Page 28 - FCW, May 2017

DrillDown: Orchestrating security technology
To tackle advanced threats in an ever more complex cyber world, agencies must integrate all their security tools, data and processes
BY DAVE McCLURE
The plethora of security analytics tools available to federal agencies has improved cyber incident and vulnerability prevention, detection, response and recovery. However, significant challenges remain as the types of attacks and attack vectors multiply. Indeed, agencies are finding they often need to integrate, or "orchestrate," existing analytical tools, processes and data into repeatable, automated workflows to fully support solid security operations.
Concurrently, architectural challenges abound as cloud services, mobile technology and internet of things devices rapidly generate increasing amounts of data, new system endpoints and network traffic flows. Newer cyber analytics that use machine learning are of primary interest because rule-based or signature-based prevention tools struggle to detect or stop advanced cybersecurity threats.
Here are some key observations and lessons learned to date in the cyber analytics area:
1. Security analytics require orchestration. There is a wide range of commercial products and open-source tools that agencies can use to perform analytics, but agencies should not fool themselves. The full value of enterprise security analytics cannot be gained simply by installing hardware or network appliances.
Federal agencies are building systems that ingest terabytes of security data, but their analysts can only read triaged data at a few events per minute. Even with fantastic visualization tools, analysts will only be able to mentally process tens of events per minute.
Tools can help pare down the dataset to a smaller size, but analysts also must know what questions to ask for common use cases (e.g., cyberthreats, insider threats, data exfiltration, and user account access abuse or misuse). As the saying goes, "A fool with a tool is still a fool."
Moreover, agencies often have several security tools that are deployed in independent silos, and many of them invoke duplicative capabilities from different vendors, sometimes on the same system. Security analytics will need to connect those silos and automate processes and investigations across those tools until they evolve to the point where they function as a "force multiplier" for better threat detection.
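The following is an added illustration, not code from the FCW column or from any vendor product, of what "paring down" across silos looks like in practice: events from two separately formatted tool logs (an authentication log and a network-transfer log) are run through the questions behind two of the use cases named above (account misuse and data exfiltration), and only the handful of correlated, ranked alerts reach the analyst. The event schemas, thresholds, working-hours policy and sample records are all assumptions constructed for the example.

```python
"""Correlate events from two siloed security tools into a short, ranked alert list.

Added illustration (not code from the FCW column or any vendor product).  The
event schemas, thresholds and sample data are assumptions built for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two "silos" with different schemas:
# an authentication log and a network-transfer (DLP-style) log.
AUTH_EVENTS = [
    {"ts": "2017-05-01T02:13:00", "user": "jdoe", "src": "10.1.1.7", "result": "fail"},
    {"ts": "2017-05-01T02:13:20", "user": "jdoe", "src": "10.1.1.7", "result": "fail"},
    {"ts": "2017-05-01T02:13:40", "user": "jdoe", "src": "10.1.1.7", "result": "fail"},
    {"ts": "2017-05-01T02:14:05", "user": "jdoe", "src": "10.1.1.7", "result": "success"},
    {"ts": "2017-05-01T09:00:00", "user": "asmith", "src": "10.1.2.9", "result": "success"},
]
NET_EVENTS = [
    {"ts": "2017-05-01T02:20:00", "user": "jdoe", "dst": "203.0.113.5",
     "bytes_out": 2_500_000_000, "external": True},
    {"ts": "2017-05-01T09:05:00", "user": "asmith", "dst": "10.1.0.2",
     "bytes_out": 50_000, "external": False},
]

# Assumed policy knobs; an agency would tune these to its own baseline.
OFF_HOURS = (22, 6)                   # 22:00-06:00 counts as off-hours
EXFIL_BYTES = 1_000_000_000           # 1 GB outbound to an external host
LOGIN_WINDOW = timedelta(minutes=30)  # login-to-transfer correlation window
FAIL_THRESHOLD = 3                    # failed logins before a success
FAIL_WINDOW = timedelta(minutes=5)

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def is_off_hours(dt):
    start, end = OFF_HOURS
    return dt.hour >= start or dt.hour < end


def account_misuse_alerts(auth_events):
    """Question: did a success follow a burst of failures for the same account?"""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(auth_events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    for user, events in by_user.items():
        recent_fails = []
        for e in events:
            t = parse_ts(e["ts"])
            if e["result"] == "fail":
                recent_fails.append(t)
                continue
            burst = [f for f in recent_fails if t - f <= FAIL_WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                alerts.append({
                    "use_case": "account_misuse", "severity": "high", "user": user,
                    "evidence": f"{len(burst)} failed logins then success from {e['src']} at {e['ts']}",
                })
            recent_fails = []
    return alerts


def exfiltration_alerts(auth_events, net_events):
    """Question: did a large external transfer follow a (possibly off-hours) login?"""
    logins = [(parse_ts(e["ts"]), e) for e in auth_events if e["result"] == "success"]
    alerts = []
    for n in net_events:
        if not n["external"] or n["bytes_out"] < EXFIL_BYTES:
            continue                      # pared away: internal or small transfer
        t = parse_ts(n["ts"])
        severity, context = "high", "no matching login in window"
        for lt, login in logins:
            if login["user"] == n["user"] and timedelta(0) <= t - lt <= LOGIN_WINDOW:
                context = f"login from {login['src']} at {login['ts']}"
                if is_off_hours(lt):      # cross-silo context raises priority
                    severity, context = "critical", context + " (off-hours)"
                break
        alerts.append({
            "use_case": "exfiltration", "severity": severity, "user": n["user"],
            "evidence": f"{n['bytes_out']} bytes to {n['dst']} at {n['ts']}; {context}",
        })
    return alerts


def triage(auth_events, net_events):
    """Run every use-case question and return alerts ranked for the analyst."""
    alerts = account_misuse_alerts(auth_events) + exfiltration_alerts(auth_events, net_events)
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])


def reduction(auth_events, net_events):
    """(raw events ingested, alerts a human must actually read)."""
    return len(auth_events) + len(net_events), len(triage(auth_events, net_events))


if __name__ == "__main__":
    for a in triage(AUTH_EVENTS, NET_EVENTS):
        print(a["severity"].upper(), a["use_case"], a["user"], "-", a["evidence"])
    print("raw events -> alerts:", reduction(AUTH_EVENTS, NET_EVENTS))
```

The point of the example is the shape, not the specific rules: each use case is a question written down once, the two logs are normalized only as far as the question needs, and the analyst sees two ranked alerts instead of seven raw events. Joining the silos is what lets the off-hours login from one tool raise the severity of a transfer seen by another; the same transfer in isolation would be one more "high" in a queue.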
2. Accurate inventories of networks, systems and endpoints are essential.
Security analytics tools
• Security information and event management
• User and entity behavior analytics
• Intrusion prevention systems
• Network traffic analysis
• Endpoint protection platforms
• Endpoint detection and response
• Data loss prevention
• Data exfiltration analytics
• Identity and access management analytics
Source: Gartner