It kind of goes without saying that early detection is one of the foundations of cybersecurity defense. The firewalls, VPN concentrators, and other edge defenses that make up your perimeter are the first line of defense to keep the bad guys out. But we know from experience that the bad guys find their way in one way or another. Whether it’s a hidden flaw in a public-facing application, something left exposed by a misconfiguration, or a user falling for a carefully crafted phishing email or social engineering scheme, the bad guys keep getting in through our perimeter defenses. This is where SIEM Advanced Threat Detection comes in.
Early detection on the inside is so important. The earlier we know the bad guys are there, the faster we can react and do something about it. That’s why we have a whole slate of tools to do network traffic analysis, endpoint detection and analysis, anti-virus and anti-malware applications, email filters, access controls, and everything else.
Lots of Tools
Each of these separate tools can detect specific sorts of threats. Email tools can recognize and filter out common scams and phishing attacks and strip off a decent range of malicious attachments. (How many messages from Nigerian princes are in your junk mail folder?) Endpoint tools can often recognize when malware is mucking up the works and frequently put a stop to it before it gets out of hand. Data Loss Prevention (DLP) tools can stop bad guys from exfiltrating data. And network monitoring tools can identify and block suspicious traffic to and from known, and sometimes even suspected, malicious addresses in the wild.
Together these tools roll into impressive effectiveness numbers against common threats. Which is great. Until you remember the sheer volume of threats out there and the fact that it only takes one missed event for the bad guys to slip in and get to work.
As the saying goes: the good guys need to be right every time. The bad guys need to be right only once.
Lots of Threats
Which brings us back to SIEM Advanced Threat Detection. We have a whole stack of threat detection tools and, if we’ve been staying on top of Best Practices, we have a SIEM that can aggregate the output from all those tools into a single display that helps us make sense of all the data that’s coming in. If we’re really on top of the Best Practices, we have an analytics system that can sort through all that data for us and highlight the important parts. We don’t want to waste time chasing false positives or lose time because we didn’t see the most important event in the scroll.
AI-based behavior analytics is a major part of SIEM Advanced Threat Detection. Not because it finds things on its own, but because it can tease out the connections between events that the individual components have each already seen: suspicious traffic from one host to a server outside the environment. Unusual logins at odd times from odd places. Strange spikes in CPU load on an isolated system. An email chain with a user in a dicey domain. Each one of these events is notable on its own, but maybe not enough to set off an alert. But when taken in context, together they point to a security breach in progress.
That’s where security analytics brings it all together and helps the SecOps team detect threats they might have otherwise missed. Add in some smart Security Orchestration, Automation, and Response, and you’ll have a much better time parsing out those subtle attacks and responding to them just as quickly.
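To make the correlation idea concrete, here is an added example (not code from the original post or from any SIEM product) that scores weak signals from several tools per host inside a time window. The event shape, signal names, weights, and threshold are all assumptions constructed for the demo; the point is that no single signal can alert, but the combination seen in one window does.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalized from different tools to one shape:
# (timestamp, tool, host, signal). Field layout is an assumption, not a SIEM schema.
EVENTS = [
    ("2024-05-01T01:55:00", "email",    "ws-042",  "mail_from_suspicious_domain"),
    ("2024-05-01T02:10:00", "auth",     "ws-042",  "login_off_hours_new_geo"),
    ("2024-05-01T02:14:00", "netflow",  "ws-042",  "outbound_to_unknown_host"),
    ("2024-05-01T02:20:00", "endpoint", "ws-042",  "cpu_spike"),
    ("2024-05-01T09:00:00", "endpoint", "srv-db1", "cpu_spike"),
    ("2024-05-01T13:30:00", "auth",     "srv-db1", "login_off_hours_new_geo"),
]

# Weight of each weak signal (assumed values). No single signal reaches the
# threshold; only several of them landing on one host in one window should.
WEIGHTS = {
    "mail_from_suspicious_domain": 20,
    "login_off_hours_new_geo": 35,
    "outbound_to_unknown_host": 40,
    "cpu_spike": 15,
}
ALERT_THRESHOLD = 80
WINDOW = timedelta(minutes=60)

def score_hosts(events, weights=WEIGHTS, window=WINDOW):
    """Return {host: (best_score, [distinct signals in that window])}.

    For each host, slide a window over its time-ordered events and score the
    set of distinct signals inside it. Scoring distinct signals rather than
    raw event count stops one chatty tool from inflating the score by itself."""
    by_host = {}
    for ts, _tool, host, signal in events:
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), signal))
    result = {}
    for host, evs in by_host.items():
        evs.sort()
        best = (0, [])
        for i, (t_end, _) in enumerate(evs):
            in_window = {s for t, s in evs[: i + 1] if t_end - t <= window}
            score = sum(weights.get(s, 0) for s in in_window)
            if score > best[0]:
                best = (score, sorted(in_window))
        result[host] = best
    return result

def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose combined weak signals cross the alert threshold."""
    return {h: v for h, v in score_hosts(events).items() if v[0] >= threshold}

if __name__ == "__main__":
    for host, (score, signals) in alerts(EVENTS).items():
        print(f"ALERT {host}: score={score} signals={signals}")
```

Here ws-042 collects all four signals within 25 minutes and alerts, while srv-db1 shows two of the same signals hours apart and stays below the threshold.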
Watch the Webinar
Want to know more? Check out our presentation on SIEM Advanced Threat Detection to see how a modern Security Analytics platform can deliver more effective threat detection. We’ll talk about:
- Model Driven Security
- Open Analytics vs. Black Box Analytics
- Linked Context vs. Siloed Context
- Risk Prioritized Alerts
- Automated Intelligent Threat Hunting
- Incident Timeline, Visualizations, and Reporting
- Historical Real-Time Analysis vs. Short Term Analysis