In order to improve their network security, how can companies with fewer resources take advantage of security analytics?
Today's organizations are under constant pressure to do more with less. Nowhere is this more apparent than in the area of information security. Industry experts recommend reducing the time from detecting a high-severity intrusion to containing or remediating it to one hour or less -- a lofty goal even for experienced and well-funded teams.
At the same time, smaller and cost-conscious organizations rarely have the luxury of dedicated information security teams, and even those that can afford one face difficulty finding skilled security professionals to fill the roles. The challenges for small security teams don't stop there. The modern threat landscape includes advanced attacks that easily bypass traditional security controls like antivirus software, Layer-4 firewalls and Secure Sockets Layer.
There are certainly many tools and techniques that security teams can bring to bear to reduce the risk of damage due to network security incidents. For example, one resource is the Critical Security Controls for Effective Cyber Defense. Yet, while an inspired application of network security basics is necessary, it may not be sufficient to reduce risk to acceptable levels in many organizations.
Looking forward, security professionals will require tools that can give them immediate insight into the activity on their networks. Simple tabulation of events and static numeric thresholds will not be enough to both detect attacks and keep false positive rates at acceptable levels.
Instead, more advanced analytics that establish a baseline of activity and provide alerts on true outliers are required. This capability, often referred to as security analytics, will be the key that enables organizations to detect and respond to advanced attacks. In smaller organizations, security analytics will play a crucial role as a force multiplier to address resource constraints.
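The contrast drawn above, static numeric thresholds versus a learned baseline that alerts only on true outliers, as an added example that is not part of the original article. The hourly failed-login counts, host names and the median/MAD rule are constructed for illustration; a noisy batch server is compared against a normally quiet jump host that spikes in hour 22.

```python
"""Baseline-vs-static-threshold alerting on hourly event counts (added example)."""
from statistics import median

# Constructed hourly failed-login counts per host over 24 hours (not real data).
# 'batch-srv' is legitimately noisy (scripted retries); 'jump-host' is
# normally quiet and then spikes at index 22.
SAMPLE_COUNTS = {
    "batch-srv": [40, 45, 38, 50, 42, 47, 44, 39, 48, 41, 46, 43,
                  45, 40, 49, 44, 42, 47, 41, 45, 43, 46, 48, 44],
    "jump-host": [0, 1, 0, 0, 2, 1, 0, 0, 1, 0, 0, 1,
                  0, 0, 1, 2, 0, 0, 1, 0, 0, 0, 35, 1],
}


def static_threshold_alerts(counts, threshold=30):
    """Fixed rule: alert on every hour whose count exceeds one global number."""
    return [i for i, c in enumerate(counts) if c > threshold]


def baseline_alerts(counts, train_hours=12, k=5.0):
    """Learn a per-host baseline from the first train_hours, flag later outliers.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so a single burst inside the training window does not
    inflate the baseline. A floor of 1 on the scale keeps near-constant hosts
    from alerting on trivial jitter (a count of 2 on a host whose MAD is 0).
    """
    train = counts[:train_hours]
    med = median(train)
    mad = median(abs(c - med) for c in train)
    scale = max(mad, 1.0)
    return [i for i in range(train_hours, len(counts))
            if abs(counts[i] - med) / scale > k]


def compare(sample=SAMPLE_COUNTS):
    """Return {host: (static_alert_hours, baseline_alert_hours)} for inspection."""
    return {host: (static_threshold_alerts(c), baseline_alerts(c))
            for host, c in sample.items()}


if __name__ == "__main__":
    for host, (static_hits, baseline_hits) in compare().items():
        print(f"{host}: static threshold fired {len(static_hits)}x, "
              f"baseline fired on hours {baseline_hits}")
```

The static rule fires on all 24 hours for the batch server and still needs a human to notice the jump host, whereas the baseline rule stays silent on the batch server and raises exactly one alert, at hour 22.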
As security analytics becomes mainstream, it follows that mobile platforms such as smartphones and tablets will become the delivery mechanism for security alerts and reports. While receiving security alerts on smartphones is nothing new, security analytics capabilities will likely expand to allow security professionals to explore data and perform more advanced analytics directly on the device. Obviously, the security of such a system will be paramount, requiring device and connection encryption, strong authentication and authorization, and remote-wipe capabilities. These requirements are not easy to address, but the benefits of mobile security analytics will likely outweigh the costs of implementation.
While mobile security analytics capabilities are not widely available today, promising commercial products from vendors such as Splunk Inc. and its Everywhere app are beginning to appear. Open source software such as the Elasticsearch ELK Stack is another emerging option.
About the author:
Dave Herrald is a solutions architect specializing in information security at Denver-based Global Technology Resources Inc.