Cybersecurity Analytics in the SOC

Learn about the use cases and major technology categories that make up cybersecurity analytics.

What are cybersecurity analytics?

SOC analysts suffer from alert fatigue caused by too many data sources and platforms, too little context in investigations, too few people, and too little time. Mature cybersecurity teams manage this challenge by leveraging an integrated set of data analytics capabilities from best-of-breed solutions to establish an end-to-end experience — from data collection to response.

Cybersecurity analytics allows for the analysis and enrichment of both traditional and non-traditional security data sources with context to extract meaningful, actionable insight. Next-gen security analytics solutions must combine a petabyte-scale data platform with advanced techniques, including machine learning and anomaly detection, to enable analysts to identify the threats that matter most to the business.

Gaining Visibility with Data

Centralized log management

Centralized log management lays the groundwork for an enterprise’s data architecture by collecting, storing, analyzing and enriching all event data. Full visibility is the goal, but bringing in data from anywhere requires a shift in architecture, one built for petabyte-scale, high-speed ingestion and analysis. The modern SOC relies on an ELM platform to ease access to security data and provide context to inform threat hunting, detection, investigation and response.

Endpoint Detection & Response

EDR provides enterprise-wide surveillance on endpoints, enabling SOCs to identify threats through hunting techniques and validate potential incidents. Analysts use EDR for its rich visibility into enhanced endpoint data and its ability to execute rules automatically to respond to confirmed threats. But storage costs make it impossible for many companies to retain all their endpoint data.

Network Traffic Analysis

Threat actors are taking new approaches, stealthily breaking past network defenses. NTA combats these attacks by capturing, monitoring and analyzing all network traffic, which speeds detection and response. NTA solutions use a combination of machine learning, advanced analytics, and rule-based detection to reveal suspicious network activity based on network traffic data. SOCs can leverage this insight into network communications to identify potential malicious activity such as port scanning or DDoS.
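The rule-based side of NTA described above, as an added illustration that is not part of the original page: a sliding-window rule over constructed flow records flags a source that contacts many distinct (host, port) targets in a short time, and the threshold parameters are the tuning knobs an analyst adjusts. The flow records and the threshold values are constructed assumptions, not data from any product.

```python
from collections import defaultdict

# Constructed flow records for the demo (not real traffic): (timestamp_s, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # 10.0.0.5 touches 12 distinct ports on one host within 12 seconds: scan-like
    [(100 + i, "10.0.0.5", "10.0.1.10", port)
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # 10.0.0.7 repeatedly uses the same three services over five minutes: normal client
    + [(100 + 30 * i, "10.0.0.7", "10.0.1.20", (80, 443, 53)[i % 3]) for i in range(10)]
)


def detect_port_scans(flows, window_seconds=60, distinct_target_threshold=10):
    """Rule-based scan detection over flow records.

    A source is flagged when it contacts at least `distinct_target_threshold`
    distinct (dst_ip, dst_port) pairs inside any `window_seconds` sliding window.
    Both parameters are tuning knobs. Returns {src_ip: (window_start_ts, count)}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_src[src].append((ts, (dst, port)))

    alerts = {}
    for src, events in by_src.items():
        for i, (start_ts, _) in enumerate(events):
            targets = set()
            for ts, target in events[i:]:
                if ts - start_ts > window_seconds:
                    break
                targets.add(target)
            if len(targets) >= distinct_target_threshold:
                alerts[src] = (start_ts, len(targets))
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, (ts, n) in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"scan-like activity from {src}: {n} distinct targets starting at t={ts}s")
```

Lowering `distinct_target_threshold` to 3 makes the normal client fire as well, which is the kind of false positive the threshold is tuned to avoid.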

Increase Context with Data Enrichment

Security Information and Event Management

SIEM has long been considered a key component of SOC technology. SIEMs are used to monitor logs and to detect and alert on high-priority events for rapid investigation. However, traditional SIEMs weren’t built for the petabyte-scale world of today. As a result, they struggle with query performance, which impacts the speed and accuracy of investigations. A SIEM is only as powerful as the SOC’s ability to enrich log data with context, deliver insight, and put that insight to work through orchestration, automation and facilitated collaboration. The next-gen SIEM brings together key capabilities of the security stack, such as detection and orchestration, into a single operational view to enable analysts to focus on what matters.

Threat intelligence

Natively embedding threat intelligence to deliver context-rich data enables analysts to keep up with adversaries. SOC analysts who leverage threat actors’ tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) can track, observe and understand potential threats in their environment. However, this depends on high-confidence, high-fidelity intelligence that is relevant to the organization. Otherwise, the torrent of information dispersed across multiple products and threat feeds can obstruct the analyst’s view rather than inform it. Modern SOCs participate in both internal and external threat sharing to increase the quality of their intelligence and contribute to the security community. The SOC should converge on a central location for all enriched data to drive more actionable insight.
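The enrichment step described above, as an added example that is not code from the original page: log events are matched against an indicator set and annotated with actor context and TTP labels, and a confidence floor drops low-fidelity feed entries before matching so they cannot obstruct the analyst's view. The indicators (TEST-NET addresses, `.example` domains, a placeholder hash) and events are constructed for the demo.

```python
# Constructed indicator records standing in for a threat-intel feed (not real IOCs):
# TEST-NET addresses and .example domains only; "ttps" holds free-text labels here.
INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "source": "internal-ir",
     "context": "C2 address seen in a prior incident", "ttps": ["command-and-control"]},
    {"type": "domain", "value": "update.bad.example", "confidence": 35, "source": "open-feed",
     "context": "single unverified sighting", "ttps": []},
    {"type": "sha256", "value": "0" * 64, "confidence": 95, "source": "malware-sandbox",
     "context": "placeholder hash of a sandboxed dropper", "ttps": ["initial-access"]},
]

# Constructed log events to enrich (the sha256 field is simply absent here)
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.8", "dst_ip": "203.0.113.45", "domain": None},
    {"id": 2, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.7", "domain": "update.bad.example"},
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.8", "domain": "cdn.example"},
]

# Which event fields are compared against which indicator types
FIELD_TO_TYPE = {"src_ip": "ipv4", "dst_ip": "ipv4", "domain": "domain", "sha256": "sha256"}


def enrich_events(events, indicators, min_confidence=70):
    """Attach matching indicator context to each event.

    Indicators below `min_confidence` are dropped before matching, so low-fidelity
    feed entries add no noise; lower the floor deliberately when hunting broadly.
    """
    index = {(i["type"], i["value"]): i for i in indicators if i["confidence"] >= min_confidence}
    enriched = []
    for ev in events:
        matches = []
        for field, ioc_type in FIELD_TO_TYPE.items():
            hit = index.get((ioc_type, ev.get(field)))  # missing fields never match
            if hit is not None:
                matches.append({"matched_field": field, **hit})
        enriched.append({**ev, "ti_matches": matches})
    return enriched


def matched_ids(events, indicators, min_confidence=70):
    """Ids of events with at least one indicator match, for quick triage."""
    return [e["id"] for e in enrich_events(events, indicators, min_confidence) if e["ti_matches"]]
```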

User and entity behavior analytics (UEBA)

User and entity behavior analytics solutions use a combination of baselining and machine learning analytics to detect unusual entity behaviors that deviate from the established norm. Baselining, however, creates a twofold challenge: sophisticated attackers who conduct long-term reconnaissance to learn and mimic organizational behavior patterns can hide in plain sight, and UEBA requires continual tuning to reduce the number of false positives. While data provided by UEBA solutions is becoming standard, the category needs new approaches to behavior modeling, as well as integration with SIEM and ELM for richer context.
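The baselining half of UEBA, as an added example that is not from the original page: each entity gets its own mean and standard deviation from a constructed 14-day history, today's value is scored against that norm, and the alert threshold is the tuning knob the paragraph refers to. The history, the counter being measured and the threshold are assumptions for the demo.

```python
import statistics

# Constructed 14-day history of a per-user daily counter (e.g. files downloaded); not real data
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14, 13, 15],   # steady user
    "bob":   [2, 40, 3, 38, 1, 45, 2, 41, 3, 39, 2, 44, 1, 42],         # bursty but normal
}
TODAY = {"alice": 60, "bob": 44}  # alice is far outside her norm; bob is within his


def build_baseline(history):
    """Per-entity baseline: (mean, population std-dev) of the observed counter."""
    return {user: (statistics.mean(v), statistics.pstdev(v)) for user, v in history.items()}


def zscore(baseline, user, value, sd_floor=1.0):
    """How many standard deviations `value` sits above the entity's own norm.

    `sd_floor` stops a near-constant history from turning tiny changes into huge scores.
    """
    mean, sd = baseline[user]
    return (value - mean) / max(sd, sd_floor)


def detect_deviations(history, today, threshold=3.0):
    """Return {user: score} for entities whose activity today exceeds `threshold`.

    `threshold` is the tuning knob: too low and bursty-but-normal users like bob
    become false positives; too high and genuine deviations are missed. Activity
    that stays inside an entity's baseline, however it got there, is never flagged,
    which is the blind spot the text describes for attackers who mimic normal patterns.
    """
    baseline = build_baseline(history)
    scores = {user: zscore(baseline, user, value) for user, value in today.items()}
    return {user: round(s, 2) for user, s in scores.items() if s > threshold}


if __name__ == "__main__":
    print(detect_deviations(HISTORY, TODAY))
```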

Automating Workflows and Analytics

Security orchestration and automation technologies

SOC automation technologies can shorten time-to-action by taking over repetitive tasks such as triaging low-priority alerts, automating workflows, or orchestrating process flows. Security automation and orchestration increase analysts’ ability to operationalize what matters through automated security content, workflows and complete contextual intelligence. The space continues to evolve from lower-level incident response to more sophisticated response, including case management, comprehensive reporting, and facilitated collaboration. This enables analysts to shift their focus to more strategic tasks. The seamless integration of automation with security analytics is a determining factor in the SOC’s ability to act on insight.