Security Analytics Tools Need to Understand Normal Behavior across IT

New SIEM functionality from LogRhythm baselines behavior for anomaly detection and security automation

When I look toward the future of security analytics, there are a few predictions I can make with absolute certainty. In the very near future, security analytics tools will:

1. Collect, process, and store terabytes of data on-line at all times.
2. Correlate data instantly and simultaneously from all layers of the technology stack.
3. Associate data patterns with users and devices.
4. Provide greater intelligence for incident detection and automation for incident response.

Enterprise organizations have an urgent need for these types of security analytics capabilities and are willing to rip and replace older tools to get there. This will have a profound effect on the SIEM market, as innovative technology companies have a golden opportunity to disrupt the status quo.

Case in point: LogRhythm made an interesting announcement last week that could serve as a harbinger of things to come. The Colorado-based SIEM vendor introduced what it calls “multi-dimensional behavior analytics.” Forget the fancy name; LogRhythm can now collect application, asset, host, network, security intelligence feed, user, vulnerability, and other types of data and then establish a baseline of what normal IT behavior looks like. Once this model is created, LogRhythm can detect anomalous behavior across any individual IT entity or combination of IT entities (such as end-to-end application flows to particular users and/or groups). When CISOs have a good idea of what is normal, it is far easier to create rules for workflows, forensic investigations, and automated remediation.

With its new product release, LogRhythm figured out something that the security industry has long overlooked. Many security analytics platforms have advanced capabilities for data correlation and custom rule generation. The problem is that information security analytics has grown so complex that many security professionals have no idea what to look for or how to tune their systems.

LogRhythm alleviates this human knowledge gap by making its technology more intelligent. In this scenario, computers do the heavy analytical lifting, leaving humans to react quickly to the results with business, policy, and technology decisions. Over the past 10 years, cybersecurity monitoring has progressed from watching firewalls and IDSs to multi-dimensional behavior analytics. Since most security professionals have no idea how to cope with this exponential shift, we need security analytics tools like LogRhythm that do. Without them, we don’t stand a chance.
