Page 77 - Cyber Defense eMagazine October 2023

In this article, we’re going to explore the value of unifying multiple analytics streams and explain how it
            helps organizations determine their overall security posture and risk. First, what’s the value of unified
            analytics?

            While each analytics module provides useful information on its own, the value multiplies when the
            modules are unified. If the models are kept separate, security analysts have to assemble the results
            manually to produce context, much like fitting together the pieces of a puzzle. For example, a slightly
            higher than normal number of login attempts to a particular system from a mobile device may not be a
            serious risk on its own. But if that system connected to a known malware site on the last successful
            attempt, the sequence of events presents a serious risk. Knowing those two facts requires two completely
            different sets of analytics and data, and the two must be joined to show the full picture.

            Furthermore, separate analytics are a resource burden. Too many modules produce too much data, which
            can overwhelm small teams, and individual pieces of data don’t tell the whole story. For example, one
            module might detect someone logging in from a new IP address. But are they working remotely, or has
            their account been compromised? Limited data like this can send analysts on a wild goose chase, which
            consumes time and resources. The organization winds up spending more for subpar protection.

            Unified analytics connects the outputs from each system to establish context and identify the
            relationships between them. For example, a login from a new IP address combined with port scanning or
            unusual lateral movement would strongly indicate that the account has been compromised. Another
            example: accessing a clinical patient record kept in a US data center remotely from an approved laptop
            is likely acceptable, but accessing it from a Linux server in Guatemala should raise red flags. By
            unifying this disparate telemetry and applying the corresponding analytics, teams can assess risk more
            accurately, better target a response, be more transparent about the process (and have more confidence
            in the results), understand the entire attack more quickly (through a unified console), reduce threat
            hunting costs, and improve overall security. But not all solutions make this easy: in a survey conducted
            at RSA 2023, 42% of respondents said it took them weeks or longer to add new data sources to their
            SIEM, and nearly half only chain together endpoint and network analytics.
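The correlation step described above, as an added example that is not from the article or from any product it mentions. It joins signals from four separate modules (authentication, NDR, EDR, DLP) per user inside a time window, scores the set rather than each alert, and cross-checks sensitive-record access against an asset inventory and geo policy. Every user, host, IP address, policy table and weight below is constructed for the demo; the weights and window are assumptions, not a vendor's scoring.

```python
"""Added example (not from the article): unified analytics as a correlation step.
Signals from separate modules (auth, NDR, EDR, DLP) are joined per user inside a
time window and scored as a set, then cross-checked against asset and geo context.
All users, hosts, IP addresses, policy data and weights are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # analytics module that produced the signal: auth, ndr, edr, dlp
    entity: str   # user the signal is attributed to
    kind: str     # normalized signal name
    attrs: dict = field(default_factory=dict)


# Hypothetical context that would normally come from an asset inventory / CMDB.
APPROVED_DEVICES = {"carol": {"LAPTOP-C01"}, "dave": {"LAPTOP-D01"}}
ALLOWED_COUNTRIES = {"US"}

# Weight of each signal on its own: none is alarming by itself.
SIGNAL_WEIGHT = {"login_new_ip": 20, "port_scan": 25,
                 "lateral_movement": 30, "sensitive_record_access": 10}

# Combinations that mean something only together: (signal set, bonus, verdict).
COMBINATIONS = [
    (frozenset({"login_new_ip", "port_scan", "lateral_movement"}), 40, "likely account compromise"),
    (frozenset({"login_new_ip", "lateral_movement"}), 25, "possible account compromise"),
]


def ts(hhmm):
    """Build a timestamp on one constructed day from 'HH:MM'."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2023, 10, 1, hour, minute)


def context_penalty(entity, ev):
    """Cross-check a sensitive-record access against device inventory and geo policy."""
    if ev.kind != "sensitive_record_access":
        return 0, []
    penalty, reasons = 0, []
    device = ev.attrs.get("device")
    if device not in APPROVED_DEVICES.get(entity, set()):
        penalty += 30
        reasons.append(f"unapproved device {device}")
    if ev.attrs.get("role") == "server":
        penalty += 20
        reasons.append(f"access from a {ev.attrs.get('os')} server, not a workstation")
    if ev.attrs.get("country") not in ALLOWED_COUNTRIES:
        penalty += 30
        reasons.append(f"access from country {ev.attrs.get('country')}")
    return penalty, reasons


def correlate(events, window=timedelta(minutes=30)):
    """Group signals per entity, keep those within `window` of the entity's first
    signal, and score the set: individual weights + combination bonus + context."""
    by_entity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_entity[ev.entity].append(ev)

    results = {}
    for entity, evs in by_entity.items():
        start = evs[0].ts
        in_window = [e for e in evs if e.ts - start <= window]
        kinds = {e.kind for e in in_window}
        score = sum(SIGNAL_WEIGHT.get(k, 0) for k in kinds)
        reasons = [f"{e.source}:{e.kind}" for e in in_window]
        verdict = "informational"
        for combo, bonus, label in COMBINATIONS:
            if combo <= kinds:          # all signals of the combination are present
                score += bonus
                verdict = label
                break
        for e in in_window:
            pen, why = context_penalty(entity, e)
            score += pen
            reasons.extend(why)
        if verdict == "informational" and score >= 50:
            verdict = "investigate"
        results[entity] = {"score": min(score, 100), "verdict": verdict, "reasons": reasons}
    return results


# Constructed events from four separate analytics modules.
EVENTS = [
    # alice: a login from a new IP and nothing else, probably remote work
    Event(ts("09:00"), "auth", "alice", "login_new_ip", {"ip": "203.0.113.7"}),
    # bob: new-IP login, then a port scan and lateral movement from his workstation
    Event(ts("09:05"), "auth", "bob", "login_new_ip", {"ip": "198.51.100.9"}),
    Event(ts("09:12"), "ndr", "bob", "port_scan", {"src_host": "WS-B01"}),
    Event(ts("09:20"), "edr", "bob", "lateral_movement", {"technique": "remote service creation"}),
    # carol: clinical record read from her approved laptop in the US
    Event(ts("10:00"), "dlp", "carol", "sensitive_record_access",
          {"device": "LAPTOP-C01", "os": "windows", "role": "workstation", "country": "US"}),
    # dave: the same record type read from a Linux server in Guatemala
    Event(ts("10:30"), "dlp", "dave", "sensitive_record_access",
          {"device": "SRV-GT-04", "os": "linux", "role": "server", "country": "GT"}),
]

if __name__ == "__main__":
    for user, r in correlate(EVENTS).items():
        print(f"{user:6} score={r['score']:3} {r['verdict']:27} {'; '.join(r['reasons'])}")
```

Alice's lone new-IP login scores 20 and stays informational, Bob's three signals together cross the combination threshold and come out as a likely compromise, and Carol and Dave generate the same DLP signal but land at 10 and 90 respectively once the asset and geo context is applied. The point a practitioner should take from it is that the context lookups and the combination table are where the value lives; the same four raw alerts fed to four separate consoles would each look marginal.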

            But unifying analytics modules is only part of the equation. The type of machine learning applied to these
            data sources is also crucial to streamlining detection and response. Most of today’s solutions (such as
            XDR and SIEM) still rely on rules-based detection rather than ML proper: a predefined set of rules and
            instructions that look for specific inputs and produce specific outputs. For example, checking whether a
            file hash matches a known malware signature, or analyzing logs while discarding the additional endpoint
            telemetry gathered by an EDR solution. This can genuinely slow an analyst down in identifying a threat. For
            example, if a user has uncommon access to a specific application but this is an accepted outlier condition,
            it is important not to raise a false positive. That requires a model trained on the organization’s own
            data rather than the automatic triggering of a simple rule.
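The accepted-outlier case above, as an added example that is not from the article or from any product it mentions: a static role-based access rule beside a per-user frequency baseline learned from that user's own history. The baseline is a deliberately simple stand-in for the trained model the text describes, not a claim about how any vendor implements it. Users, roles, applications, the 30-day window, the minimum-seen threshold and the access logs are all constructed.

```python
"""Added example (not from the article): a static access rule versus a per-user
baseline learned from that user's own history. The rule fires on an accepted
outlier; the baseline does not, and it forgets behaviour that has left its window.
Users, roles, applications and access logs are constructed for the demo."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Static rule data (hypothetical): each role is allowed a fixed set of applications.
ROLE_APPS = {"finance": {"erp", "expenses"}, "engineering": {"git", "ci", "wiki"}}
USER_ROLE = {"erin": "finance", "frank": "engineering"}


def rule_alerts(accesses):
    """Rules-based detection: flag any access to an app outside the role's allow-list."""
    return [(ts, user, app) for ts, user, app in accesses
            if app not in ROLE_APPS[USER_ROLE[user]]]


class UserBaseline:
    """Per-user frequency baseline over a rolling window: a deliberately simple
    stand-in for a model trained on the organization's own data."""

    def __init__(self, window=timedelta(days=30), min_seen=3):
        self.window = window        # observations older than this are forgotten
        self.min_seen = min_seen    # an app seen fewer times than this is unusual for the user
        self.history = defaultdict(list)   # user -> [(ts, app), ...]

    def train(self, history):
        for ts, user, app in history:
            self.observe(ts, user, app)

    def observe(self, ts, user, app):
        self.history[user].append((ts, app))

    def _counts(self, user, now):
        cutoff = now - self.window
        # Prune first: a habit that stopped is unlearned, so the baseline adapts over time.
        self.history[user] = [(t, a) for t, a in self.history[user] if t >= cutoff]
        return Counter(a for _, a in self.history[user])

    def is_anomalous(self, ts, user, app):
        return self._counts(user, ts)[app] < self.min_seen


def baseline_alerts(accesses, baseline):
    """Judge each access against the user's history up to that moment, then learn from it."""
    alerts = []
    for ts, user, app in accesses:
        if baseline.is_anomalous(ts, user, app):
            alerts.append((ts, user, app))
        baseline.observe(ts, user, app)
    return alerts


D0 = datetime(2023, 9, 1)


def day(n):
    return D0 + timedelta(days=n)


# Constructed history: erin (finance) has used git regularly for a month to maintain
# reporting scripts, an accepted outlier; frank (engineering) has only ever used git.
HISTORY = ([(day(n), "erin", "git") for n in (1, 5, 9, 13, 17, 21, 25)]
           + [(day(n), "erin", "erp") for n in (2, 6, 10, 14)]
           + [(day(n), "frank", "git") for n in (1, 3, 5, 7)])

# Constructed detection-period accesses.
ACCESSES = [
    (day(28), "erin", "git"),    # accepted outlier: the rule fires, the baseline does not
    (day(29), "frank", "erp"),   # genuinely new for frank: both fire
    (day(70), "erin", "git"),    # erin had stopped using git for six weeks: both fire again
]

if __name__ == "__main__":
    print("rule:    ", [(t.date(), u, a) for t, u, a in rule_alerts(ACCESSES)])
    model = UserBaseline()
    model.train(HISTORY)
    print("baseline:", [(t.date(), u, a) for t, u, a in baseline_alerts(ACCESSES, model)])
```

The rule raises all three accesses because it only knows roles; the baseline stays quiet on Erin's routine git use, still catches Frank's first ERP access, and fires on Erin again once her git habit has aged out of the window, which is the "discard rules that no longer work" behaviour without anyone editing a rule. The caveat a practitioner should keep in mind is the flip side of that adaptivity: an attacker who establishes a pattern slowly gets baselined in, which is one reason a per-entity baseline needs the cross-source context from the previous section rather than standing alone.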

            It is rarer to find solutions using adaptive ML. These models train on actual data, which allows the
            system to learn new rules on its own, discard ones that no longer work, and ingest unfamiliar or
            unstructured data. Adaptive ML also makes it easier to scale as a network grows, and it can ingest more
            types of data, such as badge systems or data from HR software showing who is on vacation, has given
            two weeks’ notice, or is on a performance improvement plan. It may also save the organization money
            depending on how the vendor charges for that data (on the other hand, products that charge by




            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.