How to select the right security tool for your business
Why do companies need security analytics tools?
There’s a great deal of data that enterprises need to manage - logs, security alerts, threat intelligence… the list is endless. It seems impossible for SOC analysts to get a complete and accurate view of the vulnerabilities and threats faced by the organization for there’s simply too much information out there that’s susceptible to risk.
And yet, instead of focusing on identifying threats and prioritizing response efforts, teams are scrambling to try to keep up with the ever-growing pile of simple, repetitive tasks.
You need help keeping up with the security alert volume and prioritizing the right alerts!
The disturbing upward trend in cyber security breaches has witnessed a spike in security investment. According to the Cyber Security Breaches Survey 2018,
- Over four in ten businesses (43%) and two in ten charities (19%) experienced a cyber security breach or attack in the last 12 months
- Three-quarters of businesses (74%) and over half of all charities (53%) say that cyber security is a high priority for their organisation’s senior management.
- Under three in ten businesses (27%, versus 33% in the previous 2017 survey), and two in ten charities (21%) have a formal cyber security policy or policies
This is where security analytics tools come into the picture. These tools help organizations detect and prioritize threats, and formulate responses against potential attacks. The solution might seem rather simple, all that needs to be done is get a security analytics platform, I assure you though, procuring a security analytics tool is no easy task.
Types of security analytics tools
In today’s vast threat landscape, there is a plethora of technologies and tools to choose from. Here are some to name a few:
SIEM: A security information and event management (SIEM) system is used to monitor, identify, record, and analyze log data to identify patterns that might indicate an attack and correlates information between different devices to detect any anomalous activity.
SOAR: Security orchestration, automation and response (SOAR) lets organizations automatically respond to security alerts. It replaces slow, manual intervention from conventional security systems with quick decision making and response.
- CASB: Cloud access security brokers (CASBs) as coined by Gartner are, on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
- PAM: Privileged access management (PAM) enables you to manage, monitor and secure privileged accounts and users authorized to access them.
- UEBA: User and entity behavior and analytics (UEBA) is a process that observes the normal conduct of users and entities and detects any anomalous behavior where a user deviates from these “normal” patterns.
- NTA: Network traffic analysis (NTA) solutions monitor network traffic, flows, connections and objects for behaviors indicative of malicious intent.
- Malware sandbox: It is an isolated testing environment that are used to execute unverified programs that may contain malicious code, without affecting the application, system or platform on which they run.
- EDR: Research VP and Distinguished Analyst at Gartner, Anton Chuvakin has defined endpoint detection and response (EDR) as the tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.
With so many options out there, you need to analyze and find the right security analytics software to suit your enterprises needs. The question still remains though, how do you make the right choice?
How to choose the right security tool? Decoded by Kelly M. Kavanagh
The recently concluded Gartner Security and Risk Management Summit 2018 held in Mumbai on 30-31 August had many Gartner Security Analysts including Kelly M. Kavanagh and Sid Deshpande throw valuable insights on changing security and risk landscape and a comprehensive coverage of today’s top priorities for security and risk leaders. Kelly’s session ‘Tips for Selecting the Right Security Analytics Tools for Your SOC’ gives expert guidance on the practical method of selecting the right security tool.
First, get to the basics
Be aware about the current state of your security analytics before you get on with selecting the right tool for your enterprise:
- Kind of technologies you’re currently using
- Your concerns and requirements
- Resources and expertise you have
- Do you have Playbooks?
After all, finding the right security analytics tool is about making the right decision fiscally and technologically, because this decision goes beyond just security features.
The selection of the type of tool you need may vary with different use cases. There are a number of factors that need to be considered while selecting the right tool.
1. Size of the organization
The size of the company and the type of the industry plays an important role in the buying decision. For instance, while a small scale security analytics software might be sufficient for a small to medium scale business, it may turn out to be absolutely useless for a medium to large scale company unless its capabilities can be scaled as the industry grows. Similarly, a large scale security analytics tool may not make sense financially for a small business.
2. Capabilities of the tool
Security admins will need to first understand what are the capabilities of these tools. A detailed analysis should be made about what these tools can and cannot do. You should evaluate the objective of the tool based on the following quality metrics rather than the technique used by the tool:
- Anomaly detection - scope, detection and false positive rates
- Incident response - time to detect and time to remediate
New techniques do not always necessarily correspond to better detection. Before making a choice and deciding on a set of security analytics tools, see how they work, and how businesses deploy them.
3. Type of deployment
You also need to consider the type of deployment the software supports. The cost of hardware, software or virtual appliances can factor heavily into which security tool is right for a business. The tool you pick should be designed to support complex architectures and have the capability to scale out to complex service provider scenarios without compromising on the features or the capability of the platform.
4. Types of threats faced by your industry
Another factor that plays a major role in deciding the right tool is the type of threats a certain industry often faces or is most likely to face. Some security analytics vendors specialize in specific types of attacks such as Advanced Persistent Threats (APT) whereas some others specialize in specific sectors such as finance and healthcare. Choose a vendor that caters to your industry specific threats. For example, the education industry may be prone to attacks from actors such as APT groups attempting to gain access to sensitive intellectual property, while organizations in the financial services and insurance sectors face cyber threats from enterprise-like cybercriminals seeking financial account data or other data they can monetize, to make live fraudulent transfers.
5. Other capabilities
Security analytics tools also extend the capabilities of other security tools. If they can’t integrate with a business’ existing tool set, you may want to consider taking a look at another vendor.
6. Cost of the tool
At the end of the day you ultimately want to know how much is the tool going to cost you. Each vendor may charge differently so it is imperative for you to know what you are agreeing to. Many modern tools do not charge you a dime to get onboard. Once you know the upfront cost, your job doesn’t end here, you need to look into what the ongoing costs will be like. You should know if they charge a set fee every month or is it based on your usage. Some vendors charge per site or per user and this can get tricky. For every vendor you evaluate, understand how many users, sites, and workflows are included in the price and if there are any overage fees to be aware of so you can gauge your price threshold.
Ultimately each of us needs to understand that no two SOCs are alike and hence no single tool can be a one-size-fits-all. You have to gauge which tool best matches the needs of your enterprise and make the right choice.
As Mr. Kavanagh rightly said, the trick to select the right tool for you is to combine solutions that offer a near-real-time detection with those that provide incident response and forensic analysis capabilities.
The importance of these tools cannot be more emphasized. Security teams vary by size, vertical, expertise, and by what they need from threat intelligence.
You need to learn what these tools do, when they’re needed, and what do you need to pay attention to while purchasing them. Purchasing security analytics software would certainly make a business more secure in theory, but purchasing the right security analytics tools is what ensures it.