Analytics has become a way of life for most of us, even more so in current times. Can it be applied to cybersecurity? This article by Anubhav Wahie, Regional Leader- Cybersecurity Solutions, Global Security Sales Organisation (GSSO), CISCO, describes the role security analytics plays in the current landscape.
Technology advances in recent times have impacted the way we live, play, learn and work. The ease with which one can pick up a smart phone to “hail a cab”, “order out” or “make a doctor’s appointment” has been transformational.
Another effect of this transformation is an explosion of data available for consumption, driven largely by the proliferation of devices and applications. "Dark data", data that is collected but never analysed, is now a major obstacle to efficient decision making. AI and ML have come to the rescue, but the accuracy of the insights they produce varies.
Viewed from a cybersecurity perspective, the problem takes on a different dimension. Encryption has been introduced in networks so that data stays protected from prying eyes and is meaningful only to its rightful custodians. The flip side is that bad actors hide behind the same encryption, evading conventional security controls that depend on inspecting payloads.
Security analytics can help in such scenarios, but its accuracy is key to its effectiveness.
Inaccurate analytics defeats its own purpose and adds to alert fatigue. This raises an important question.
How does one drive accuracy in analytics?
- Question the outcomes desired from the analysis. What problem will it solve? For example, what are the five answers a threat researcher is looking for that effective analytics can provide?
- Define the competency questions, in other words the ground truth. Baselining behaviour is key to identifying anomalies. Having said that, remember that the baseline can change, so it has to be re-learned over time rather than fixed once.
- Once the ground truth is nailed down, fingerprint every entity in the network accurately. A printer is a printer, not a mobile device; a misclassified device inherits the wrong baseline and its anomalies go unnoticed.
- With accurate fingerprints, behaviour categories for the network entities can be established, and anomalies become easier to identify. For example, a printer talking to public internet addresses is an anomaly, because printers have no business doing so.
- Lastly, the more telemetry the analytical pipeline ingests and correlates, the higher the fidelity of its results.
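The steps above (fingerprint, baseline, categorise, flag anomalies) as a worked example. This is added illustration, not code from the article or from any Cisco product. The flow records, IP addresses and the rule "a host that serves only print ports is a printer" are all constructed assumptions; real fingerprinting would draw on far more signals (DHCP, TLS, MAC OUI, user agents).

```python
"""Fingerprint hosts from flow records, learn a per-class egress baseline,
then flag flows that deviate from it (e.g. a printer reaching a public IP).
Added example; all data below is constructed for illustration."""
import ipaddress
from collections import defaultdict

PRINT_PORTS = {9100, 631, 515}   # raw JetDirect, IPP, LPD (assumed fingerprint rule)

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, proto, bytes).
# Learning window: what "normal" looked like.
TRAINING_FLOWS = [
    ("10.0.1.20", "10.0.1.5", 9100, "tcp", 20480),      # workstation -> printer, raw print
    ("10.0.1.21", "10.0.1.5", 631, "tcp", 4096),        # workstation -> printer, IPP
    ("10.0.1.5", "10.0.0.53", 53, "udp", 120),          # printer -> internal DNS
    ("10.0.1.20", "10.0.0.53", 53, "udp", 90),          # workstation -> internal DNS
    ("10.0.1.20", "93.184.216.34", 443, "tcp", 51200),  # workstation -> public HTTPS
]
# Detection window: the flows we want a verdict on.
NEW_FLOWS = [
    ("10.0.1.21", "198.51.100.9", 443, "tcp", 30000),   # workstation -> public HTTPS: normal
    ("10.0.1.5", "203.0.113.7", 443, "tcp", 1048576),   # printer -> public HTTPS: anomaly
    ("10.0.1.5", "10.0.0.53", 53, "udp", 110),          # printer -> internal DNS: normal
]


def is_internal(ip):
    """RFC 1918 / private address space counts as internal."""
    return ipaddress.ip_address(ip).is_private


def fingerprint(flows):
    """Classify internal hosts by the service ports they are seen *serving*.
    A host is called a printer only if every port it serves is a print port."""
    served = defaultdict(set)
    for _src, dst, port, _proto, _nbytes in flows:
        if is_internal(dst):
            served[dst].add(port)
    classes = {}
    for host in {f[0] for f in flows} | {f[1] for f in flows}:
        if not is_internal(host):
            continue                      # public hosts are destinations, not assets
        ports = served.get(host, set())
        if ports and ports <= PRINT_PORTS:
            classes[host] = "printer"
        elif ports == {53}:
            classes[host] = "dns_server"
        elif not ports:
            classes[host] = "workstation"  # only initiates connections, serves nothing
        else:
            classes[host] = "unknown"      # needs more signals before it gets a baseline
    return classes


def learn_baseline(flows, classes):
    """Per device class: which destination ports it egresses on and whether it
    ever reached public address space during the learning window."""
    baseline = defaultdict(lambda: {"egress_ports": set(), "reaches_public": False})
    for src, dst, port, _proto, _nbytes in flows:
        cls = classes.get(src)
        if cls is None:
            continue
        baseline[cls]["egress_ports"].add(port)
        if not is_internal(dst):
            baseline[cls]["reaches_public"] = True
    return dict(baseline)


def detect(flows, classes, baseline):
    """Return (flow, reason) for each flow that deviates from its source's class baseline."""
    alerts = []
    for flow in flows:
        src, dst, port, _proto, _nbytes = flow
        cls = classes.get(src)
        if cls is None or cls not in baseline:
            continue                      # no fingerprint or no baseline: no verdict
        b = baseline[cls]
        if not is_internal(dst) and not b["reaches_public"]:
            alerts.append((flow, f"{cls} {src} contacted public host {dst}:{port}"))
        elif port not in b["egress_ports"]:
            alerts.append((flow, f"{cls} {src} used unseen egress port {port}"))
    return alerts


if __name__ == "__main__":
    classes = fingerprint(TRAINING_FLOWS)
    baseline = learn_baseline(TRAINING_FLOWS, classes)
    for flow, reason in detect(NEW_FLOWS, classes, baseline):
        print("ALERT:", reason, "| bytes:", flow[4])
```

Two points from the list are visible in the code. First, the fingerprint carries the baseline: if `10.0.1.5` is mislabelled a workstation, its 1 MiB upload to `203.0.113.7` matches the workstation baseline (workstations do reach public HTTPS) and produces no alert at all. Second, the baseline is learned from a window, not hard-coded; re-running `learn_baseline` on a newer window is how a legitimately changed behaviour (say, a fleet moving to cloud print) stops raising alerts.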
With such analytics capabilities augmenting their SecOps, security analysts and responders gain visibility beyond detection at endpoints and workloads, and can stay ahead of attacks lurking in their networks.
Needless to say, endpoint and workload security remains critical. But in the "dark world" of unanalysed and encrypted traffic, using analytics to catch threats early brings earlier detection and reduces alert fatigue.
Anubhav Wahie, Regional Leader- Cybersecurity Solutions, Global Security Sales Organisation (GSSO), CISCO