June 2016
Close the Detection Deficit with Security Analytics
INSIDE
The Unseen Threat (Page 2)
Dealing with the Data Deluge (Page 8)
Using Security Analytics to Reduce Time on Target (Page 12)
SPONSORED BY
The Unseen Threat
New analytics tools and services are helping organizations extract exceptional business value from the massive volumes of available data provided by various internal and external sources. Many companies are harnessing these insights to improve operational and business processes, troubleshoot problems, identify business opportunities, and generally compete and innovate better. Now the benefits of analytics in those areas are prompting companies to look to analytics to improve information security.
Enterprise security organizations are under tremendous pressure to change. Traditional perimeter-focused security controls and strategies have proved inadequate against modern, highly targeted attack campaigns.
Worse, they have done little to enable the
visibility needed to detect and respond to
breaches and security incidents in a timely
fashion. Exacerbating the problem is the
exploding use of mobile, cloud, and software
as a service (SaaS), which together have
combined to greatly increase the attack surface
for threat actors.
Not surprisingly, companies that suffer a
data breach these days often don’t discover
it until much later. Verizon’s 2016 Data Breach
Investigations Report showed an increasing
“detection deficit” between a breach and
how long it takes for an organization to
discover the breach.1 In all of the cases
Verizon investigated in 2015, the time to
compromise was “days or less.” However,
in only about a quarter of the cases did
the compromised organization discover
a breach in that same time frame. Verizon
also saw a dramatic decline in the number
of compromises detected internally in 2015
and a corresponding increase in the number
of breaches detected as a result of fraud
occurring with the breached data.
Compliance obligations, business
requirements, and liability concerns also are
requiring security organizations to take a far
more strategic role in the enterprise. Once just
a tactical, firefighting operation, the security
function is increasingly being asked to enable
strategic business change.
Many believe that security analytics can
drive this transformation by helping companies
capture, harness, and leverage data better.
Here is a closer look at why such capabilities
are becoming increasingly crucial to
enterprise security.
The Security Implications of Technological Advance
Cloud, mobile computing technologies, and the growing interconnectedness of business networks have all but obliterated the traditional enterprise perimeter. For many organizations, the network edge has become a vast collection of touch points with partners, suppliers, vendors, and customers.
The trend has exacerbated the enterprise
security challenge. From having to protect
a clearly defined network edge and a finite
set of computing resources, security groups
must now deal with a mind-numbing
combination of corporate-owned, personally
owned, and partially managed PCs, laptops,
and mobile devices. Assets that need to be
protected can be located on-premises or
hosted in a public cloud, private cloud, or a
hybrid environment on cloud servers that
may or may not be hosted domestically.
“The time to compromise is almost always days or less, if not minutes or less.” — Verizon 2016 Data Breach Investigations Report
In addition, business groups are increasingly
using SaaS delivery options and cloud
collaboration services without IT’s approval,
creating a huge shadow IT problem with
major security implications. The Cloud
Security Alliance estimates that a staggering
35% of all enterprise applications in use today
have not been specified or deployed by IT.2
On top of all of these problems, the controls
businesses have put in place to protect the vast
attack surface are generating a huge volume
of data that’s threatening to drown IT security
organizations. Enterprises that have invested in
sophisticated security tools to protect critical
data assets are often failing to realize the full
benefits of those tools because of the data
deluge. More than two years after the late
2013 intrusion at Target, the retailer remains a
dramatic example of what can happen when
there’s too much data. In its analysis of the
Target breach, the website Dark Reading notes
that the retailer’s intrusion-detection systems
alerted administrators to a potential breach
early on, but Target failed to act because the
alerts were buried under a vast amount of
other log data.3
Target is by no means alone. Administrators
at Neiman Marcus, another big retailer that
suffered a breach around the same time as
Target, missed a reported 60,000 alerts triggered
by hackers stealing credit and debit card data
from its network.4 And Scottrade was unaware
of a prior data breach impacting approximately
4.6 million customers until the FBI notified the
discount brokerage of the compromise in 2015.5
Many enterprises routinely collect terabytes, and
sometimes even petabytes, of data related to
network, application, and transaction events for
everything from forensic analysis to regulatory
compliance. Security analytics can play a critical
role in helping organizations analyze these large,
often disparate data sets and to discern hidden
patterns and correlations in them. It can help
security teams zero in on events and patterns
of behavior that may indicate malicious activity
with the enterprise network.
A Morphing Threat Landscape
Enterprises today face a more diverse range of threats than ever before. For one thing, there is little that is opportunistic or accidental about many of the attacks that organizations need to defend against. Instead, they are highly targeted, persistent, and carried out by attackers with a specific goal in mind.
Data theft and financially motivated attacks
are not the only threats that businesses
must guard against. Digital espionage,6
intellectual property theft,7 and sabotage
by well-organized, well-funded nation-state
groups are major concerns as well. The late
2014 attack on Sony Pictures — allegedly
sponsored by North Korea — resulted in
terabytes of intellectual property and sensitive
data being exposed.8 A late 2015 attack on
Ukraine’s power grid, with apparent ties to
Russia, caused a wide power outage.9 These
politically motivated attacks are examples
of the destructive nature of modern
cyberthreats.
But the threats don’t stop with advanced
persistent threats. Other serious threats
include denial-of-service attacks, ransomware,
phishing and business email compromise
campaigns, malicious insiders, and yes,
opportunistic attacks as well. In many
cases, the little markers and signatures that
accompany each of these threats are easy to
miss unless an organization knows how and
where to look for them.
One of the most vexing characteristics of
modern attacks is the emphasis on stealth and
persistence. Unlike mass attacks in the past,
which were noisy and short-lived, many attack
campaigns these days can persist silently for
months and sometimes even years. Attackers
who gain access to a network go to great lengths
to burrow deep into the enterprise and conceal
their presence to the greatest degree possible.
Defending against such threats requires
a different set of tools and skills — and a
different mindset — than defending against
mass, nontargeted attacks. Threat intelligence,
threat information sharing, and indicators
of compromise have become as critical to
enterprise security as continuous monitoring
and internal controls.
In order to enable a robust situational
awareness capability, enterprises these days
must be able to seamlessly meld external
threat intelligence data with internal data and
continuously analyze the combined data set.
Security analytics tools can play a key role in
delivering this capability.
Business Imperatives
“35% of all enterprise applications in use today have not been specified or deployed by IT.” — Cloud Security Alliance
Mobile technologies, cloud computing, and SaaS delivery models have given business groups a way to quickly address their software and service requirements without waiting around for IT to develop it for them.
A 2015 Cloud Security Alliance report
highlights the growing security challenges
to organizations posed by the employee-
led adoption of cloud technologies,
many designed for consumer use, within
enterprises.10 Workgroups and even
individual employees have been subscribing
to cloud services in rapidly growing
numbers, with or without IT’s blessing,
typically for services like cloud collaboration,
customer relationship management, and
storage. The shadow-IT trend has elevated
concerns about issues such as inadvertent
data exposure, unauthorized access, and
compliance issues.
The risks don’t stop there. The trend by
business units to go their own way has put
growing pressure on IT to respond faster to
business unit requirements. The resulting
rush to release products is causing many
development teams to push applications
out before they have been properly validated
for security.
In order to manage the shadow IT risk,
businesses must have detailed visibility
into the extent of cloud application use
within their enterprises. They need to
implement policies for extending their
data governance practices to the cloud
and be sure employees comply with those
policies.
The Rigors of Regulatory Compliance
Organizations are under growing pressure to comply with best practices and regulations. But many of the metrics used to measure and report on the effectiveness of a security program don’t reflect the true security status of the organization. Instead they merely report activities, like how many attacks an intrusion-detection system may have blocked rather than whether it reduced risk.
The Limitations of Intrusion-Centric Security
• Signature-based tools are ineffective against zero-day threats and multistage attacks.
• There’s not enough emphasis on detection and response.
• The focus is on forensics and after-the-fact response rather than pre-emptive action.
• These tools offer limited visibility of threat status.
• They provide limited compliance reporting data.
Security analytics technologies
can, by design, capture and analyze
event data related to applications,
communications, sessions,
transactions, and other activities.
They give enterprises better visibility
into their security postures and
allow them to gather key metrics for
executive reporting and compliance
purposes.
As ISACA — the independent
global association of information
systems, audit, and control
professionals — notes, integrating
security analytics into enterprise
governance, risk, and compliance
(GRC) programs can yield rich
dividends.11 Analytics lets security
and business teams build a
common language and framework
around risk, ISACA says. It helps
organizations set a baseline for
their security posture, model
risk appetites and scenarios, and
understand how security is helping
to improve or enable business
processes. Analytics lets enterprises
use security event data to create key
performance indicators rather than
just metrics, ISACA says.
A well-designed security analytics program that is integrated with enterprise GRC processes provides the insights that help enterprises understand and report on the effectiveness of their security controls.
Dealing with the Data Deluge
Over the years, log data collected from firewalls, intrusion-detection and -prevention systems, anti-malware tools, access control products, network routers, and other security technologies has played a useful role in helping organizations deal with critical security issues. When fed through log management tools, such data has helped organizations identify everything from suspicious login attempts and port scans to denial-of-service attacks, policy violations, and, of course, malware attacks.
But as useful as all this has been, it is no longer enough. In order to enable a true enterprise-wide situational-awareness capability, organizations must be able to collect, aggregate, and analyze data from a lot more sources, both internal and external, and do it in real time. The following challenges must be overcome in order to achieve this capability:
Overabundance of Data
Data from mobile devices, cloud services, web applications, social media, Active Directory files, SQL server logs, location tracking systems, business and transaction systems, and myriad other sources can provide vital clues about an organization’s security status.
A lot of this data is already available, and
plenty of tools exist to gather it. The challenge
is the sheer volume. A typical Fortune 500
company, for instance, may generate billions of
unique network activity events per day.
Enterprises need to be able to cut through
the noise. But collecting, aggregating, and
extracting value from this huge volume of
data is beyond the capabilities of current
security tools.
Limitations of Current Analytics Technologies
Security information and event management (SIEM) tools and log event management products have, to a certain extent, helped organizations gain some visibility into the security of their environment. But such tools have their limitations. SIEM systems were designed to capture security event data for correlation and analysis from perimeter devices. Though they have evolved considerably over the years, SIEM tools are not really optimized to handle the sheer volume of highly heterogeneous data that the increasingly complex and diverse systems on the enterprise network are generating. The correlation engines built into SIEM products are somewhat limited in their ability to detect problems associated with previously unknown or unexpected behavior.
With rules-based SIEM systems, a lot depends on the quality of the rules that are used to establish the relationship between security events and network incidents. Rules that are too tight can result in too many alerts being generated. Rules that aren’t tight enough can result in critical security events being missed.
Additionally, the sheer volume of data such
systems generate can make it extremely
difficult for security teams to get through
enough alerts to spot threats in a timely
fashion. While this is not necessarily a
limitation of SIEM itself, organizations are
often unable to derive full value from these
systems because of their inability to get
through the data.
The data that most organizations capture
and store in vast data lakes these days is
good for identifying issues that have already
happened. But it has little effect in terms of
moving analytics to earlier in the security
kill chain.
Lack of Network Visibility
In order to be able to accurately detect and respond to risks, organizations must have a continuous awareness of all that’s going on in their networks. They need to be able to enrich that data with reliable threat intelligence and contextual information such as asset type and business function or activity in order to quickly detect variations from normal behavior. Doing all this in a large enterprise with its myriad entry points, huge attack surface, and complex threats can be extremely challenging.
Inadequate Analytics Across the Cyber Kill Chain
In recent years, some security vendors and analysts have encouraged enterprises to look at security from the standpoint of a cyber kill chain. The argument is that almost all attacks consist of seven basic phases and by mounting defenses that are specific to each phase, companies can deal with threats more effectively. The cyber kill chain as described by Lockheed Martin, one of the model’s early proponents, has seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.13
The Analytics Advantage
Security analytics can enable greater visibility into indicators of compromise, such as:
• Phishing in mail logs, usage trends, and correlation capabilities
• Slow data exfiltration in proxy/firewall logs, looking at the number of bytes and sessions over time
• HTTP-based malware command and control channels in web proxy logs12
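The “slow data exfiltration” indicator above, together with the earlier point about enriching network data with asset type and business function, is worked through below as an added example that is not part of the paper or of SAS Cybersecurity. The script builds a per-host daily baseline of outbound bytes and session counts from constructed proxy log lines, enriches hits with a constructed asset-role table, and flags days that deviate from the baseline; the host names, log format, roles and thresholds are all assumptions.

```python
"""Added example (not from the paper or SAS): baseline-deviation detection of
slow data exfiltration in proxy logs, using outbound bytes and sessions per
host per day, enriched with asset context. All data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed asset context (the "asset type / business function" enrichment
# the text mentions); a real deployment would pull this from a CMDB.
ASSET_ROLES = {"ws-101": "workstation", "ws-102": "workstation",
               "srv-backup": "backup server"}


def build_sample_log():
    """Constructed proxy log: '<date> <src host> <dest> <bytes sent> <bytes recv>'."""
    lines = []
    for day in range(1, 9):
        date = f"2016-05-{day:02d}"
        # ws-101: ordinary browsing with a handful of small uploads per day
        for _ in range(3 + day % 3):
            lines.append(f"{date} ws-101 cdn.example.net 900 400000")
        # srv-backup: legitimately ships ~800 MB off-site every night
        lines.append(f"{date} srv-backup backup.example.com 800000000 2000")
        # ws-102: normal for five days, then a growing trickle of small uploads
        sessions = 4 if day <= 5 else 4 + 20 * (day - 5)
        for _ in range(sessions):
            lines.append(f"{date} ws-102 paste.example.org 1000 2000")
    return "\n".join(lines)


def parse_proxy_log(text):
    """Parse whitespace-separated log lines into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, host, dest, sent, recv = line.split()
        records.append({"date": date, "host": host, "dest": dest,
                        "sent": int(sent), "recv": int(recv)})
    return records


def daily_profile(records):
    """host -> date -> {'sent': total outbound bytes, 'sessions': connection count}."""
    prof = defaultdict(lambda: defaultdict(lambda: {"sent": 0, "sessions": 0}))
    for r in records:
        day = prof[r["host"]][r["date"]]
        day["sent"] += r["sent"]
        day["sessions"] += 1
    return prof


def find_slow_exfil(records, baseline_days=5, z=3.0):
    """Flag host-days whose outbound bytes exceed mean + z*std of that host's
    first `baseline_days` days. The spread is floored at 10% of the mean so a
    perfectly flat baseline does not turn every tiny change into an alert.
    Because the baseline is per host, a server that always uploads a lot
    (srv-backup) is not flagged, while a workstation that starts to is."""
    alerts = []
    for host, days in daily_profile(records).items():
        ordered = sorted(days)
        if len(ordered) <= baseline_days:
            continue  # not enough history to learn a baseline
        base = [days[d]["sent"] for d in ordered[:baseline_days]]
        base_sessions = [days[d]["sessions"] for d in ordered[:baseline_days]]
        mu, spread = mean(base), max(pstdev(base), 0.1 * mean(base))
        threshold = mu + z * spread
        for d in ordered[baseline_days:]:
            if days[d]["sent"] > threshold:
                alerts.append({
                    "host": host, "role": ASSET_ROLES.get(host, "unknown"),
                    "date": d, "sent": days[d]["sent"],
                    "ratio": round(days[d]["sent"] / mu, 1),
                    "sessions": days[d]["sessions"],
                    "baseline_sessions": round(mean(base_sessions), 1),
                })
    return alerts


if __name__ == "__main__":
    for a in find_slow_exfil(parse_proxy_log(build_sample_log())):
        print(f"{a['date']} {a['host']} ({a['role']}): {a['sent']} bytes out, "
              f"{a['ratio']}x baseline, {a['sessions']} sessions "
              f"(baseline {a['baseline_sessions']})")
```

On the constructed data only ws-102 is reported, on each of the last three days, with the session count climbing alongside the byte count; the per-host baseline keeps the nightly backup server quiet.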
Many security analysts believe that
targeted attacks almost always begin with
a reconnaissance phase during which attackers
explore potential weak spots in a target
network. By detecting the scans and probes that
are characteristic of this phase, enterprises can
gain visibility into what the adversaries are after
and therefore block them more effectively.
The weaponization phase, as defined by
Lockheed and others, is when attackers choose
or develop the malware needed to exploit any
weaknesses they may have discovered during
the reconnaissance phase. The defense goal
here is to try to infer what the attackers might
choose based on previous artifacts.
The delivery and exploitation stages are
when attackers attempt to break in to the
target network by delivering and exploiting
the malware they have chosen. A key measure
of the effectiveness of security controls during
these phases is the number of intrusion
attempts that are successfully blocked,
according to Lockheed.
Defense efforts during the malware
installation phase are focused on malware
analysis and gathering indicators of
compromise so organizations can develop
better endpoint mitigations.
Lockheed defines the command and control
stage as the phase of an attack when malware
has been successfully installed on a network
and it attempts to communicate with a remote
command and control server. The defense
goal at this stage is to detect and block such
communication so adversaries cannot instruct
the malware to cause more damage.
The end stage of the cyber kill chain is when
threat actors begin to start taking action on
their objectives. The action could range from
data theft and financially motivated actions
to espionage, surveillance, and sabotage.
Security analysts believe that analytics can play
a critical role in this stage by giving defenders
information on what a particular adversary
might be after.
The effectiveness of a cyber kill chain-
oriented defense model depends to a large
extent on an organization’s ability to capture,
aggregate, and analyze data from each of the
seven phases. By integrating analytics tool sets
and strategies into the cyber kill chain model,
businesses can get insight across endpoints,
host systems, networks, and applications that
is needed for quicker threat detection and
incident response.
Using Security Analytics to Reduce Time on Target
Reducing the length of time that an attacker spends undetected on a network is critical. Experience from previous mega-breaches has shown that the longer an adversary remains undetected on the network, the greater its ability to do harm. By collecting, correlating, and analyzing data from endpoints, security systems, and network events, organizations can enhance their threat detection and mitigation capabilities. But the sheer volume and diversity of data involved pose enormous challenges, especially for large enterprises.
Organizations must be able to collect and correlate
data from multiple sources, separate relevant data
from irrelevant, and apply context to the data in order
to derive meaningful value from their analyses. They
need to be able to do this with the data constantly
generated by the network as well as data stored in
log files and archives. And the faster enterprises can
do this, the better their ability to detect and mitigate
threats in an expeditious fashion.
Increasingly, concepts such as risk-based analysis,
context-based security, behavioral analytics, and
activity monitoring have all become critical to
enterprise security. Analytics-driven triage has become
vital to focusing security team efforts with its accurate
and prioritized short list of suspicious devices and
entities that must be investigated.
Fortunately, technologies like event stream
processing tools, Hadoop, in-memory analytics, and
visual analytics have let organizations do this sort of
analysis in a nonsecurity context for years. Retailers, for
example, have been harnessing data gathered from
websites, transactions, social media, and other sources
to predict trends, forecast demand, and streamline
operations. In the pharmaceutical industry, big data analytics is playing an increasing role in predictive modeling of drugs and clinical trials. In financial services, these approaches have been used to identify and reduce fraud.
By applying these big data technologies to the security context, security analytics can help organizations gain greater awareness of network threats and reduce the time to detect them.
5 Essential Characteristics of a Security Analytics Solution
Security analytics technologies offer a wide range of capabilities and functions, and product specifics can vary by vendor. But there are some essential characteristics that any security analytics solution and vendor you consider absolutely must have. Here are the five important ones:
1. Analytical engines: To assess potential threats in the network, the solution must go beyond rules, signatures, and other traditional statistical measures. It should combine a variety of analysis engines, such as data mining, advanced statistical analysis techniques, supervised machine learning, and unsupervised machine learning.
2. Data fusion: The solution should leverage a variety of internal and external data sources in conjunction with network traffic flows. These sources — such as business context, existing security product alerts, and threat feeds — enrich network data to ultimately provide a smarter view into normal and abnormal behavior.
3. Speed at scale: Pick a solution that can easily process your network traffic volume and deliver timely results. It should continue delivering the processing power and analytics performance as network data and data sources expand.
4. Value to security analysts and executives: The best solution will help your organization reduce the time to security insight. It should give your analysts an understanding of alerts, behaviors, and potential threats, and your executives an understanding of the organization’s overall security posture.
5. Vendor longevity and analytics experience: The market is full of security analytics vendors, so it’s important to ask questions and choose wisely. How long has the company been in business? What is its analytics track record? Did it develop or acquire its analytic capabilities? Answering these questions can help you identify a solution that will continue to be developed and supported going forward.
Reducing Time on Target
The sheer breadth of the attack surface and the growing sophistication of the threat landscape have made it all but impossible for organizations to stop threat actors from conducting reconnaissance on their networks. Increasingly, it has become hard to prevent the persistent hacker from finding an entry point into the network, regardless of how well protected the perimeter might be.
Security analytics can help businesses
reduce time on target. By providing visibility
into normal and abnormal network behavior,
security analytics makes it easier to spot
deviations caused by unexpected and
malicious activity.
What security analytics does is make
it much harder for criminals to operate
unnoticed within the network. It operates
on the assumption that criminals have
already breached the network and serves
as an alarm to warn of their presence.
Because malicious activity involves a
deviation from normal network behavior,
security analytics tools make it all but
impossible for attackers to conceal their
presence on the enterprise network.
1. “2016 Data Breach Investigations Report.” Verizon. 2016.
2. Holdgrafer, Rachel. “Managing Shadow IT.” Cloud Security Alliance. Oct. 14, 2015.
3. Schwartz, Mathew J. “Target Ignored Data Breach Alarms.” Dark Reading. UBM. March 14, 2014.
4. Elgin, Benjamin, Dune Lawrence, and Michael Riley. “Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data.” Bloomberg. Feb. 24, 2014.
5. “Scottrade Breach Hit 4.6 Million Customers, Began 2 Years Ago.” Dark Reading. UBM. Oct. 2, 2015.
6. Dunham, Ken. “Troubling Trends of Espionage.” ISSA Journal. ISSA. March 2015.
7. “Valuable Intellectual Property Targeted by Cyber Attacks.” Security News Desk. Oct. 14, 2015.
8. Cieply, Michael and Brooks Barnes. “Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm.” The New York Times. Dec. 30, 2014.
9. Jackson-Higgins, Kelly. “Lessons from the Ukraine Electric Grid Hack.” Dark Reading. UBM. March 18, 2016.
10. “Cloud Adoption Practices & Priorities Survey Report.” Cloud Security Alliance. January 2015.
11. Delmar, Yo. “Integrating Security Analytics Into GRC Programs.” ISACA Journal. 2014.
12. Shackleford, Dave. “Using Analytics to Predict Future Attacks and Breaches.” SANS. Sponsored by SAS. January 2016.
13. “The Cyber Kill Chain.” Lockheed Martin.
About SAS
SAS pioneered the use of analytics to solve complex business problems 40 years ago. Today, our industry-leading big data analytics and experience in real-time decision making can help you anticipate and mitigate cyberevents to avoid financial loss. With SAS® Cybersecurity, you can counter cyberattacks with your information advantage to reduce uncertainty and identify attackers in your network before their next move.
Learn why SAS Cybersecurity is your essential layer of cyberdefense at sas.com/cybersecurity.
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies.