Six criteria for procuring security analytics software
Security analytics software can be beneficial to enterprises. Expert Dan Sullivan explains how to select the right product to fit your organization's needs.
Security analytics software analyzes log and event data from applications, endpoint controls and network defenses to assist organizations in improving their security posture. They help enterprises better understand attack methods and system vulnerabilities in order to thwart attacks before they happen, as well as see which systems have been affected if an attack is underway.
Enterprises have a wide range of options available to them when choosing security analytics software or products, which can make the decision confusing for organizations. Different products, for example, emphasize different key characteristics, such as deployment options, range of analysis and cost. The first step to selecting security analytics tools is to understand your organization's priorities.
Obviously, cost is a concern to virtually all enterprises. Other considerations will vary from one organization to another, and may include:
- Deploying security analytics software on virtual machines versus dedicated appliances;
- Expecting volumes of network traffic to grow substantially in the near future;
- Possible weaknesses in compliance practices; and
- The ability to perform root cause analysis and detailed forensic analysis in the event of a breach.
As organizations assess their priorities for security analytics software, it can help to keep in mind several criteria for evaluating it. This article outlines the following features to assist in evaluating the merits of different products:
- Deployment models
- Modularity
- Scope of analysis (types of threats)
- Depth of analysis (network layers)
- Forensic support
- Monitoring, reporting and visualization
Consider the relative importance of each of these features. For example, if an organization's security team feels overwhelmed with data, it must pay particular attention to monitoring, reporting and visualization, as well as scalability. The chosen system will need to ingest potentially large volumes of data (scalability) and then distill it down to a form that conveys key information to security professionals (monitoring, reporting and visualization). However, an organization that already has adequate coverage for some threats may look to emphasize modularity. This will reduce costs by avoiding redundant capabilities within a security infrastructure.
Security analytics software deployment
Security analytics tools are deployed as appliances or virtual machines, or are installed as software on a dedicated server.
Appliances combine hardware and software in a single product. This allows system administrators to add a device to the network, perform necessary configuration and start collecting data. Appliances minimize the system configuration work for customers. Small businesses or IT departments with limited resources may be particularly interested in an appliance. Also, vendors can apply lessons learned and best practices for configuring their systems, enabling more rapid deployments and potentially fewer support calls during installation.
A virtual machine implementation allows customers to utilize existing capacity in a virtualized environment. This may be a good option for small and midsize businesses or remote offices. As the volume of data grows, system administrators can dedicate additional CPU and RAM resources to accommodate additional loads. A virtual machine implementation will entail more administrative overhead than an appliance, but consider that relative to the benefits of using existing hardware.
The installed software option gives system administrators the most flexibility with regards to deploying a security analytics tool. Applications can be installed on dedicated servers or in virtual machine environments. Additionally, containers might be used to standardize a configuration that is deployed to multiple remote offices. Containers can provide some of the advantages of a virtualized environment without the need for a hypervisor, potentially reducing system management overhead.
Modularity
Security analytics software may encompass a wide range of services, from analyzing low-level network traffic to higher-level application protocols. Some enterprises may tailor analytics tools for particular applications, however -- such as email -- and therefore don't need additional email capabilities in a security analytics tool. Large security platforms often offer modular security options for specific areas, such as Web-, email- and file-based threats. The ability to choose only the functionality an organization needs can help control costs, another key evaluation criterion.
Scope of analysis (types of threats)
Threats are constantly evolving. Malware that pushed the envelope of malicious capabilities several years ago is now commonplace and probably readily accessible to a wide range of cybercriminals. Security analytics software requires the ability to analyze multiple types of malicious activity, as well as patterns of combined activities.
Malicious activities can be as simple as probing for open ports on a firewall to sending subtle spear phishing lures to executives. Advanced persistent attacks (APTs) employ multiple techniques to gain access to data, applications and network resources. APTs may start with successfully downloading remote control software from a compromised website. The attacker then moves on to explore the network, infect other vulnerable machines and collect intelligence about users and applications.
Buyers should consider the types of data analyzed by security analytics tools. Can it detect anomalous network traffic from a client device that is probing other devices and collecting network topology information? Can it correlate related events, such as visiting a potentially compromised website and then starting unusual patterns of network communication? Does the security analytics software have capabilities to analyze application logs, server logs and alerts generated by other security devices?
Also consider the need for timely security data. Some vendors maintain global intelligence networks that constantly collect and analyze data about malicious activities. These can act as early warning tools and help identify emerging threats.
Threat analysis is challenging. There will likely be false positives. Organizations with limited security analytics capabilities should carefully evaluate the scope of analytics they can effectively use.
A closely related topic to scope of analysis is depth of analysis.
Depth of analysis (network layers)
The Open Systems Interconnect model of networks describes seven layers of networks, from low-level physical and data link layers to the upper presentation and application layers. Security analytics tools that can collect and analyze data from the data link to the application layers have substantial depth of analysis capabilities.
Application-level analysis is particularly important for detecting malicious activity that escapes detection at lower levels. For example, an injection attack from an unknown IP address might be blocked by servers accepting incoming connections only from known devices. If, however, the injection attack originates from a trusted but compromised device, the lower network level-based controls will not block the attack.
A security analytics tool that analyzes application-layer protocols may be able to identify suspicious activity or malformed communications between servers and trusted devices.
Forensic support
While the goal of security analytics is to prevent breaches, there will be times when enterprise infrastructure is compromised. At that point, it is important to implement an incident response plan, which will require forensic support.
This includes capabilities such as identifying devices involved in a compromise, replaying network traffic to determine how devices and security measures were compromised, and correlating data from multiple sources and across the time span of the attack.
Many of the tools and reporting techniques used in forensic analysis are useful for ongoing monitoring.
Monitoring, reporting and visualization
A key reason to deploy a security analytics software platform is to have a single point of access to security data from across the enterprise. Simply collecting data is not enough: data must be integrated and correlated, events must be identified and assessed, suspicious events must be reported and monitoring tools should filter out inconsequential events.
Analysts need summarized data to understand network and device activity at a high level, but they also require detailed data about suspicious events. These needs are met by the monitoring, reporting and visualization tools of a security analytics platform.
Security analytics software: What to consider
Consider the six key factors when accessing security analytics products: deployment models, modularity, scope of analysis, depth of analysis, forensic support, and monitoring, reporting and visualization.
Companies looking for basic security analytics with minimal overhead should consider appliances and evaluate options based the quality of reporting and ability and appropriate scope. In cases where the ability to learn from breaches is a top concern, carefully consider forensic features. If the security analytics system will be an integral part of day-to-day management, be sure to assess reporting and visualization capabilities.
Some features will likely provide more benefit than others and it is important to understand the relative importance of each of these features to your organization, especially when cost considerations are taken into account.