Security Analytics: More than Just SIEM 2.0

In recent years, the cyber security market saw an explosion of different products aimed at helping enterprises detect and find low and slow, multi-staged attacks meant to exfiltrate valuable data for causing business disruption. With dwell time averaging 86 days by one estimate, and in the worst cases found to be as high as 800 to 1000 days, IT security professionals are searching for better ways to more quickly detect such attacks and limit the damage they can do. Legacy security tools, such as SIEM solutions, attempt to improve detection by correlating alerts from related events, but that requires security analysts to know what events were related and then create rules to look for those related events. This only exacerbates the problem by either generating an overwhelming volume of alerts or requiring systems to be tuned so tightly that they filter out important alerts indicating real threats rather than noise, once again allowing malicious activity to fly under the radar.

Enter security analytics!

This dynamic gave rise over the last several years to a class of products and services Enterprise Management Associates (EMA) calls security analytics. These solutions, which were developed by a new crop of startups, initially took three different approaches: User and Entity Behavioral Analytics (UEBA), Anomaly Detection, and Predictive Analytics. UEBA not only focuses on end users and what their normal business activity is, but also on systems, applications, and processes (hence the use of the word “entity”). The more mature anomaly detection approach, as its name implies, looks for unusual variations in operating behavior using advanced algorithms to automate the process. Predictive analytics not only looks for suspicious behaviors but it also forecasts what the next mostly likely suspicious behavior will be.

The value in such tools is comes from the reduced time and effort required of security analysts to find hidden attacks within their enterprise IT infrastructure by decreasing the volume of meaningless alerts and prioritizing remediation activities around the bigger risks to the enterprise. Productivity improvements can be significant enough to allow organizations to avoid having to hire additional security analysts and to allow existing security professionals to focus on higher-value tasks.

To get a better idea of how well these security analytics products and their suppliers deliver on that promise, earlier this year EMA conducted an evaluation of these products across a common (and fairly large) set of metrics. We invited a wide range of vendors to participate and received a strong response. The results of our comparative analysis resulted in two reports: one focused on security analytics products that primarily gather data for analysis from logs, and another centered on security analytics products that gather network information for analysis. The former Radar for Log-Based Security Analytics was published in April of this year. The latter Radar for Network-Based Security Analytics was just published at the end of July of this year.

Whether based on logs or network telemetry (and often supplemented with additional contextual information and threat intelligence), all of the tools make extensive use of machine learning algorithms and models to establish normal patterns of activity and call out unusual activity. These systems automate much of the manual work involved in threat hunting and bulk data analysis by parsing through a huge volume of disparate and seemingly benign alerts to provide a conclusion with supporting information. They also make use of creative visualizations to help lead operators through investigations. Customers EMA interviewed as part of the research project uniformly lauded the improvement in accuracy delivered by the tools. All found that the time it took their teams to decide whether their organization was at risk from the indicators uncovered was greatly reduced, and that the products gave them better insights and more actionable telemetry.

As these vendors gain momentum in the market, EMA is seeing a merging of the three approaches to security analytics within the same product or platform. UEBA, Anomaly Detection, and Predictive Analytics all complement each other in speeding time to detection by improving accuracy and cutting down on manual investigative tasks. The success of these vendors and the attention they are getting is drawing larger security vendors—including legacy SIEM vendors—into the fray. Some vendors, such as Securonix and LogRhythm, have taken the organic development route, while others like RSA and HPE acquired smaller startups (FortScale and Niara, respectively). EMA expects such consolidation to continue. The strongest and most promising startups are ripe for acquisition, while the shakeout will ultimately cause the weaker ones to fail.