Threat Detection
Indications of security threats can easily get lost in the “haystack” of log files and other sources. Security Analytics helps you to find the “needle” in the form of relevant information – and detects correlations which are not seen in manual analysis.
Text: Andreas Heer, Images: iStock by Getty Images
Analysing IT security incidents resembles the proverbial search for a needle in a haystack. Except that in this case, the needle is not in a haystack but in a stack of needles. For example, the log files of network devices – routers, firewalls, computers, proxies and the like – have innumerable entries. Which of them are really relevant to security?
Let’s make the task even harder: you are now no longer searching for a needle in a haystack, but for two identical knitting needles in numerous stacks of needles. A futile endeavour. But this is precisely what is necessary when analysing log files and various other sources: it is only by correlating incidents from various relevant sources that you can obtain a picture of the actual security threat.
Fortunately, you have some help with your search: namely, a Big Data platform as a basis, and an application called Security Analytics which compiles all the relevant information and detects correlations between individual incidents across the entire data volume. Voilà, there are the two knitting needles we were looking for! And even if you don’t know exactly what you are looking for, anomalies are also detected which may indicate cyber attacks.
This is how Security Analytics helps to detect threats early on and to distinguish real dangers from false alarms. The resulting security alert can be used to initiate further analyses and to respond appropriately to the threat. The analysis and the corresponding response are typically carried out by a security analyst.
For example: an employee reports a phishing e-mail in his or her inbox. The specialists then look at the Security Analytics dashboard to see which other employees have also received this e-mail. The subject entry in the e-mail server’s log file provides this information.
This alone would not be a reason to give this incident priority. However, two employees have unfortunately clicked on the link in the e-mail. The security specialists detected this by searching the proxy log files in the Security Analytics platform for the known domain used in the phishing e-mail. The stored client IP addresses, matched against the lease records on the DHCP server, made it easy to find the two computers and therefore to identify the employees. Thanks to the central data storage on the Big Data platform and the Security Analytics tools, the specialists were able to respond to the incident very quickly and initiate further measures.
Threat detection as in the example above is just one application scenario for Security Analytics. It can be used on different levels. From a technical perspective, Security Analytics supports the detection of cyber attacks and data leakage. Possible threat detection use cases include the detection of attacks on endpoint devices and of suspicious activities when accessing the internet, but also threat detection in cloud applications.
In addition, the analysis of different sources can detect company-specific threat scenarios such as this one: Employee S. enters the headquarters in Bern with his badge at 7:53 am. 19 minutes later, the remote desktop environment registers an access by this same employee from the Far East. This triggers an alert from the Security Analytics platform, because it is only the correlation of two pieces of information from the access system and the log files – neither of which is suspicious in itself – that points to a possible threat.
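The badge/remote-desktop correlation described above, written out as an added example that is not part of the article or of any Security Analytics product; the event fields, the two-hour window and the country codes are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): badge readings from the
# physical access system and logons recorded by the remote desktop environment,
# as they might be stored side by side on a central log platform.
BADGE_EVENTS = [
    {"ts": "2024-03-04T07:53:00", "user": "s.employee", "site": "Bern HQ"},
    {"ts": "2024-03-04T08:10:00", "user": "m.other", "site": "Bern HQ"},
]
REMOTE_DESKTOP_EVENTS = [
    {"ts": "2024-03-04T08:12:00", "user": "s.employee", "src_country": "SG"},
    {"ts": "2024-03-04T08:15:00", "user": "m.other", "src_country": "CH"},
    {"ts": "2024-03-04T13:00:00", "user": "s.employee", "src_country": "SG"},
]


def correlate_badge_and_remote(badge_events, remote_events,
                               window=timedelta(hours=2),
                               local_countries=("CH",)):
    """Alert when a user badges into a site and, within `window`, logs on
    remotely from a country other than the site's own (assumed list).

    Neither event is suspicious on its own; only their combination within a
    time span too short for real travel points to a possible compromise
    (e.g. stolen credentials or a shared account).
    """
    badges_by_user = {}
    for badge in badge_events:
        badges_by_user.setdefault(badge["user"], []).append(badge)

    alerts = []
    for logon in remote_events:
        if logon["src_country"] in local_countries:
            continue  # a remote logon from the home country is not anomalous here
        logon_ts = datetime.fromisoformat(logon["ts"])
        for badge in badges_by_user.get(logon["user"], []):
            delta = logon_ts - datetime.fromisoformat(badge["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": logon["user"],
                    "site": badge["site"],
                    "src_country": logon["src_country"],
                    "minutes_between": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_badge_and_remote(BADGE_EVENTS, REMOTE_DESKTOP_EVENTS):
        print(alert)
```

The 13:00 logon by the same user is deliberately outside the window and produces no alert, which keeps the rule focused on the implausibly short interval rather than on foreign logons in general.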
This makes Security Analytics an efficient tool for detecting and analysing known and unknown threats and for initiating appropriate steps – so that companies don’t have to hastily cobble together their IT security processes.