Today’s world is increasingly driven by analytics and automation. Security is likewise focusing on automating the generation of network alarms and the identification of threats and risks, using real-time correlation and behavioral anomaly detection. The requirement is to gather security information from across the organization and analyze it in order to automate threat detection, vulnerability identification, risk management, anomaly detection and forensic analysis.
Let’s look one by one, in detail, at what Security Intelligence and analytics covers:
1. Gathering security logs and relevant information from across the organization, backed by big data analytics capabilities, is an essential ingredient. We must be able to capture the necessary network traffic, endpoint and user behavioral data, application data and threat intelligence feeds, so that we know very well what is happening in our environment.
2. Collecting unusual user behavior and network anomalies and analyzing them for threats and risks. The platform should track network traffic and user behavior for any abnormalities and generate alarms. For example, if an internal machine that is not supposed to connect outside the network starts connecting to a machine on the internet, this could be an indication of command and control.
3. Another purpose is risk management. It identifies the possible risks and threats to the organization, so that once a risk is identified we can decide on mitigation or acceptance at the right time.
4. In case of a security incident, this data is used for forensics. We can connect the dots and understand the incident, and the data can serve as legal evidence. With all the network and user data at hand, we can trace the incident back to the real culprits or the root cause.
5. Threat feeds are streams of indicators that are constantly updated by a source outside the organization. A feed may be dedicated exclusively to domains, hashes or malicious IPs. Real-time feeds enable us to protect against known threats in no time.
6. Protecting against zero-days and other vulnerabilities is another priority focus of Security Intelligence. New vulnerabilities are discovered every day, and attackers don’t miss any opportunity to exploit them.
Next-generation security tools can understand machine-generated data and find threats at much faster rates, and they are constantly updated with new threat intelligence. First, you should baseline your environment and know what is normal there in order to recognize evil. Check for popular indicators of threat such as file size, file hash, malicious IP addresses, and Windows executables in strange directories. Some protocols of interest are DNS, NTP, SMB/CIFS, SNMP, and LDAP; they tend to be regular, as opposed to protocols like HTTP. Any unusual pattern or behavior should be monitored and taken care of.
Also, remember that almost 80% of threats come from internal sources and 20% from external ones. So it is very necessary to educate your internal users and to provide only the required privileges and access.
Capturing such huge volumes of data/packets can be a real challenge at times, as it involves high cost. NetFlow could be one solution to this problem: 80 GB of PCAP can be reduced to 300 MB of NetFlow. After understanding your network, you should be able to answer the following questions:
- What do “normal” behaviors look like? What’s abnormal?
- What web servers also act as web clients?
- Which hosts have similar users?
- Which hosts have had significant changes in behavior relative to themselves?
- Which hosts are acting differently from their peers with respect to a particular protocol?
- How many peers does a host have?
- What cliques are present in the network?
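As an added illustration (not code from the original article), the Python script below works through the command-and-control example from point 2 and several of the questions above against constructed NetFlow-style records: it flags restricted hosts that initiate flows outside the network, finds web servers that also act as web clients, counts peers, and reports hosts whose outbound volume changed sharply relative to their own baseline. The 10.0.0.0/8 address space, the no-egress host list and the 3x change threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")    # assumed organization address space
NO_EGRESS = {"10.0.1.20", "10.0.1.2"}  # assumed policy: these never initiate outbound
WEB_PORTS = {80, 443}
# Constructed flow summaries (window, src, dst, dst_port, bytes) in place of NetFlow.
FLOWS = [
    ("baseline", "10.0.1.5", "10.0.1.20", 445, 5200),     # workstation -> file server
    ("baseline", "10.0.1.5", "10.0.1.2", 53, 120),        # workstation -> internal DNS
    ("baseline", "10.0.2.10", "10.0.1.2", 53, 130),       # web server -> internal DNS
    ("baseline", "203.0.113.7", "10.0.2.10", 443, 9000),  # internet client -> web server
    ("current", "10.0.1.5", "10.0.1.20", 445, 5100),
    ("current", "10.0.1.5", "10.0.1.2", 53, 115),
    ("current", "203.0.113.7", "10.0.2.10", 443, 8800),
    ("current", "10.0.2.10", "198.51.100.9", 443, 700),   # web server now acting as a client
    ("current", "10.0.1.20", "192.0.2.44", 443, 15000),   # file server -> internet: possible C2
]

def in_window(flows, window):
    return [f[1:] for f in flows if f[0] == window]  # (src, dst, port, bytes) tuples

def peers(flows):  # map each host to the hosts it exchanged flows with, either direction
    p = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        p[src].add(dst)
        p[dst].add(src)
    return p

def unexpected_egress(flows):
    """Restricted hosts that initiate flows to addresses outside INTERNAL."""
    return sorted({(s, d) for s, d, _p, _b in flows
                   if s in NO_EGRESS and ip_address(d) not in INTERNAL})

def web_servers_acting_as_clients(flows):
    """Hosts that both receive and initiate connections on web ports."""
    servers = {d for _s, d, port, _b in flows if port in WEB_PORTS}
    clients = {s for s, _d, port, _b in flows if port in WEB_PORTS}
    return sorted(servers & clients)

def outbound_bytes(flows):
    tot = defaultdict(int)  # total bytes each host sent during the window
    for src, _d, _p, nbytes in flows:
        tot[src] += nbytes
    return tot

def behavior_shift(baseline, current, factor=3.0):
    """Hosts whose outbound volume grew more than `factor` times against their own baseline."""
    base, cur = outbound_bytes(baseline), outbound_bytes(current)
    return sorted(h for h in cur if cur[h] > factor * max(base.get(h, 0), 1))
```

Run against the "current" window, the file server 10.0.1.20 shows up both as unexpected egress and as a behavior shift, which is exactly the correlation the article describes.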
Authored By - Pooja Sharma
TCS Cyber Security Practice