CIOReview
JULY 2022

IN MY OPINION

WHY USE SECURITY ANALYTICS FOR THE ENTERPRISE?

By Felipe Medina, AVP of Information Security Engineering, BankUnited

If you have ever been involved in a breach or an attack in your professional career, the first thing you realize is how security analytics might have detected the attack early. As the conspiracy theorists we all are, we believe that this is simply not attainable. In the larger picture you are right, because the bad guys do something that we as industry professionals rarely do: they collaborate very well and share information. The security analytics dashboards and alerts you set up are key indicators of what could be happening, and when they are built for efficiency and accuracy they allow proactive measures to be taken before, during and while an event is occurring. Now, let's get to why you really want to read this article: what steps can we take to get our tools better connected and evolve our security analytics and tools from a reactive to a proactive state?

First, let's level set: this methodology requires executive buy-in and investment in the IT and IS departments. It will also require collaboration with your business lines, to ensure you are addressing the money makers for your enterprise or business. So the first step is learning from any issues or attacks and adding that intelligence into our platforms so that they alert at the proper thresholds. I am a big fan of using standard deviations, which allow me to baseline traffic on platforms like a SIEM (Security Information and Event Monitoring) against a control set of data ranging from hours to months, as needed. I would not recommend years, as this could take a while and would also take cycles away from the device's normal processing. This gives organizations an early detection capability for network-level as well as device-level events, whether to ensure proper health or to detect a DDoS or outage early.

Another perspective on proper analytics is to understand what your providers can do for you. Let's take O365 and Azure. User contextual information, such as users logging in from different geographical locales and password guessing, is built into UEBA (User and Entity Behavioral Analysis). These are key analytics to set up for your tenant, and they are relevant because Microsoft has moved its enterprise licensing to O365 in its cloud. Similarly, AWS has very powerful security analytics built into its consoles. Shield services allow the AWS Security team to monitor your workloads and alert you. GuardDuty combines all your CloudTrail logs and VPC Flow Logs to allow you to set up your security
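The standard-deviation baselining described above, as an added example that is not from the article or from any SIEM product: a control window of hourly event counts (constructed sample data) gives a mean and deviation, new hours are scored against it, and a sliding variant keeps flagged hours out of the baseline so that one spike does not mask the drop that follows it. The threshold of 3 standard deviations and the 8-sample minimum are assumptions, not values from the article.

```python
"""Standard-deviation baselining of SIEM event counts (added example)."""
import math
import statistics
from dataclasses import dataclass

# Constructed sample data: hourly connection counts as a SIEM might report them.
# CONTROL_WINDOW is the known-normal period the baseline is built from.
CONTROL_WINDOW = [100, 110, 90, 105, 95, 100, 108, 92, 103, 97]
NEW_HOURS = [104, 300, 101, 20]  # one flood-like spike, one outage-like drop


@dataclass
class Baseline:
    mean: float
    stdev: float

    def zscore(self, value):
        """Distance from the control mean in standard deviations."""
        if self.stdev == 0:  # flat control data: any change is an infinite deviation
            return 0.0 if value == self.mean else math.copysign(math.inf, value - self.mean)
        return (value - self.mean) / self.stdev


def build_baseline(samples, min_samples=8):
    """Mean and sample standard deviation of a control set; refuse tiny windows."""
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} control samples")
    return Baseline(statistics.mean(samples), statistics.stdev(samples))


def classify(baseline, value, threshold=3.0):
    """'spike' (possible flood/DDoS), 'drop' (possible outage) or 'normal'."""
    z = baseline.zscore(value)
    if z > threshold:
        return "spike"
    if z < -threshold:
        return "drop"
    return "normal"


def rolling_alerts(series, window=10, threshold=3.0):
    """Slide the baseline over the last `window` samples judged normal."""
    # Flagged samples stay out of the baseline; otherwise one spike inflates
    # the deviation and masks the anomalies that follow it.
    normal = list(series[:window])  # assumption: the first window is clean
    alerts = []
    for i in range(window, len(series)):
        label = classify(build_baseline(normal[-window:]), series[i], threshold)
        if label == "normal":
            normal.append(series[i])
        else:
            alerts.append((i, label))
    return alerts
```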