Splunk recently released a security eBook to help companies understand the challenges and action steps to a security program that utilizes data to stay ahead of attacks. Here is a breakdown of the suggested six stages of the Analytics-Driven Security Journey, so you can get started on your voyage.
Stage 1: Collection
Collect basic security logs and other machine data from your environment.
For the first stage, we start with the bare basics. At this initial level, machine data generated by the foundational components of your security infrastructure is collected. What does that give you?
- Critical activity logs are moved to a separate system where they can’t be easily tampered with by an attacker
- Access to data necessary to perform basic investigations
- Insight into raw materials to begin gaining a deeper understanding of the environment you must defend
Stage 2: Normalization
Apply a standard security taxonomy for asset and identity data.
In this stage you begin implementing a security operations center to track systems and users on your network, and to consume a larger selection of detection mechanisms from vendors and the community. Even if you don’t plan to stand up a formal SOC, normalized data streamlines investigations and improves the effectiveness of analysts. The benefits of this stage include:
- Search performance is improved dramatically through the use of accelerated data models associated with the Common Information Model (CIM)
- Asset and user details are correlated to events in your security log platform
Stage 3: Expansion
Collect additional high-fidelity data sources, like endpoint activity and network metadata to drive advanced attack detection.
The data sources in this stage unlock a very rich set of detection capabilities. Threat hunters rely on DNS and advanced endpoint data to uncover and track adversaries dwelling in the network. Here’s what you will get after completing this stage:
- The foundation for advanced detections has been laid
- You now have the ability to match some common indicators of compromise
Stage 4: Enrichment
Augment security data with intelligence sources to better understand the context and impact of an event.
High-performing security teams enrich their data with internal and external sources. A wealth of contextual and investigative knowledge, including threat-intelligence feeds, open-source intelligence (OSINT) sources, and internally sourced information, allows your security personnel to extract more value from the data you are collecting and to detect security events and incidents sooner. After the Enrichment stage, your team will:
- Be able to understand the urgency of an alert based on the criticality of the asset
- Quickly augment alerts in your environment by matching them against threat-intelligence feeds, pivoting to other systems, and initiating additional context gathering activities
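Here is an added illustration (Python, written for this summary and not code from Splunk or the eBook) of the enrichment step just described: each constructed alert is matched against a hypothetical asset inventory and a constructed threat-intelligence list, and an urgency score is derived from asset criticality plus indicator hits. The hostnames, indicators and scoring scheme are all assumptions.

```python
# Added example (not Splunk's code): enrich constructed alerts with asset
# criticality and threat-intelligence matches, then rank them by urgency.
from typing import Dict, List

# Constructed asset inventory (hypothetical hostnames and criticality tiers).
ASSET_CRITICALITY: Dict[str, str] = {"dc01": "high", "web01": "medium", "lab-vm7": "low"}

# Constructed threat-intelligence feed: indicator -> name of the feed it came from.
THREAT_INTEL: Dict[str, str] = {"198.51.100.23": "feed-a", "bad.example.net": "feed-b"}

# Assumed scoring: criticality tier contributes a base score, each intel hit adds one.
SEVERITY_SCORE = {"high": 3, "medium": 2, "low": 1}


def enrich_alert(alert: Dict[str, str]) -> Dict[str, object]:
    """Attach asset context and intel matches; urgency = criticality score + intel hits."""
    host = alert.get("host", "")
    criticality = ASSET_CRITICALITY.get(host, "unknown")  # unknown assets score 0
    # Check every indicator-bearing field against the intel feed.
    matches = [
        {"indicator": alert[f], "field": f, "source": THREAT_INTEL[alert[f]]}
        for f in ("dest_ip", "dest_domain")
        if f in alert and alert[f] in THREAT_INTEL
    ]
    score = SEVERITY_SCORE.get(criticality, 0) + len(matches)
    return {**alert, "asset_criticality": criticality, "intel_matches": matches, "urgency": score}


def triage(alerts: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Enrich all alerts and return them highest urgency first (stable for ties)."""
    return sorted((enrich_alert(a) for a in alerts), key=lambda a: a["urgency"], reverse=True)


# Constructed sample alerts using documentation IP ranges and example domains.
SAMPLE_ALERTS = [
    {"host": "lab-vm7", "dest_ip": "198.51.100.23", "signature": "outbound beacon"},
    {"host": "dc01", "dest_ip": "203.0.113.5", "signature": "failed logons"},
    {"host": "web01", "dest_domain": "bad.example.net", "signature": "dns query"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        hits = [m["indicator"] for m in a["intel_matches"]]
        print(a["urgency"], a["host"], a["asset_criticality"], hits)
```

With the sample data, the domain controller outranks the lab VM even though only the lab VM matched an indicator, which is the point of scoring asset criticality alongside intel hits.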
Stage 5: Automation & Orchestration
Establish a consistent and repeatable security operation capability.
Mature organizations are able to continuously monitor their environment for alerts and triage, as well as respond to threats in a consistent, repeatable and measurable way. As we get to the end of the journey, this phase will:
- Give you the ability to track incidents
- Allow regular measurement of analyst effectiveness
- Allow teams to take action according to prescribed playbooks
- Automate simple response actions and combine them into more sophisticated orchestration
Stage 6: Advanced Detection
Apply sophisticated detection mechanisms, including machine learning.
Find anomalous behavior and unknown threats by applying machine learning, data science and advanced statistics to analyze the users, endpoint devices and applications in your environment. After the final stage, you are:
- Employing the most advanced techniques available to identify unknown threats
- Employing new detection mechanisms as they become available, drawing on your team’s expertise and on outside research organizations
It may be a long road ahead, but with the help of Splunk, we have mapped the most direct path so you can get started on your journey.
Download the Splunk Essential Guide to Security eBook for more details on each stage and tips on how to solve your toughest security challenges.