Trending – A Way to Increase Your Customer Value and Find Hidden Gems
Security analysts spend hours each day in the somewhat monotonous position of reviewing hundreds, if not thousands, of alerts through various types of reporting consoles. When an analyst sees a “Spoofed Email” alert, they have a process for responding; when they see an attempted “Denial of Service” against a web service, they have a process for that too. What about those rare events that never generate an alert but are in fact an active intrusion? How does a Security Analyst respond to that, and how would they even detect its occurrence, that Hidden Gem?
Once that hidden gem is discovered, perhaps a sophisticated intrusion that rides on legitimate, “normal” traffic within your network, it will go down as a “big event” inside your organization for everyone involved. Such discoveries not only underline the importance of your frontline defense, but also the need for a mechanism that brings these occurrences and other sophisticated threats to the surface. How does an organization do this effectively, with the capabilities it already possesses?
Trending. Trending is an effective way for any organization to immediately spot network activity or host behavior that falls outside of what is considered normal, even a little outside. Albeit not necessarily quick or easy, its value can be priceless in any organization.
Imagine for a second that you have complete network and host activity trending data built into the daily reporting and alert consoles your analysts spend hours in front of. Suddenly one of your SQL servers attempts a GET request directly to an IP address on SSL port 443. Without trending information describing the normal behavior of your servers, how would you detect this? With trend information, your analysts immediately identify this as “out of the norm” and begin their investigation.
Everything is fine, so what’s the problem?
One of the issues within any security organization is that the day-to-day monitoring and response to alerts are not usually anything to write home about. The bigger problem is that your customer doesn’t see anything considered newsworthy coming out of the security organization during the business-as-usual times. This can cause misperceptions and missed opportunities.
Turn this around…
Educate your customer on the day-to-day business being done to secure their networks. Daily scans are important. Spam emails, phishing emails, etc. can pose serious risk. If you only tell the customer about the big events, and they don’t happen very often, maintaining a proactive security posture may be undervalued. Business-as-usual means that your security practices are successful. While the trends you are monitoring may not be as significant as a major intrusion, they still are happening on their network every day. Most customers don’t realize this.
Trending: It could be Cyber Security for Everyone
Your customer most likely doesn’t place the importance of Cyber Security as high as your security analysts do, so how do you make maintaining a proactive security posture meaningful? When a major intrusion happens, does your customer really understand what is at stake, or what has potentially been exposed?
The answer could be trending. Trending can be used to provide customers a view of what you are seeing on a daily basis. It can be used to educate your customer, so that they can differentiate between normal activity and a more significant threat. Trending provides data on what is happening in their network, and can make them feel much more involved. Sharing trending with your customer can go a long way toward keeping them abreast of what is going on from a security point of view.
Trending: It Leads to Discovery
Are you missing key data? While it’s not easy to see, trending can sometimes expose things you never noticed before.
Trending of data can:
- Show patterns over time
- Uncover identity issues (not easily identified by looking at individual events)
- Facilitate predictive analysis.
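The SQL-server scenario earlier in the article (a host suddenly issuing a GET to a bare IP on port 443) and the "patterns over time" point in the list above both come down to the same mechanism: build a per-host baseline from historical connection records, then score today's events and today's volumes against it. The following is an added example, not code from the article, using a constructed log format and constructed hosts (sql01, web01) and addresses; treating a connection as "seen" when its (destination kind, port, method) triple appeared in history is a deliberate simplification for illustration, not a recommended production schema.

```python
from collections import Counter, defaultdict
import ipaddress
import statistics

# Constructed history: seven days of outbound connection log lines in a
# made-up format "<day> <host> <dest>:<port> <method>" (not any product's schema).
HISTORY_LINES = []
for day in range(1, 8):
    d = f"2024-05-{day:02d}"
    HISTORY_LINES += [
        f"{d} sql01 backup.corp.example:445 SMB",
        f"{d} sql01 10.0.5.20:1433 TDS",
        f"{d} web01 cdn.example:443 GET",
        f"{d} web01 198.51.100.9:443 GET",
        f"{d} web01 10.0.5.20:1433 TDS",
    ]
# A little day-to-day variation so the volume baseline has some spread.
HISTORY_LINES += [
    "2024-05-02 sql01 10.0.5.20:1433 TDS",
    "2024-05-05 sql01 10.0.5.20:1433 TDS",
]

# Constructed "today": sql01 does its usual work, then bursts to a bare IP on 443.
TODAY_LINES = [
    "2024-05-08 sql01 backup.corp.example:445 SMB",
    "2024-05-08 sql01 10.0.5.20:1433 TDS",
    "2024-05-08 web01 cdn.example:443 GET",
    "2024-05-08 web01 198.51.100.9:443 GET",
    "2024-05-08 web01 10.0.5.20:1433 TDS",
    "2024-05-08 web01 203.0.113.7:443 GET",
] + ["2024-05-08 sql01 203.0.113.7:443 GET"] * 6


def parse_line(line):
    """Split one constructed log line into its fields; classify the destination."""
    day, host, dest, method = line.split()
    name, port = dest.rsplit(":", 1)
    try:
        ipaddress.ip_address(name)      # bare IP literal, e.g. 203.0.113.7
        kind = "ip"
    except ValueError:
        kind = "hostname"
    return {"day": day, "host": host, "dest": name, "kind": kind,
            "port": int(port), "method": method}


def build_baseline(lines):
    """Per host: the set of (dest kind, port, method) seen, plus per-day event counts."""
    seen = defaultdict(set)
    daily = defaultdict(Counter)
    for rec in map(parse_line, lines):
        seen[rec["host"]].add((rec["kind"], rec["port"], rec["method"]))
        daily[rec["host"]][rec["day"]] += 1
    return {"seen": dict(seen), "daily": {h: dict(c) for h, c in daily.items()}}


def score_event(baseline, line):
    """Return the reasons an event falls outside its host's baseline ([] means normal)."""
    rec = parse_line(line)
    seen = baseline["seen"].get(rec["host"])
    if seen is None:
        return [f"no baseline for host {rec['host']}"]
    key = (rec["kind"], rec["port"], rec["method"])
    if key not in seen:
        return [f"{rec['host']} has never used {rec['method']} to a {rec['kind']} on port {rec['port']}"]
    return []


def volume_outliers(baseline, today_lines, k=3.0):
    """Hosts whose event count today exceeds mean + k*stdev of their daily history."""
    today = Counter(parse_line(l)["host"] for l in today_lines)
    out = {}
    for host, counts in baseline["daily"].items():
        values = list(counts.values())
        mean = statistics.mean(values)
        spread = statistics.pstdev(values) if len(values) > 1 else 0.0
        # Floor the spread at 1 so a perfectly flat history still leaves a margin.
        threshold = mean + k * max(spread, 1.0)
        if today.get(host, 0) > threshold:
            out[host] = (today[host], round(threshold, 2))
    return out


if __name__ == "__main__":
    baseline = build_baseline(HISTORY_LINES)
    for line in TODAY_LINES:
        for reason in score_event(baseline, line):
            print("OUT OF NORM:", line, "->", reason)
    print("volume outliers:", volume_outliers(baseline, TODAY_LINES))
```

Note that the same destination, 203.0.113.7:443, is flagged for sql01 but not for web01, because web01's history already contains GETs to bare IPs on 443; that per-host view is what distinguishes a trend baseline from a static rule. The volume check is the "patterns over time" half: with only a week of history the spread is small and the floor does most of the work, which is exactly why the article cautions that judgments get more accurate as the historical window grows.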
This wraps back into showing value and educating your customer. Nothing is more impressive to the customer than predicting the next event (before it happens) and proactively putting preventive measures in place.
Trending: It Comes with a WARNING Label
Trend results can be taken out of context. You should ALWAYS be prepared to dig down into individual events and explain them if asked. (By not explaining the details, you risk diluting your value as a security operation.) Equally important, make sure the audience knows they are seeing a baseline of data. Avoid the temptation to prove more than you should with trending, especially when you start out. The more historical data you have, and the longer you look at it, the easier it is to make accurate judgments from the data.
What’s the Takeaway?
Trending isn’t always quick and easy, but the end-state data is invaluable to those who work to protect the network. Doing it well without increasing your workload will be a challenge, so you will want to automate as much of the trending collection as possible. The real challenge is to find a reporting format that is understandable, educational and effective for the customer. Those reports will not only provide value to the customer; they will show that the time and money invested in trending was well spent. Trending – it could increase your value to the customer, and assist in uncovering that hidden gem.