Securing the Digital World

Reducing The Noise

Mar 09, 2016 | by Prashant Mishra

Today, enterprise infrastructures are borderless and generate more data than ever. With more breaches happening every year, the question is no longer "if we get breached" but "when we get breached." Organizations need not only a team of skilled security professionals but also security controls capable of detecting and responding to threats on the network. SIEM solutions were built to collect logs and correlate them against rules, yet they have largely failed to detect breaches: a log line on its own rarely carries enough context to tell an analyst what it means. They also produce too many false positives, and the resulting flood of alerts is one in which analysts get lost. Newer solutions such as RSA Security Analytics add behaviour analytics, which addresses these problems by focusing on identifying malicious behaviour by users and other entities rather than on matching individual events.

Using data-science-driven models, these solutions profile users, applications, networks and endpoints in order to detect anomalies, and the outcome is actionable intelligence. For example, an alert fires when a user accesses applications they have never accessed before, or when a user who normally works from Canada logs in from Asia.

This differs from the rule-driven approach of SIEM solutions, which is static by nature: a rule fires only on the condition its author wrote in advance, whereas a behavioural model fires on deviation from what has actually been observed for that user or entity.
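To make the contrast concrete, the following is an added example (not code from RSA Security Analytics or from this post's author) that puts a static, SIEM-style country rule beside a per-user behavioural baseline. The events, the user names, the blocked-country list and the `MIN_BASELINE_EVENTS` threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed events: (user, application, login country). The baseline window
# stands in for the observation period a behaviour-analytics model learns from.
BASELINE_EVENTS = [
    ("alice", "mail", "CA"),
    ("alice", "crm", "CA"),
    ("alice", "mail", "CA"),
    ("alice", "crm", "CA"),
    ("bob", "wiki", "US"),
    ("bob", "git", "US"),
    ("bob", "wiki", "US"),
    ("carol", "mail", "US"),   # only one observation: profile not yet trustworthy
]

# Constructed events arriving after the baseline was built.
NEW_EVENTS = [
    ("alice", "mail", "CA"),     # matches her profile
    ("alice", "payroll", "CA"),  # application alice has never used
    ("alice", "mail", "SG"),     # her usual app, but from a country never seen for her
    ("bob", "git", "US"),        # matches his profile
    ("carol", "crm", "US"),      # new app, but carol's profile is still learning
    ("dave", "mail", "US"),      # user with no profile at all
]

# Hypothetical threshold: a user needs this many baseline events before the
# model trusts the profile enough to raise alerts. Below it, every first-time
# action would look 'new' and the model would generate the very noise it is
# meant to remove.
MIN_BASELINE_EVENTS = 3

# Static SIEM-style rule: fires on a fixed list of countries, regardless of
# what is normal for the individual user. Illustrative list only.
BLOCKED_COUNTRIES = {"KP", "IR"}


def static_rule_alerts(events):
    """The rule only sees what its author anticipated; nothing in NEW_EVENTS fires."""
    return [(user, "blocked_country", app, country)
            for user, app, country in events if country in BLOCKED_COUNTRIES]


def build_profiles(events):
    """Per-user baseline: the applications and countries seen, plus an event count."""
    profiles = defaultdict(lambda: {"apps": set(), "countries": set(), "n": 0})
    for user, app, country in events:
        p = profiles[user]
        p["apps"].add(app)
        p["countries"].add(country)
        p["n"] += 1
    return dict(profiles)


def behavioural_alerts(profiles, events, min_events=MIN_BASELINE_EVENTS):
    """Flag events that deviate from the user's own baseline."""
    alerts = []
    for user, app, country in events:
        p = profiles.get(user)
        if p is None:
            # No baseline at all: surface it as its own category rather than
            # silently treating an unknown account as normal.
            alerts.append((user, "no_profile", app, country))
            continue
        if p["n"] < min_events:
            continue  # still learning: record, but do not alert
        reasons = []
        if app not in p["apps"]:
            reasons.append("new_app")
        if country not in p["countries"]:
            reasons.append("new_country")
        if reasons:
            alerts.append((user, "+".join(reasons), app, country))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_EVENTS)
    print("static rule:", static_rule_alerts(NEW_EVENTS))
    for alert in behavioural_alerts(profiles, NEW_EVENTS):
        print("behavioural:", alert)
```

Run as a script, the static rule returns nothing, while the behavioural model flags alice's first use of `payroll` and her login from `SG`, and separately reports `dave` as an account with no baseline. The learning threshold is the part worth attention in practice: a profile built from too few observations, or built while an intruder is already active, describes the intruder's behaviour as normal.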

Behaviour analytics automatically reduces the noise security analysts must sift through, because a model weighs multiple parameters together with rich intelligence before flagging an alert, instead of firing on a single matching event. Data science models are built around at least three key target categories:

  • User activity
  • System activity
  • Network activity

Each of these categories in turn contains multiple use cases. In the case of network activity, for instance, separate models can cover suspicious communications, data exfiltration detection, fast flux detection, and so on.
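As an added illustration of two of those network-activity use cases (not code from RSA Security Analytics or from the post's author), the block below scores per-host outbound volume against each host's own history for exfiltration, and screens observed DNS answers for fast-flux behaviour. The flow totals, DNS records, host addresses, domain names and every threshold are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound byte totals per internal host over a 7-day baseline.
OUTBOUND_BASELINE = {
    "10.0.0.5": [210_000, 190_000, 230_000, 205_000, 220_000, 195_000, 215_000],
    "10.0.0.9": [1_200_000, 1_150_000, 1_300_000, 1_250_000, 1_180_000, 1_220_000, 1_260_000],
}
# Constructed totals for the day being scored: 10.0.0.5 sends far more than usual,
# and 10.0.0.42 is a host the baseline has never seen.
OUTBOUND_TODAY = {"10.0.0.5": 4_800_000, "10.0.0.9": 1_240_000, "10.0.0.42": 9_000_000}

# Illustrative thresholds, not values from any product.
Z_THRESHOLD = 3.0               # standard deviations above the host's own mean
MIN_ABSOLUTE_BYTES = 1_000_000  # ignore transfers that are odd for the host but tiny overall


def exfil_alerts(baseline, today, z_threshold=Z_THRESHOLD, min_bytes=MIN_ABSOLUTE_BYTES):
    """Score each host's outbound volume against its own history (z-score)."""
    alerts = []
    for host, total in sorted(today.items()):
        history = baseline.get(host)
        if not history or len(history) < 3:
            continue  # no usable baseline: this host needs a static rule or a learning period
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            sigma = max(mu * 0.1, 1.0)  # floor so a perfectly flat history cannot divide by zero
        z = (total - mu) / sigma
        if z > z_threshold and total >= min_bytes:
            alerts.append((host, total, round(z, 1)))
    return alerts


# Constructed DNS answers seen on the wire: (domain, answered IP, TTL in seconds).
# cdn.example.com rotates several addresses with a short TTL, but all inside one
# /24; update-svc.example.net answers with short TTLs from scattered networks.
DNS_ANSWERS = [
    ("cdn.example.com", "203.0.113.10", 60),
    ("cdn.example.com", "203.0.113.11", 60),
    ("cdn.example.com", "203.0.113.12", 60),
    ("cdn.example.com", "203.0.113.13", 60),
    ("cdn.example.com", "203.0.113.14", 60),
    ("update-svc.example.net", "198.51.100.20", 120),
    ("update-svc.example.net", "198.51.100.77", 90),
    ("update-svc.example.net", "192.0.2.14", 150),
    ("update-svc.example.net", "203.0.113.200", 60),
    ("update-svc.example.net", "198.51.100.5", 120),
]

FLUX_MIN_DISTINCT_IPS = 5
FLUX_MIN_DISTINCT_NETS = 3   # distinct /24s: fluxing hosts are scattered across networks
FLUX_MAX_TTL = 300


def fast_flux_candidates(answers, min_ips=FLUX_MIN_DISTINCT_IPS,
                         min_nets=FLUX_MIN_DISTINCT_NETS, max_ttl=FLUX_MAX_TTL):
    """Domains whose answers show many IPs, across many networks, with short TTLs."""
    ips, nets, max_ttls = defaultdict(set), defaultdict(set), {}
    for domain, ip, ttl in answers:
        ips[domain].add(ip)
        nets[domain].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        max_ttls[domain] = max(max_ttls.get(domain, 0), ttl)
    return sorted(d for d in ips
                  if len(ips[d]) >= min_ips
                  and len(nets[d]) >= min_nets
                  and max_ttls[d] <= max_ttl)


if __name__ == "__main__":
    for host, total, z in exfil_alerts(OUTBOUND_BASELINE, OUTBOUND_TODAY):
        print(f"exfil candidate: {host} sent {total} bytes, z={z}")
    print("fast flux candidates:", fast_flux_candidates(DNS_ANSWERS))
```

Two details carry the point of the section. The exfiltration model raises one alert, for 10.0.0.5, because that host's volume is many standard deviations above its own baseline; 10.0.0.9's volume is high in absolute terms but normal for it, and 10.0.0.42 produces no alert at all because there is nothing to compare it against, which is exactly the gap a static volume rule would still have to cover. The fast-flux check keeps the CDN out of its output only because it requires address diversity across networks rather than a raw IP count, since a short TTL and many answers are ordinary for a content delivery network.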

These models will continue to improve with time. Until then, they need to be supplemented with strong forensic capabilities, from security analysts as well as from other security tools, and a behavioural baseline should be trusted only once it has been learned over enough observations and verified not to have been built while an intruder was already active.