The Importance of IT Security Analytics

The scope of IT security analytics is broad. Threat intelligence, if provided in advance, helps to prevent security incidents from occurring. Complete mitigation of risk is impossible, however, so incidents are inevitable, and most are associated with a breach of data. Initially it was believed that IT security analytics was required before, during and after an incident. In the past there were different products for each of these phases, but the boundaries between them are blurring.

Blacklists and Whitelists

Threat intelligence is the lifeblood of the IT security industry. Known spam emails, malware signatures and fake URLs are included in blacklists, whereas the applications that users run for legitimate purposes are included in whitelists. IT security suppliers have access to such resources at some level. However, it is well understood that intelligence gathered beforehand will never stop every security breach from occurring. What can be done once an event has occurred or data has been breached? In such cases the need is to understand the extent of the damage.

IT forensic methods are then applied, such as producing reports for internal investigation or communicating with criminal investigators. Examples of such incidents include the discovery of unknown malware or of disgruntled employees in the company. Guidance released a new version of its EnCase product called EnCase Analytics. The product collects clues to what has happened on servers, storage systems and end-user devices. EnCase Analytics is a network-based tool that handles huge volumes of data. It needs kernel-level access across multiple operating systems to inspect registries, system data, memory, hidden data, and so on. Network and security appliance log files are also of use. Guidance makes use of SIEM (security information and event management) tools. The benefits include ready-customised reports for certain regulatory regimes such as PCI DSS, the UK Data Protection Act and the mooted EU Data Protection Law. Access Data's Cyber Intelligence and Response Technology (CIRT) provides host and network forensics as well as the trickier-to-address volatile memory, processing data collected from all these areas to provide a comprehensive insight into incidents.

New Capabilities: These new capabilities include improved malware analysis, more automated responses and real-time alerts. This is well beyond historical forensics, moving Access Data from the after phase into during, and even some before, capability. Access Data relies on SIEM suppliers for some of its intelligence. In the past, SIEM has also typically been an after technology. Most SIEM suppliers come from a log management background, which is the collection and storage of data from network and security system log files for later analysis. The crux of IT security is to use intelligence from a range of sources in real time in order to identify and mitigate threats as they occur. Plenty of measures can be taken, such as running suspicious files in sandboxes, allowing only known-good files to run, blocking access to dangerous areas of the web, or judicious checking of content in use. These are all products that contribute to the broader aspiration of real-time mitigation. Supplementing them with analytics across a wide range of sources during an attack provides more extensive protection.

Some of the examples include:

• Identifying unusual traffic between servers, which can be a characteristic of undetected malware searching data stores

• Matching data egress from a device with access records from a suspicious IP address, user or location

• Preventing non-compliant movement of data, such as by an uninformed employee

• Linking IT security events with physical security systems

• Detecting unusual access routes

The good news is that more and more organisations are making use of their ability to process and analyse large volumes of data in real time to better protect IT systems.
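As an added illustration of the first two correlations in the list above (this is example code written for this page, not a product described in the article), the snippet below runs two simple checks over constructed flow, access and egress records: server pairs that have never talked before and suddenly move a lot of data, and outbound egress from a host that was recently accessed from a blacklisted IP address. Record layouts, thresholds and the time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed flow records: (src_host, dst_host, bytes). The baseline is the
# set of server pairs that normally talk to each other.
BASELINE_PAIRS = {("web01", "db01"), ("app01", "db01")}
FLOWS = [
    ("web01", "db01", 120_000),
    ("app01", "db01", 90_000),
    ("web01", "fileshare01", 5_000_000),  # pair never seen before, large volume
]
# Constructed access records: (timestamp, user, source_ip, host)
ACCESS = [
    ("2024-01-10T09:00:00", "alice", "10.0.0.5", "web01"),
    ("2024-01-10T09:40:00", "svc-backup", "198.51.100.7", "web01"),  # unexpected IP
]
# Constructed egress records: (timestamp, host, destination_ip, bytes)
EGRESS = [
    ("2024-01-10T09:55:00", "web01", "203.0.113.9", 40_000_000),
    ("2024-01-10T12:00:00", "app01", "203.0.113.9", 1_000),
]
SUSPICIOUS_IPS = {"198.51.100.7"}  # e.g. from a blacklist feed

def unusual_server_traffic(flows, baseline_pairs, min_bytes=1_000_000):
    """Flag server-to-server flows between pairs absent from the baseline that move
    at least min_bytes (list item 1: undetected malware searching data stores)."""
    return [f for f in flows if (f[0], f[1]) not in baseline_pairs and f[2] >= min_bytes]

def match_egress_to_access(egress, access, suspicious_ips, window_minutes=60):
    """Pair each egress event with an access from a suspicious IP on the same host
    within the preceding window_minutes (list item 2)."""
    hits = []
    for e_ts, host, dst_ip, nbytes in egress:
        e_time = datetime.fromisoformat(e_ts)
        for a_ts, user, src_ip, a_host in access:
            a_time = datetime.fromisoformat(a_ts)
            if (a_host == host and src_ip in suspicious_ips
                    and timedelta(0) <= e_time - a_time <= timedelta(minutes=window_minutes)):
                hits.append({"host": host, "user": user, "source_ip": src_ip,
                             "egress_dst": dst_ip, "bytes": nbytes})
    return hits

if __name__ == "__main__":
    print(unusual_server_traffic(FLOWS, BASELINE_PAIRS))
    print(match_egress_to_access(EGRESS, ACCESS, SUSPICIOUS_IPS))
```

In a real deployment the baseline would be learned from historical flows and the suspicious-IP set fed from the blacklists discussed earlier, rather than hard-coded.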

But the bad news is that there is no silver bullet, and there never will be. A range of security technologies will be required to provide state-of-the-art defences, and there will be no standing still. Those who would steal your data are moving the goalposts all the time, and they will be doing so before, during and after their attacks.
