There are glaring holes in how enterprises currently tackle security analytics. By redefining the approach taken to remedy these challenges, analysts’ roles can be transformed. Patrice Puichaud, Head of Customer Engineering (Europe) for Google Cloud’s Chronicle, explains how.

What are the top challenges organisations face in achieving effective threat detection and producing proactive security measures?

When it comes to proactive threat detection, the top challenges we see organisations face pertain to scale, cost, speed and productivity.

Accurate threat detection takes place when security teams are able to collect and store as much security telemetry as possible. Full detection requires full visibility. Current solutions for threat detection make it cost-prohibitive to keep all of the necessary security telemetry. This adds time to the security investigation process, causing threats to go undetected.

At the end of the day, the security landscape has changed. Security systems are easily generating petabytes of data, so it’s important to have the right tools that can accommodate this volume to help deliver accurate detection.

With all of your security data on hand, security teams can also perform proactive threat hunting and take advantage of simpler, more powerful analytics constructs like YARA-L, Chronicle’s new rules engine syntax. These techniques enable and empower tier 1 SOC analysts to increase their productivity and perform better incident response.

Amid the COVID-19 lockdown, there has been a surge in potential cyber-attacks such as email phishing, VPN-based attacks, enterprise network attacks and other threat vectors. What should companies do to get ahead of the attack curve and how is security analytics changing the game?

We definitely empathise with our customers when it comes to new security risks associated with COVID-19. There has been a surge of phishing attacks targeting employees and threat actors looking to compromise VPN systems.

Security analytics can help enterprises get ahead of this attack curve by making it easy to understand the scope of a phishing attack. Phishing campaigns, for example, use numerous variants such as malicious domains, URLs, and files which need to be quickly identified.

Using a security analytics platform, you can see the enterprise-wide prevalence of any indicator of compromise in a suspected phishing email. For example, if an email contains a link, you can search Chronicle for that link to find any and all network connections to it. If the email contains an attachment, you can search Chronicle for all occurrences of that file. From there, you have the ability to rapidly or automatically delete known and confirmed phishing emails or reset account credentials for phished users.

What are your customers’ main objectives when it comes to security analytics and operations?

The main objectives for implementing a security analytics platform are SOC productivity, the efficacy of threat detection, and economics. In the current climate, enterprises are looking to get more out of their security budget and the ability to do more with their technology. Security analytics allow a business to cut costs associated with storing security data, giving analysts the power to more efficiently perform investigations by having all security information in one place. New and more powerful threat detection frameworks like YARA-L also enable the detection of a broader range of threats in a more efficient manner.

In addition to cost-saving, there is a growing need to cut down on caseloads and increase time to detection and time to remediation. With the correlation provided by security analytics, analysts have broader threat coverage across the enterprise, including the ability to detect threats that operate low and slow.

Technologies that monitor cyber attacks generate a high volume of alerts from different systems that can’t all be analysed. Is there a way to prioritise the high-risk alerts?

We definitely see security teams suffer from alert fatigue, and determining whether an alert needs to be escalated or marked as a false positive can be a time-consuming task. Using security analytics, investigation teams can come to conclusions faster by having the right context to help understand the severity and determine action steps.

With a platform like Chronicle, you can perform retroactive threat intelligence scanning, which looks at all incoming indicators of compromise and maps them to your data automatically. As soon as a new domain, URL, IP or hash is reported by a threat intelligence feed, Chronicle searches through one year of historical logs to see if your organisation is impacted, and will also look for these indicators in the future.

Chronicle also provides context for an alert across three dimensions: the user, your enterprise assets, and the severity of the threat. By having full context, you can quickly answer questions like:

  • What other suspicious behaviour has been seen on a particular device?
  • Are there any new unauthorized domains or connections present in the network?
  • Does activity tied to a specific user suggest anomalous behaviour, such as compromised credentials?
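The retroactive indicator sweep and the enterprise-wide prevalence lookup described in the answers above, as an added illustration that is neither Chronicle's code nor Patrice's: feed indicators are matched against stored key=value log lines, and the same watchlist is applied to every new event as it arrives. The log format, hosts, users and indicator values are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed key=value telemetry standing in for a year of stored logs (made-up hosts, users, values).
HISTORICAL_LOGS = [
    "ts=2020-04-11T08:02:10Z host=ws-042 user=bob type=proxy url=http://invoice-portal.example.net/login",
    "ts=2020-05-19T17:44:31Z host=ws-017 user=alice type=proxy url=http://invoice-portal.example.net/doc",
    "ts=2020-06-01T12:00:00Z host=srv-db1 user=svc_backup type=net dst_ip=203.0.113.7",
]
# Constructed indicators as a threat-intelligence feed might report them (domain, IP, file hash).
FEED_UPDATE = ["Invoice-Portal.example.net", "203.0.113.7", "ab" * 32]
KV = re.compile(r"(\w+)=(\S+)")
def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def indicators(event):
    """Lower-cased indicators an event carries; a URL also yields its host so domain IOCs hit proxy logs."""
    out = {event[k].lower() for k in ("query", "dst_ip", "sha256") if k in event}
    if "url" in event:
        out.add(event["url"].lower())
        host = urlsplit(event["url"]).hostname  # urlsplit lower-cases the host
        if host:
            out.add(host)
    return out

class IocWatcher:
    """Retroactive sweep of stored telemetry plus forward matching of every new event."""
    def __init__(self, history):
        self.history = [parse(line) for line in history]
        self.watchlist = set()

    def add_indicators(self, iocs):
        """New feed items: search all stored history now and keep watching for them from here on."""
        new = {i.lower() for i in iocs}
        self.watchlist |= new
        hits = defaultdict(list)
        for ev in self.history:
            for ioc in indicators(ev) & new:
                hits[ioc].append((ev["ts"], ev["host"], ev["user"]))
        return dict(hits)

    def ingest(self, line):
        """Forward path: store the new event and return any watch-listed indicators it carries."""
        ev = parse(line)
        self.history.append(ev)
        return indicators(ev) & self.watchlist

def prevalence(hits):  # enterprise-wide prevalence: distinct hosts that touched each indicator
    return {ioc: len({host for _, host, _ in rows}) for ioc, rows in hits.items()}
```

Events stored via `ingest` are swept again when a later feed update arrives, which is what makes the retroactive search useful for indicators that are only published after the activity happened.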

The last couple of years have shown security professionals slowly shifting to cloud-based security analytics. What drives that change and what are your predictions for the next couple of years?

The big shift we’re seeing is that security analytics has become a big data problem. Today, even mid-sized organizations may generate petabytes of security telemetry. Security teams, however, aren’t in the business of managing big data and the underlying infrastructure required to keep up with these volumes.

On top of this, budgets have largely shifted from capex to opex – meaning budgets won’t be spent on more hardware to support security telemetry. CISOs want their staff to perform security operations, not infrastructure management, which is why it makes sense to invest in SaaS-based security analytics with unlimited data storage.

For the next couple of years, we predict that the use of cloud-based security technology is going to change the game. For example, the capacity of the cloud to help bring shared intelligence to enterprises is incredibly powerful. We see the opportunity for sharing intelligence at both geographical and vertical levels. Imagine seeing increased attacks on organisations in a certain country in Europe, or a new phishing attack targeting banks and then being able to anonymise these threat signals to help ensure all of our customers are protected.

Patrice led the opening Keynote ‘Redefining Security Analytics’ at FranSec 2020! Watch Patrice’s keynote and every other session held at FranSec until 24th July by registering online at france.cyberseries.io.

Learn more about how Chronicle’s solutions can help your organisation at https://chronicle.security/

About Patrice:

Patrice manages a team of European technical experts dedicated to the Google Cloud security products Chronicle, VirusTotal and BeyondCorp Remote Access, and has 20+ years’ experience in selling disruptive cloud, security and networking solutions. Previously, he led a worldwide team of pre-sales engineers for a next-gen antivirus / endpoint detection and response solution, built on AI/ML and cloud technologies, that was successfully sold to many large enterprise companies.