What are cyber analytics?
Cyber analytics involve the use of algorithms, statistical analysis, behavioral analytics, machine learning, and other classes of analysis to solve cybersecurity problems in a way that traditional security controls cannot. Cyber analytics are often compared with indicators of compromise (IoCs), but are distinguished by the use of analysis to detect potential and unknown threats that signature-based IoCs miss.
“We face cyber attacks every day. And Southern Company isn’t alone – attacks are occurring across critical infrastructure. While Southern Company maintains a mature cybersecurity posture, the role of its security leadership is to ensure that the company is always anticipating and planning for the next attempt to compromise its facilities and services. Southern Company invested in its partnership with IronNet to increase its ability to detect Advanced Persistent Threats (APTs), reduce dwell time, and more quickly recover in the event of an attack.”
How did cyber analytics evolve?
Cybersecurity has always been a dance between attackers and defenders. In the beginning, defenders used rudimentary signatures such as file hashes and IP addresses to detect malicious activity. But as attackers learned how these security controls worked, they adapted their methods to avoid known signatures and evade detection.
Defenders responded by implementing more flexible techniques such as deep packet inspection and identifying binary sequences within files. Around the same time, cybersecurity controls started using more heuristics in detection and mitigation, giving defenders a better sense of whether detected activity was malicious.
Cyber analytics use anomaly detection and other statistical techniques to identify deviations from past behavior. Powerful new technologies such as machine learning and deep learning boost detection and mitigation capabilities. These techniques enable a much broader array of malicious activity to be addressed and are harder for attackers to subvert. Network Detection and Response solutions leverage the power of cyber analytics to detect cyber threats to networks based on threat behavior.
How cyber analytics are applied
Richard Puckett, VP of Security Operations, Strategy and Architecture at Thomson Reuters, shares how the move to a cloud-first strategy requires behavioral analytics to detect evolving threats.
What are the 3 main categories of cyber analytics?
Unsupervised anomaly detection
Anomaly detection is a form of unsupervised machine learning that aims to identify deviations from past behavior. For organizations, anomalies come in many forms – there are frequent, small anomalies such as employees going on vacation, and large anomalies such as the COVID-19 pandemic, where suddenly the entire workforce is working remotely. Tailoring anomaly detection models to a specific use case allows organizations to find only the anomalies that are relevant for cybersecurity.
Anomaly detection is particularly useful in endpoint and user behavioral analytics. Unsupervised learning algorithms model the normal behavior of endpoints and users, enabling identification of anomalous activity that is likely malicious. This is helpful in identifying unknown threats because the anomaly detection models are not reliant on known examples of attacks.
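The per-user baselining described above, as an added example that is not IronNet's code: each user's history of daily distinct-host authentication counts (constructed sample data) is scored with a robust z-score built from the median and median absolute deviation (MAD), so a single past outlier cannot inflate the baseline. The `HISTORY` values, the 3.5 threshold and the handling of a flat history (MAD of zero) are assumptions for illustration.

```python
from statistics import median

# Constructed sample history: per user, the number of distinct hosts
# they authenticated to on each of the last 14 days.
HISTORY = {
    "alice": [2, 3, 2, 4, 3, 2, 3, 2, 4, 3, 2, 3, 2, 3],
    "bob":   [5, 6, 5, 7, 6, 5, 6, 5, 6, 5, 7, 6, 5, 6],
}


def robust_zscore(history, value):
    """Score a new observation against the user's own baseline.

    Median and MAD are used instead of mean and standard deviation so
    one unusual past day (e.g. a vacation) does not distort the baseline.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 scales MAD to be comparable with a standard deviation for
    # normally distributed data. A flat history has MAD == 0, which would
    # divide by zero; assume a unit scale there so any deviation still scores.
    scale = 1.4826 * mad if mad > 0 else 1.0
    return (value - med) / scale


def detect_anomalies(history, observations, threshold=3.5):
    """Return (user, value, score, reason) for observations needing review.

    A user with no history cannot be baselined at all, so it is surfaced
    separately rather than silently scored against nothing.
    """
    findings = []
    for user, value in observations.items():
        if user not in history:
            findings.append((user, value, None, "no baseline"))
            continue
        z = robust_zscore(history[user], value)
        # Only unusually high fan-out is of interest here; a quiet day
        # (vacation) is a benign anomaly for this use case.
        if z > threshold:
            findings.append((user, value, round(z, 2), "unusual host fan-out"))
    return findings


if __name__ == "__main__":
    # Constructed observations for today.
    for finding in detect_anomalies(HISTORY, {"alice": 19, "bob": 7, "carol": 1}):
        print(finding)
```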
Supervised modeling
Supervised modeling is another form of machine learning commonly used in cyber analytics. Whereas a traditional approach to cybersecurity might involve asking a cybersecurity expert for heuristics to identify threats, supervised detection systems use large datasets to learn threat features and characteristics in a principled mathematical approach, enabling organizations to better distinguish between benign and malicious activity.
While a supervised modeling approach allows precise detections of specific types of cyber threats, it does require threat information to be available for model training and can be less effective in cases where threats are unknown. Supervised detection and unsupervised anomaly detection approaches therefore complement each other in forming complete detection coverage for an organization.
Detection correlations
In security parlance, the detection outputs of both unsupervised and supervised models are referred to as spot detections. Spot detections provide information around a single unit of analysis, such as a specific authentication action or executable. Spot detections are useful for making predictions, but they don’t tell the whole story. Detection correlations, on the other hand, allow security experts to combine multiple spot detections to form the complete picture of an attack across an enterprise.
Consider this example: if you’re just analyzing an individual firewall rule, you might think a certain activity was blocked for benign reasons. But with correlation analysis, you can see there was a sequence of related activities that started with an anomalous authentication, followed by the transfer of a file to a remote machine and then the execution of a malicious file. Here, the ability to detect a correlation exposes malicious activity you may have otherwise missed.
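The correlation from the example above, as an added illustration that is not IronNet's code: individual spot detections (constructed sample records) are linked into the chain anomalous authentication → file transfer → execution when they belong to the same user, follow one another within a time window, and the execution happens on the host the file was transferred to. The record fields, the two-hour window and the chain definition are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed spot detections as the per-event models would emit them:
# one record per unit of analysis (an authentication, a transfer, an execution).
SPOT_DETECTIONS = [
    {"ts": "2023-03-01T09:02:00", "type": "anomalous_auth", "user": "alice", "host": "ws-12"},
    {"ts": "2023-03-01T09:20:00", "type": "file_transfer", "user": "alice", "host": "ws-12",
     "dest": "srv-7", "file": "svc.exe"},
    {"ts": "2023-03-01T09:25:00", "type": "malicious_exec", "user": "alice", "host": "srv-7",
     "file": "svc.exe"},
    # Unrelated single detections: a normal transfer and an isolated execution.
    {"ts": "2023-03-01T11:00:00", "type": "file_transfer", "user": "bob", "host": "ws-3",
     "dest": "srv-2", "file": "report.xlsx"},
    {"ts": "2023-03-02T09:00:00", "type": "malicious_exec", "user": "carol", "host": "ws-9",
     "file": "x.exe"},
]

CHAIN = ("anomalous_auth", "file_transfer", "malicious_exec")


def within(earlier, later, window):
    """True if `later` happens after `earlier` and no more than `window` later."""
    t0, t1 = datetime.fromisoformat(earlier["ts"]), datetime.fromisoformat(later["ts"])
    return t0 < t1 <= t0 + window


def correlate(detections, window=timedelta(hours=2)):
    """Link spot detections into auth -> transfer -> exec chains per user.

    The execution must occur on the transfer's destination host and name
    the transferred file, so the chain follows the lateral move itself
    rather than merely three detections that share a user.
    """
    by_user = {}
    for d in sorted(detections, key=lambda d: d["ts"]):
        by_user.setdefault(d["user"], []).append(d)
    chains = []
    for user, events in by_user.items():
        auths = [e for e in events if e["type"] == CHAIN[0]]
        xfers = [e for e in events if e["type"] == CHAIN[1]]
        execs = [e for e in events if e["type"] == CHAIN[2]]
        for auth in auths:
            for xfer in (x for x in xfers if within(auth, x, window)):
                for ex in execs:
                    if (within(xfer, ex, window) and ex["host"] == xfer["dest"]
                            and ex["file"] == xfer["file"]):
                        chains.append({"user": user, "path": [auth["host"], xfer["dest"]],
                                       "file": ex["file"], "events": [auth, xfer, ex]})
    return chains
```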
Collective Defense is a collaborative approach to cybersecurity that extends correlation detection beyond the enterprise. Organizations that participate in a collective defense system can see attack trends or sequences of events across their industry, enabling a more proactive defense.
What are common misconceptions about cyber analytics?
The field of cyber analytics teems with buzzwords and misconceptions. One common misconception is that the complexity of a model determines its effectiveness. This simply isn’t true. What is true is that model complexity can obscure both the interpretability and the accuracy of results. As such, it’s important to understand the appropriate application of different modeling approaches and to match the right technique to any given problem.
Combining all the tools in your cyber analytics toolbox
When analyzing network traffic, you can have accurate and effective models, but everything is predicated on visibility. In other words, you can’t determine whether an executable is malicious if you can’t see it. Advances in attacker techniques, such as in-memory processing, make it harder to spot malicious files. Similarly, with endpoint detection, attackers can misuse executables that are already on a device, and otherwise benign, to do something malicious. This illustrates the need to deploy cyber analytics across the cloud, network, and endpoints.
To learn more:
“Signature-based cybersecurity solutions are unlikely to deliver the requisite performance to detect new attack vectors. In fact, our data shows that 61% of organizations acknowledge that they will not be able to identify critical threats without AI.”
See the Capgemini report.
How can you integrate cyber analytics?
Because cyber analytics require data to detect threats, it’s important for solutions to integrate with other cybersecurity products. Cyber analytics integrate well with SIEM and SOAR systems within your Network Detection and Response (NDR) security stack.
Integrating with security information and event management (SIEM) systems gives cyber analytics products context into threat information, events and alerts, painting a more complete picture of enterprise threats.
Integrating with cyber analytics products gives security orchestration, automation, and response (SOAR) systems better information for remediation actions.
What are some of IronNet's cyber analytics?
IronDefense is a Network Detection and Response platform that improves visibility across the threat landscape and amplifies detection efficacy within your network environment, allowing your SOC team to be more efficient and effective with existing cyber defense tools, resources, and analyst capacity. The solution uses advanced network behavioral analysis that leverages proven artificial intelligence and machine learning to defend highly secure networks, and it scales analysis to the largest enterprises.