Effective threat management requires security teams to combine security analytics with the abundance of machine-generated data that is prevalent in most enterprise environments. Tools such as network traffic analysis, endpoint detection, security information and event management (SIEM), and user behavior analytics (UBA) harvest this data and reveal who is doing what in the IT environment and when and how they’re doing it. This mix of data can help uncover unknown threats, but it can also confuse some security operations professionals who are not familiar with it when the data is only partially displayed.
For instance, a network link analysis diagram — or, more simply, a list of network connections — can be very informative because it shows critical data sources, but it can also be overwhelming with its thousands of raw connections and IP addresses. Let’s take a look at some common data sources and explore why security teams really need to combine them all to generate a complete picture for detection, investigation and response.
5 Criteria for Advanced Threat Detection
Security analytics sources and methods can be split into three essential security views: who, where and what.
- Data related to the “who,” often labeled as user and access analytics, provides insights into various identities, related activity, and accessed data or applications. Recently, behavioral monitoring was added to this group to help surface insider threats.
- The second group, “where,” is best derived from endpoint-based analytics. This data reveals activity and changes on a specific system (client, server, virtual machine, etc.).
- You can understand the “what” by using network analytics to monitor which applications, machines and users are active on the network and what data they are accessing where.
Each of these methods offers some advantages from a security operations perspective. Let’s take a deeper look by evaluating five common security operations criteria: deployment, data management, detection, security intelligence for investigation and response.