
How Threat Hunters Use Data Analytics to Shut Down Attackers

Here’s the bad news: There’s a good chance that a malicious actor has snuck onto your network and is waiting to attack. That actor might lurk on your network for weeks, months or even years. And yet the attack, when it finally happens, will seem out of the blue.

That is the classic pattern of an advanced persistent threat (APT): an adversary who gains a foothold and stays quiet. Once inside, the actor can look for security gaps, harvest credentials and wait for the moment when the network or its administrators are most vulnerable before launching the attack.

Agencies run many different security tools to stay on top of threats, including APTs, but no single tool has a comprehensive view of the network. And when a lot of time passes between the initial intrusion and the eventual attack, context gets lost. What exactly happened? Was data stolen?

But here’s some good news: Those tools generate a lot of data, and you can put that data to use.

We’re talking about data from network and system logs, as well as security scans, each providing a different perspective on the network. That raw data is typically fed into a security information and event management (SIEM) system for correlation and alerting.

Unfortunately, the more data the SIEM receives, the harder it becomes to process. Correlation rules tuned for a smaller data set fire constantly at scale, so the SIEM generates countless false positives and the real threats are buried beneath them.

It’s like trying to play a massive game of connect-the-dots. All those dots don’t mean anything unless you have the key that tells you which dots connect to which. That’s when the picture takes shape.

In the same way, agencies need the ability to sort through all of the data and figure out which data is meaningful and which is just noise. Then the real picture emerges, providing them with a single view of risk across their networks.

The key is to augment the SIEM with a data analytics platform.

The analytics platform sorts through the raw data, filtering out false alerts and reducing the volume of data to be analyzed. Less data means lower processing cost and a clearer picture.

The platform can enrich curated data with information pulled from threat intelligence feeds and with agency-specific data such as asset and user information, making it more useful to analysts and threat hunters.

It can also improve visibility by taking the long view that APTs demand. Using machine learning, agencies can deploy models that classify events and detect anomalies against a baseline of normal behavior. Spotting unusual behavior over weeks or months, rather than in a single day’s alerts, makes it easier to surface hidden threats.

A data analytics platform also provides real-time alerting. When an immediate threat is detected, the alert appears on a central console, so staff can stop the attack and limit the damage.
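As an added illustration (not code from the GovLoop Academy course or from Cloudera’s platform), here is a toy Python version of the pipeline the last few paragraphs describe: parse raw log lines, drop known noise, enrich each event with asset and user inventories and a threat-intelligence list, build a per-user baseline from a training window, and score later events against that baseline so the oddest ones rise to the top. Every log line, hostname, address, inventory entry and threat-intel indicator below is constructed for the example.

```python
"""Toy SIEM-augmentation pipeline: filter, enrich, baseline, score.
Added example; all telemetry and inventories are constructed, not real."""
import re
from collections import defaultdict

# Syslog-style SSH auth events (constructed format, hypothetical hosts/users).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample telemetry: two weeks of quiet activity, scanner noise,
# then a single "low and slow" event that a daily alert view would miss.
RAW_LOGS = [
    # Baseline: jsmith reaches the web tier from the office range in office hours.
    *[f"2024-03-{d:02d}T09:1{d % 10}:00Z srv-web01 sshd: Accepted password for jsmith from 10.1.4.22"
      for d in range(1, 15)],
    # Noise: the inventoried vulnerability scanner probes every host and fails by design.
    "2024-03-10T02:00:00Z srv-web01 sshd: Failed password for invalid user admin from 10.9.9.5",
    "2024-03-10T02:00:01Z db-prod01 sshd: Failed password for invalid user admin from 10.9.9.5",
    # The event worth hunting: same account, 03:00, new source, crown-jewel host.
    "2024-03-15T03:12:40Z db-prod01 sshd: Accepted password for jsmith from 203.0.113.77",
]

# Constructed agency context (asset and user inventories) and a threat-intel feed.
ASSETS = {"srv-web01": {"tier": "web", "critical": False},
          "db-prod01": {"tier": "database", "critical": True}}
USERS = {"jsmith": {"role": "web-developer", "dept": "IT"}}
KNOWN_SCANNERS = {"10.9.9.5"}        # expected noise sources
THREAT_INTEL = {"203.0.113.77"}      # indicators from an external feed


def parse(lines):
    """Turn raw log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["ts"][11:13])   # UTC hour from the ISO timestamp
            events.append(ev)
    return events


def filter_noise(events):
    """Drop failures from inventoried scanners: expected, not alert-worthy."""
    return [e for e in events
            if not (e["outcome"] == "Failed" and e["src"] in KNOWN_SCANNERS)]


def enrich(events):
    """Attach asset criticality, user role and a threat-intel match to each event."""
    for e in events:
        e["asset"] = ASSETS.get(e["host"], {"tier": "unknown", "critical": False})
        e["user_info"] = USERS.get(e["user"], {"role": "unknown", "dept": "unknown"})
        e["ti_hit"] = e["src"] in THREAT_INTEL
    return events


def build_baseline(events):
    """Per-user profile of source addresses, target hosts and login hours."""
    profile = defaultdict(lambda: {"srcs": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e["outcome"] == "Accepted":
            p = profile[e["user"]]
            p["srcs"].add(e["src"])
            p["hosts"].add(e["host"])
            p["hours"].add(e["hour"])
    return profile


def score(events, profile):
    """Flag successful logins that deviate from the user's baseline; rank by severity."""
    alerts = []
    for e in events:
        if e["outcome"] != "Accepted":
            continue
        reasons = []
        if e["ti_hit"]:
            reasons.append("source on threat-intel list")
        p = profile.get(e["user"])
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["src"] not in p["srcs"]:
                reasons.append("new source address")
            if e["host"] not in p["hosts"]:
                reasons.append("new target host")
            if e["hour"] not in p["hours"]:
                reasons.append(f"unusual hour ({e['hour']:02d}:00Z)")
        if reasons:
            severity = len(reasons) + (2 if e["asset"]["critical"] else 0)
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"],
                           "src": e["src"], "severity": severity, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["severity"])


def hunt(lines, cutoff):
    """Baseline on events before `cutoff` (ISO date string), score the rest."""
    events = enrich(filter_noise(parse(lines)))
    profile = build_baseline([e for e in events if e["ts"] < cutoff])
    return score([e for e in events if e["ts"] >= cutoff], profile)


if __name__ == "__main__":
    for a in hunt(RAW_LOGS, "2024-03-15"):
        print(a["severity"], a["ts"], a["user"], a["host"], a["src"], a["reasons"])
```

The training window is the important design choice: the baseline is built only from events before the cutoff, so the anomalous login cannot "teach" the model that it is normal. In a real deployment the cutoff rolls forward, the inventories come from the CMDB and identity system, and the threat-intel set is refreshed from the feed, but the shape of the pipeline is the same.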

Let’s look at some best practices for implementing a data analytics platform with a SIEM.

  • First, avoid vendor lock-in. You should own your data: decide how much you retain, in what format, and who can access it. A platform built on open-source components and open data formats makes that possible.
  • Second, deploy the platform as part of a zero trust approach. Zero trust, which grants no implicit trust to any user or device and verifies every access continuously, is already changing how agencies view network security. Filtering telemetry down to actual threats supports that continuous verification.
  • Third, look beyond your own walls. When securing your data, be sure to account for data held by your critical partners.

Cloudera provides a data platform that is highly scalable, enabling agencies to store more security data while keeping a lid on costs.

The best defense against today’s data attacks, and APTs in particular, is proactive data analytics. Connecting the dots stops the malicious actor from walking away with your intellectual property, personally identifiable information or other sensitive data.

This article is an excerpt from GovLoop Academy’s course “How Threat Hunters Use Data Analytics to Shut Down Attackers,” created in partnership with Cloudera. Access the full course here.
