Traditionally, security operations have been largely driven by known indicators and rules that generate alerts, looking for attacks occurring within a pre-set correlation time window. Security analysts still grapple with accurately identifying and correlating attacker activity over time. Risk Weighted Event Score Threshold (RWEST) is the most popular algorithm for this type of correlation; however, the approach is unable to detect advanced threats due to two main challenges: time and complexity. Thus, standard security operations that rely too heavily on event correlation are destined for failure.
Traditional SIEM technology is largely incapable of executing such analysis because it looks at a very short snapshot in time and does not continually correlate activity historically. One of the main issues with expanding the correlation time window is understanding the full timeline for different activities. For an automated brute force password attack, you may only be looking backward a couple of minutes; however, a user who is maliciously trying to upload documents to a file sharing site may require a longer time horizon of hours or even days or more.
Security On-Demand’s behavioral threat detection platform (ThreatWatch) is designed to overcome the challenges of time-bound correlation by using behavioral analysis that can detect changes in behavior. In my next blog, I will share more insight on how Behavioral Analytics should replace, not augment, traditional Security Event Correlation.
Behavioral Analytics using the “Deny, Deny, Allow” Paradigm (Part I)
One innovation that is needed is behavioral analytics that monitor activity of an attacker, asset, user, and network over time and look for and alert on changes from the norm. One of the many novel behavioral analytics that we find useful is termed “Deny, Deny, Allow” or “DDA”.
DDA analysis looks for changes in behavior when a particular attempted activity is denied multiple times, but then is allowed. You can think of it in terms of a brute force password attack, in which an attacker uses a variety of passwords in an attempt to log in to a device or account, is constantly denied, and is then allowed when the attacker finds the right password. This same principle applies to many different use cases, ranging from network scanning that probes for vulnerable ports, to attempts to remove data from a network, to phishing attempts to get through email filters.
Our approach requires the analysis of all of the allowed traffic as well as the denied or dropped traffic. This is an entirely different challenge, because today’s log management and ingestion engines typically cannot handle the high volume of traffic that the logging of Allowed traffic brings.
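The DDA check described above, run over constructed log lines as an added example (not ThreatWatch code); the log line format, the three-deny threshold and the per-activity lookback horizons are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed lookback horizons per activity type (illustrative values, not from the post).
HORIZON = {"login": timedelta(minutes=5), "upload": timedelta(days=2)}
MIN_DENIES = 3  # assumed meaning of "denied multiple times"

# Constructed sample events: timestamp actor target activity verdict
SAMPLE = [
    "2024-01-10T09:00:00 10.0.0.5 vpn-gw login DENY",
    "2024-01-10T09:00:20 10.0.0.5 vpn-gw login DENY",
    "2024-01-10T09:00:41 10.0.0.5 vpn-gw login DENY",
    "2024-01-10T09:01:02 10.0.0.5 vpn-gw login ALLOW",
    "2024-01-10T08:00:00 alice fileshare.example upload DENY",
    "2024-01-10T13:00:00 alice fileshare.example upload DENY",
    "2024-01-11T02:00:00 alice fileshare.example upload DENY",
    "2024-01-11T07:30:00 alice fileshare.example upload ALLOW",
    "2024-01-10T09:00:00 bob vpn-gw login DENY",
    "2024-01-10T09:30:00 bob vpn-gw login ALLOW",
]

def parse(line):
    """Split one constructed log line into (timestamp, key, verdict)."""
    ts, actor, target, activity, verdict = line.split()
    return datetime.fromisoformat(ts), (actor, target, activity), verdict.upper()

def detect_dda(lines, min_denies=MIN_DENIES, horizon=HORIZON):
    """Flag an ALLOW preceded by >= min_denies DENYs inside the activity's horizon."""
    denies = defaultdict(deque)  # (actor, target, activity) -> recent deny timestamps
    findings = []
    for ts, key, verdict in sorted(map(parse, lines)):
        recent = denies[key]
        # Expire denies that are older than this activity's lookback horizon.
        while recent and ts - recent[0] > horizon[key[2]]:
            recent.popleft()
        if verdict == "DENY":
            recent.append(ts)
        elif verdict == "ALLOW":
            if len(recent) >= min_denies:
                findings.append({"key": key, "denies": len(recent),
                                 "first_deny": recent[0], "allowed_at": ts})
            recent.clear()  # an allow ends the deny streak either way
    return findings

if __name__ == "__main__":
    for finding in detect_dda(SAMPLE):
        print(finding)
```

With a single short window applied to every activity, the slow upload sequence would expire before its allow arrives, which is the time-window problem the post describes.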
Knowing that hackers tweak and change their tactics to home in on their target, Security On-Demand can detect changes in user behavior, which is continually and automatically re-baselined to ensure that normal behavior changes do not get flagged as false positive alerts.
In Part II, I will share more about the DDA Paradigm and how it can be used to perform advanced threat analysis and detection.