integrated with data-generating or data-delivering devices and tools, such as those from Dell, HP, McAfee, Palo Alto Networks and Splunk.

Ensemble of security tools and services

For those organizations that need to mix and match existing security controls with a new security analytics platform, the best product may be one that lets them deploy a system that plugs functional gaps in their security infrastructure. In this case, vendors that offer modularized features may be a good fit.

The Blue Coat Security Analytics Platform, for example, allows customers to integrate different modules, or blades, as needed. The platform's variety of deployment models, including both appliances and virtual machines, enables customers to deploy a security analytics tool with the functionality and level of scalability that is called for.

If security analytics reporting is a top priority, consider Sumo Logic if its predefined compliance reports fit your needs. EMC RSA Security Analytics NetWitness should be considered by organizations that need long-term archiving of their security data.

Conclusions

Security analytics tools address common problems: how to use available data about events on a company's infrastructure to identify threats and attacks, analyze the methods of attack, and alert systems administrators and application owners when malicious activity is in progress. Organizations of any size are potential targets.

Small businesses might think they are immune to sophisticated hackers, but they aren't. They may have highly valued customers, such as Global 2000 companies, large government agencies or others that are the ultimate target of an attacker. Security analytics is not the first line of defense for large or small organizations, but it is an increasingly important one.


IT professionals responsible for recommending, evaluating and purchasing a security analytics platform should carefully assess their needs with respect to existing security controls and applications. If an organization already has tools deployed to meet some security analytics requirements, it might not want to spend more for duplicate functionality. On the other hand, if there is any area of IT where redundant functionality is welcome, it is security.

Security analytics tools offer a variety of capabilities. Some, like Sumo Logic's cloud-based service, are designed for small and midsize companies that want broad security coverage with minimal overhead.

Larger enterprises will need to limit their consideration to systems that scale to high volumes of traffic and can collect data from national or global networks. Offerings from Juniper Networks and EMC RSA fall into this category.

In cases where advanced persistent threat detection and forensics are top priorities, consider tools that offer real-time analysis of network flows together with retrospective analysis of stored traffic. Some vendors offer modular components in their security analytics platforms, and these may be especially useful for filling gaps in otherwise broad security coverage.

About the author

Dan Sullivan, M.Sc., is an author, systems architect, and consultant with over 20 years of IT experience with engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail, gas and oil production, power generation, life sciences, and education. Dan is a series editor and author with Realtime Publishers, a leading provider of expert, third-party content for the IT industry. Dan has written extensively about topics ranging from data warehousing, cloud computing and advanced analytics to security management, collaboration, and text mining. He has written sixteen books as well as numerous articles and custom white papers.