INSIGHT: When it comes to threat detection and incident response, context matters


Scott Crane, Director of Product Development, Arbor Networks explains why security analytics are essential for discovering and preventing attacks.

In an environment of unrelenting attacks, network packet capture and security analytics are essential for discovering an attack while it is in progress, for providing the intelligence needed to minimise the damage done, and for preventing future attacks.

Chief Security Officers should now be using security analytics tools for threat detection and incident response.

These security analytics tools offer the analyst unprecedented access to data they have always logged and kept, but rarely used.

This also allows security professionals to explore data sets previously deemed too large and complex for everyday use like full packet captures of all network data.

Now we are seeing the emergence of tool sets that can not only deal with the incredible amount of information coming in daily, but can also be used to review older data.

The ability to look quickly into data from the past is gold for a security analyst. Being able to see trends and spot previously missed threats means that analysts are finally moving from a reactive footing to one of informed preparedness.

This new generation of security analytics tools will undoubtedly make analysts more efficient and accurate in their analysis, but it will also mean that the analyst is reaching conclusions faster, contributing to the operational outcomes of security rather than “after action reporting” on incidents they have detected.

We are now starting to see tools that can assist an analyst in identifying and following a long running and blended threat, where the tactics change and the attacker uses a variety of methods over a long period of time.

However, most organisations don’t know why they need security analytics in the first place.

A year or so ago, the big buzz-term was “big data” and consequently every vendor announced a solution in the information management space, which only confused the market as to what was important and what was just hype.

Security analytics tools don’t actually eliminate the need for a Security Incident and Event Management (SIEM) system.

They still have their place in most organisations, because they do an incredible job in coordinating a massive range of disparate information and events into a single interface that can give a security team a picture of what they face right now.

However, the major concern is that they achieve this at the expense of context and data fidelity.

They simply cannot be used to fully understand everything that has happened during an incident or to establish its extent and impact, especially if the attacker changes tactics and moves laterally during the attack.

The function of SIEM and Security Analytics will most likely merge in the future, but we are not there yet unfortunately.

Companies that are holding back on adopting Security Analytics either still don’t fully understand the problem that it can solve, or have already made a bet on technology adjacent to this space (for example SIEM) and are still trying to realise the return on the previous spend.

No one wants to spend a considerable amount in a particular area and then find that they missed a large piece of the puzzle, and that they are still not completely covered.

In my view, the key question for organisations selecting and implementing Security Analytics solutions is whether they are trying to understand their data statistically, looking for averages, trends and metrics to establish baselines, or whether they want to work in real time and understand what is happening now and what happened during past events, so as to plan better for the future.

Importantly, they really must be certain that their chosen Security Analytics system will scale, not just in terms of storage, but in how the search and query capability scales.

If the solution loses performance as the data set grows, or as queries become deeper and more complex, it will be of no value for analytics, especially in real time.

It is essential to collect, store and process enough data, and to do so quickly and efficiently enough to achieve the results required.

When security professionals are deploying a Security Analytics solution, my number one piece of advice is to start small with modest requirements initially.

Many data science projects fail because the breadth of requirements is so large that it is impossible to find an initial approach that can satisfy all of the requirements.

Ultimately, the organisations leading the way are those moving beyond SIEM systems and striving to understand the extent and impact of attacks through Security Analytics, rather than merely detecting the presence of those threats.

The fact that they have switched their security strategy from reactive to one of informed preparedness will enable them to secure their networks and maintain their online presence.

By Scott Crane, Director of Product Development, Arbor Networks

