As the threat landscape continues to get more complex, security analytics are becoming essential for identifying, preventing and responding to threats.
As a result, recent research suggests that the security analytics market will grow by more than 16% by 2026.
Today, security products offer a variety of different analytics modules, either as separate parts of a platform like a SIEM or as individual products.
These often include analytics for network traffic, user and entity behavior (UEBA), identity, IoT devices, cloud, logs, endpoints and more.
All of these analytics matter for detecting different threat actor tactics, techniques, and procedures, such as account compromise, privileged access misuse, data theft, malware, lateral movement, device discovery, covert channel exfiltration and more.
Analytics modules typically are powered by some form of machine learning and sit on top of a data lake.
How much value an organization gets out of these analytics depends on two factors: 1) if those analytics modules are unified or separate, and 2) if they use a rules-based engine or true adaptive machine learning.
In this article, we're going to explore the value of unifying multiple analytics streams and explain how it helps organizations determine their overall security posture and risk.
While each analytics module provides useful information on its own, when unified the value increases exponentially.
Knowing these two facts requires two completely different sets of analytics and data that must be connected to show the full picture.
Having separate analytics is a resource burden.
Unified analytics connects outputs from each system to establish context and identify relationships between them.
By unifying these different telemetry sources and applying the corresponding analytics, teams can assess risk more accurately, target their response better, be more transparent about the process, understand the entire attack more quickly, reduce threat hunting costs, and improve overall security.
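To make the idea of connecting module outputs concrete, here is an added example (not code from the article or any product it describes) that joins alerts from separate identity, endpoint and network analytics on the user/host session they share and scores the combined entity; the alerts, session mapping, weights and threshold are all constructed for illustration.

```python
"""Added example (not from the article): correlate alerts that separate
analytics modules emit in isolation into one per-entity risk picture.
All alerts, scores and the user/host session mapping are constructed."""
from collections import defaultdict

# Constructed alerts as separate modules would emit them: each carries the
# source module, the entity it scored, and that module's own confidence.
ALERTS = [
    {"module": "identity", "entity": "user:alice", "signal": "impossible_travel_login", "score": 30},
    {"module": "endpoint", "entity": "host:ws-17", "signal": "new_service_installed", "score": 25},
    {"module": "network",  "entity": "host:ws-17", "signal": "unusual_outbound_volume", "score": 35},
    {"module": "endpoint", "entity": "host:ws-04", "signal": "new_service_installed", "score": 25},
]

# Constructed identity telemetry linking users to the hosts they logged into.
SESSIONS = [("user:alice", "host:ws-17"), ("user:bob", "host:ws-04")]

# Constructed threshold: any single module's alert stays below it, so only
# entities corroborated by more than one stream get escalated.
ESCALATE_AT = 60

def link_entities(alerts, sessions):
    """Attach every alert to the (user, host) pair of the same session."""
    host_user = {host: user for user, host in sessions}
    user_host = {user: host for user, host in sessions}
    linked = defaultdict(list)
    for a in alerts:
        e = a["entity"]
        key = (e, user_host[e]) if e in user_host else (host_user.get(e, "user:?"), e)
        linked[key].append(a)
    return linked

def unified_risk(alerts=ALERTS, sessions=SESSIONS):
    """Score each (user, host) pair: alerts from several independent modules
    corroborate each other and are weighted up; one module alone is not."""
    result = {}
    for key, items in link_entities(alerts, sessions).items():
        modules = {a["module"] for a in items}
        base = sum(a["score"] for a in items)
        # Constructed weighting: each additional independent module adds 25%.
        score = min(100, int(base * (1 + 0.25 * (len(modules) - 1))))
        result[key] = {"score": score, "modules": sorted(modules),
                       "escalate": score >= ESCALATE_AT}
    return result

if __name__ == "__main__":
    for key, r in unified_risk().items():
        print(key, r)
```

Run alone, only the alice/ws-17 pair escalates: each of its three alerts is individually below the threshold, which is the context a single module cannot see.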
Not all solutions make this easy; in a survey conducted at RSA 2023, 42% of respondents said it took them weeks or longer to add new data sources to their SIEM and nearly half only chain together endpoint and network analytics.
Unifying analytics modules is only part of the equation.
Finally, adaptive ML does a better job overall of finding relationships between data because it's not restricted to preset inputs.
Because it has this context, the analytics throws far fewer false positives.
Unified analytics based on true, adaptive ML offers many advantages over separate, rule-based analytics, including reduced time-to-discover and time-to-remediate.
With more solutions entering this space, it's becoming even more difficult to evaluate analytics.
Amol is a distinguished security professional with over 15 years of experience in delivering security and risk management solutions for Fortune 500 customers across the globe.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Sun, 24 Dec 2023 06:13:06 +0000