How analytics bolster SIEM for a better SOC

Sairam Bollapragada Head, Global Delivery Center, Micro Focus Professional Services
Samir Pathak Enterprise Security Delivery Lead, Micro Focus

Security operations teams need appropriate tools and techniques to process and correlate the enormous amount of historical and real-time security data that's sent to them every day. Without such tools, your teams won't be able to get the insights they need to keep your organization's data secure.

That's why security analytics is a critical component in any cyber-defense scheme. By applying expert analytics techniques to substantial amounts of data, your security teams can defend against, and even prevent, the most sophisticated hacker attacks.

Traditional security information and event management (SIEM) systems can't track, monitor, or analyze every attribute of a potential security event efficiently and effectively. That leads to a large number of false positives for security teams to sift through daily, wasting precious time that could be better spent addressing more critical threats.

Here's how analytics empower intelligent SOCs today—and will shape the future of cybersecurity.

Dealing with the deluge

Security analytics makes a SIEM more effective by eliminating false positives. Analytics can automate incident investigation and provide better context for alerts. By filtering out statistical noise, security analytics reduces massive flows of raw security alerts into a manageable number of concise, clearly categorized warnings.

Analytics can eliminate 95% of the false positives produced by some security tools deployed today. You can use analytics to automate as much as 80% of the repetitive, manual tasks that eat security analysts' time every day, freeing them to perform more valuable tasks, according to the IT best-practices group ONUG.

Unlike traditional SIEM software, analytics tools can operate in real time, and you can rank the smaller number of security alerts they produce by severity using a risk model that you can customize to suit your business's needs. Acting quickly and knowledgeably on security event information is critical for an effective security operations center (SOC).

All this makes obtaining information in real time even more important, especially since most organizations aren't aware of the tactics adversaries use, and those that are aware almost never react fast enough to avoid becoming prey for attackers.

With the alarming growth in cybersecurity threats across industry verticals, it's more important than ever to strengthen critical infrastructure with intelligent SOCs. To achieve this you need to use new analytics methods, and to have access to more data than ever.

Security analytics plays a vital role by producing dependable, repeatable decisions and discovering unseen or hidden patterns by learning from historical data. It also brings to bear sophisticated, intelligence-driven tactics for real-time investigation of both known and unknown vulnerabilities, immediate access to the relevant data, evidence visualization, and additional advanced tools and practices that reduce the potential risk of cybersecurity threats.

An effective foil for threat vectors

The need to catch up with attackers has made using big data security analytics essential. Threat vectors have moved away from attacks that you can easily counter with signature-based tools to polymorphic sorties with point-and-click exploit kits that change their signature with each attack.

Security owners are supposed to build a citadel of security around an enterprise, but hackers have shown that no citadel is immune to their penetration skills.

Only a slight majority of the threat landscape is known, which means nearly half of it is not. One of the biggest disappointments with cybersecurity has been its inability to be as predictive as it needs to be, but security analytics can address that shortcoming.

You can use it to identify cases of data leakage that elude traditional data loss prevention tools by having it watch how data is behaving on your network. With big data tools, security teams can identify threats, as well as a broad range of key business risks. 

Big data analytics can be quite effective in securing an enterprise's data. A survey (PDF) by MeriTalk, a public-private partnership focused on improving outcomes of government IT, found that 84% of US government agencies that use big data say it's been used to successfully foil a cybersecurity attack.

Moreover, 90% saw a decrease in security breaches caused by malware, insider threats, and social engineering as a result of using big data analytics, according to the same survey.

Another analytics benefit: Better collaboration

Security analytics helps security teams and IT professionals collaborate in a centralized data environment—like a SIEM—with diverse sets of data that you can model to minimize risk and improve overall security.

You can augment that collaboration with AI and machine-learning models that can identify and predict unusual behavior patterns so that teams can react faster to threats than they could with traditional SIEM tools. Teams need time to craft a response to an attack once it's discovered so they can prevent the exfiltration of data. Analytics gives them that time.

Analytics adoption and challenges

The majority of SOCs recognize there is room for improvement with their security analytics initiatives. According to the SANS Institute, almost 56% are "not satisfied" with the maturity of their analytics software using machine learning and AI.

The general barriers preventing adoption include a lack of trained and experienced staff, budget and time constraints, and the technical requirements to integrate cyber-threat intelligence.

For SOCs that want to take advantage of security analytics, the key is to start small and implement it where operations have already reached a sufficient level of maturity.

The future of security analytics

Combining analytics with a SIEM gives your organization the best of two worlds. It allows your enterprise to protect its investment in the SIEM while using analytics to unlock the rich log data stored there.

Analytics can look for behavioral changes across the enterprise that might be indicators of threats. The changes become leads for your organization's cybersecurity team, which can examine the entities associated with the changes in the SIEM to add context to behaviors that security analytics tools have flagged.
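The noise reduction and risk-model ranking described under "Dealing with the deluge", and the behavioral-change leads with SIEM entity context described here, as an added example that is not from the article or its authors: a raw alert stream is aggregated per entity, each entity is compared with its own historical baseline rather than a global threshold, and survivors are scored by a tunable risk model. The alert data, the z-score baseline and the risk weights are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample of raw SIEM alerts: (day, entity, rule). Days 1-5 are the
# historical baseline; day 6 is the window under review. Real feeds are far noisier.
RAW_ALERTS = (
    [(d, "alice", "failed_login") for d in range(1, 7) for _ in range(3)]
    + [(d, "svc-backup", "bulk_read") for d in range(1, 7) for _ in range(40)]
    + [(d, "bob", "failed_login") for d in range(1, 6)]
    + [(6, "bob", "failed_login")] * 25
)

RISK_MODEL = {                              # constructed, tunable per organization
    "zscore_threshold": 3.0,                # how far from its own baseline an entity must drift
    "rule_weight": {"failed_login": 1.0, "bulk_read": 2.0},
    "entity_weight": {"svc-backup": 3.0},   # privileged accounts count for more
}

def daily_counts(alerts):
    """Aggregate raw alerts into per-(entity, rule) daily counts."""
    counts = defaultdict(Counter)
    for day, entity, rule in alerts:
        counts[(entity, rule)][day] += 1
    return counts

def behavioral_leads(alerts, review_day, model):
    """Turn a raw alert stream into a ranked list of behavioral-change leads.
    Each entity/rule pair is compared with its own history, and survivors are
    scored by the customizable risk model and carry their SIEM evidence."""
    leads = []
    for (entity, rule), per_day in daily_counts(alerts).items():
        history = [per_day.get(d, 0) for d in range(1, review_day)]
        today = per_day.get(review_day, 0)
        sd = pstdev(history) or 1.0           # flat baseline: treat one event as one sigma
        z = (today - mean(history)) / sd
        if abs(z) < model["zscore_threshold"]:
            continue                          # normal variation: statistical noise, not a lead
        risk = abs(z) * model["rule_weight"].get(rule, 1.0) * model["entity_weight"].get(entity, 1.0)
        leads.append({"entity": entity, "rule": rule, "baseline": round(mean(history), 1),
                      "today": today, "risk": round(risk, 1),
                      # context an analyst pulls from the SIEM to investigate the lead
                      "evidence": [a for a in alerts if a[0] == review_day and a[1] == entity]})
    return sorted(leads, key=lambda lead: lead["risk"], reverse=True)

if __name__ == "__main__":
    leads = behavioral_leads(RAW_ALERTS, review_day=6, model=RISK_MODEL)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(leads)} lead(s)")
    for lead in leads:
        print(lead["entity"], lead["rule"], "baseline", lead["baseline"],
              "today", lead["today"], "risk", lead["risk"])
```

The 240 daily bulk reads by the backup service never become a lead because they match its own baseline, while bob's jump from one failed login a day to 25 does, even though a global threshold would have ranked the two the other way round.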

Analytics-driven SIEM results in fewer breaches, lower patching costs, and lower compliance costs. 

Going forward, analytics will play a critical role in shaping the future of cybersecurity. It should be a key element in building up cyber resilience and moving your enterprise beyond prevention to true deterrence. Every enterprise will soon include analytics in their cybersecurity strategies, because it's now the best way to stem the rising tide of cyberattacks.
