There are glaring holes in how enterprises currently tackle security analytics, and by redefining the approach, the analyst’s role can be transformed. Rani Hmayssi, Regional Manager Google Cloud Middle East explains how.
1. What are the top challenges organizations face in achieving effective threat detection and producing proactive security measures?
When it comes to proactive threat detection, the top challenges we see organizations face pertain to scale, cost, speed, and productivity.
Accurate threat detection takes place when security teams are able to collect and store as much security telemetry as possible. Full detection requires full visibility. The current solutions for threat detection make it cost-prohibitive to keep all the necessary security telemetry, which adds time to the security investigation process and can cause threats to go undetected.
At the end of the day, the security landscape has changed. Security systems are easily generating petabytes of data, so it’s important to have the right tools that can accommodate this volume and then help deliver accurate detection.
With all your security data on hand, security teams can also perform proactive threat hunting and take advantage of simpler, but more powerful analytics constructs like YARA-L, Chronicle’s new rules engine syntax. These techniques enable and empower tier 1 SOC analysts to increase their productivity and perform better incident response.
2. Amid the COVID-19 lockdown, there has been a surge in potential cyberattacks such as email phishing, VPN-based attacks, enterprise network attacks, and other threat vectors. What should companies do to get ahead of the attack curve and how is security analytics changing the game?
We definitely empathize with our customers when it comes to new security risks associated with COVID-19. There has been a surge of phishing attacks targeting employees and threat actors looking to compromise VPN systems.
Security analytics can help enterprises get ahead of this attack curve by making it easy to understand the scope of a phishing attack. Phishing campaigns, for example, use numerous variants such as malicious domains, URLs, and files that need to be quickly identified.
Using a security analytics platform, you can see the enterprise-wide prevalence of any indicator of compromise in a suspected phishing email. For example, if an email contains a link, you can search Chronicle for that link to find any and all network connections to it. If the email contains an attachment, you can search Chronicle for all occurrences of that file. From there, you have the ability to rapidly or automatically delete known and confirmed phishing emails or reset account credentials for phished users.
3. What are your customers’ main objectives when it comes to security analytics and operations?
The main objectives for implementing a security analytics platform are SOC productivity, efficacy of threat detection, and economics. In the current climate, enterprises are looking to get more out of their security budget and the ability to do more with their technology. Security analytics allows businesses to cut costs associated with storing security data and gives analysts the power to efficiently perform investigations by having all security information in one place. New and more powerful threat detection frameworks like YARA-L also enable detection of a broader range of threats in a more efficient manner.
In addition to cost savings, there is a growing need to cut down on caseloads and increase time to detection and time to remediation. With the correlation provided by security analytics, analysts have broader threat coverage across the enterprise, including the ability to detect threats that operate low and slow.
4. Technologies that monitor cyberattacks generate a high volume of alerts from different systems that can’t all be analyzed. Is there a way to prioritize the high-risk alerts?
We definitely see security teams suffer from alert fatigue, and determining whether an alert needs to be escalated or marked as a false positive can be a time-consuming task. Using security analytics, investigation teams can come to conclusions faster, because the platform provides the right context to help understand severity and determine action steps.
With a platform like Chronicle, you can perform retroactive threat intelligence scanning, which looks at all incoming indicators of compromise and maps them to your data automatically. As soon as a new domain, URL, IP or hash is reported by a threat intelligence feed, Chronicle searches through one year of historical logs to see if your organization is impacted and will also look for these indicators in the future.
Chronicle also provides context for an alert across three dimensions: the user, your enterprise assets, and the severity of the threat. By having all the context you can quickly answer questions like:
- What other suspicious behavior has been seen on a particular device?
- Are there any new unauthorized domains or connections present in the network?
- Does activity tied to a specific user suggest anomalous behavior, such as compromised credentials?
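As an added example, not code from Chronicle or Google Cloud, the Python below sketches the two operations described in answers 2 and 4: looking up the enterprise-wide prevalence of a phishing indicator (a domain, URL or file hash) across stored telemetry, and retroactively matching a newly published threat-intelligence feed against one year of historical events, then pivoting to the other activity seen on an affected device. The `Event` and `Indicator` types, the hostnames, usernames, hashes and the feed entries are all constructed for the example; the one-year window reflects the retention period mentioned in the interview.

```python
"""Prevalence lookup and retroactive IoC matching over a small, constructed event log.
Added example; it is not Chronicle's code and does not describe its internals."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str   # "dns", "http" or "file"
    value: str  # queried domain, requested URL, or file hash


@dataclass(frozen=True)
class Indicator:
    ioc_type: str  # "domain", "url" or "hash"
    value: str


NOW = datetime(2020, 6, 1, 12, 0, 0)      # fixed "current time" so the example is deterministic
RETENTION = timedelta(days=365)          # one year of searchable history, as in the interview

# Constructed telemetry: hostnames, users, domains and the hash are made up.
EVENTS = [
    Event(NOW - timedelta(days=200), "ws-017", "alice", "dns", "bad-example.test"),
    Event(NOW - timedelta(days=200), "ws-017", "alice", "http", "http://bad-example.test/login"),
    Event(NOW - timedelta(days=30), "ws-042", "bob", "file", "deadbeef" * 8),
    Event(NOW - timedelta(days=2), "ws-042", "bob", "dns", "bad-example.test"),
    Event(NOW - timedelta(hours=1), "ws-099", "carol", "dns", "benign.example"),
    Event(NOW - timedelta(days=400), "ws-003", "dave", "dns", "bad-example.test"),  # older than retention
]


def _event_domain(ev):
    """Domain an event touched: the DNS query itself, or the host part of a requested URL."""
    if ev.kind == "dns":
        return ev.value.lower()
    if ev.kind == "http":
        return (urlsplit(ev.value).hostname or "").lower()
    return None


def matches(ev, ioc):
    """True if the event is an occurrence of the indicator (case-insensitive)."""
    v = ioc.value.lower()
    if ioc.ioc_type == "domain":
        return _event_domain(ev) == v          # a domain IoC also matches URLs on that host
    if ioc.ioc_type == "url":
        return ev.kind == "http" and ev.value.lower() == v
    if ioc.ioc_type == "hash":
        return ev.kind == "file" and ev.value.lower() == v
    return False


def prevalence(events, ioc, now=NOW, retention=RETENTION):
    """Enterprise-wide prevalence of one indicator inside the retention window:
    how many events, which hosts, which users, and when it was first seen."""
    cutoff = now - retention
    hits = [ev for ev in events if ev.ts >= cutoff and matches(ev, ioc)]
    return {
        "indicator": ioc.value,
        "hits": len(hits),
        "hosts": sorted({ev.host for ev in hits}),
        "users": sorted({ev.user for ev in hits}),
        "first_seen": min(ev.ts for ev in hits) if hits else None,
    }


def retroactive_scan(events, feed, now=NOW, retention=RETENTION):
    """Apply every indicator from a newly received feed to historical telemetry;
    returns only the indicators that actually occurred, keyed by value."""
    results = {}
    for ioc in feed:
        summary = prevalence(events, ioc, now, retention)
        if summary["hits"]:
            results[ioc.value] = summary
    return results


def match_live(ev, feed):
    """Forward-looking check: which feed indicators does a single new event hit?"""
    return [ioc.value for ioc in feed if matches(ev, ioc)]


def host_context(events, host):
    """Pivot for triage: every event recorded on a device, oldest first."""
    return sorted((ev for ev in events if ev.host == host), key=lambda ev: ev.ts)


if __name__ == "__main__":
    feed = [Indicator("domain", "bad-example.test"), Indicator("hash", "deadbeef" * 8)]
    for value, summary in retroactive_scan(EVENTS, feed).items():
        print(value, "->", summary["hosts"], summary["users"], summary["first_seen"])
    for ev in host_context(EVENTS, "ws-042"):
        print(ev.ts, ev.kind, ev.value[:32])
```

Two design points worth noting: indicator matching normalizes both sides (lower-casing, extracting the URL host) so that a domain from the feed also catches URL requests on that domain, and the retention cutoff is applied before matching, which is why the 400-day-old event on `ws-003` does not appear in the results even though it references the same domain.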
5. The last couple of years have shown security professionals slowly shifting to cloud-based security analytics. What drives that change and what are your predictions for the next couple of years?
The big shift we’re seeing is that security analytics has become a big data problem. Today, even mid-sized organizations may generate petabytes of security telemetry. Security teams, however, aren’t in the business of managing big data and the underlying infrastructure required to keep up with these volumes. On top of this, budgets have largely shifted from capex to opex, which means budgets won’t be spent on more hardware to support security telemetry. CISOs want their staff to perform security operations, not infrastructure management, which is why it makes sense to invest in SaaS-based security analytics with unlimited data storage.
For the next couple of years, we predict that the use of cloud-based security technology is going to change the game. For example, the capacity of the cloud to help bring shared intelligence to enterprises is super powerful. We see the opportunity for sharing intelligence at both geographical and vertical levels. Imagine seeing increased attacks on organizations in a certain country in Europe, or a new phishing attack targeting banks and then being able to anonymize these threat signals to help ensure all our customers are protected.
Download your copy of Redefining Security Analytics to learn how to investigate and hunt at the speed of search here.
Follow us on Twitter: @GoogleCloud_ME
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.