Trending – A Way to Increase Your Customer Value and Find Hidden Gems

Security analysts spend hours each day in a somewhat monotonous position of reviewing hundreds, if not thousands of alerts through various types of reporting consoles. When an analyst sees a “Spoofed Email” alert, they have a process for responding, when they see an attempted “Denial of Service” against a web service, they have a process to respond to that. What about those rare events that occur and never generate an alert but is in fact an active intrusion? How does a Security Analyst respond to that, how would they be able to detect its occurrence, that Hidden Gem?

 Once that hidden gem is discovered, a potentially sophisticated intrusion utilizing legitimate “normal” traffic within your network, it will go down as a “big event” inside of your organization to all of those involved. Those discoveries not only outline the importance of your frontline defense, but also outline the need for a mechanism to bring these types of occurrences and other sophisticated threats to the surface for discovery. How does an organization do this effectively, and with the capabilities they already possess?

Trending. Trending is an effective way, for any organization to immediately spot network activity or host behavior that falls outside of what is considered normal, even a little outside. Albeit not necessarily quick or easy, it’s value can be priceless in any organization.

Imagine for a second you have complete network and host activity trending data built in to your daily reporting and alert consoles that your analysts spend hours in front of. Suddenly one of your SQL servers attempts a GET request directly to an IP address on SSL port 443. Without that trending information of normal behavior of your server activity, how would you detect this? With trend information, your analysts immediately identify this as “out of the norm”, and begin their investigation.

Everything is fine, so what’s the problem?

One of the issues within any security organization is that the day-to-day monitoring and response to alerts are not usually anything to write home about. The bigger problem is that your customer doesn’t see anything considered newsworthy coming out of the security organization during the business-as-usual times.  This can cause misperceptions and missed opportunities.

Turn this around…

Educate your customer on the day-to-day business being done to secure their networks.  Daily scans are important.  Spam emails, phishing emails, etc. can pose serious risk.  If you only tell the customer about the big events, and they don’t happen very often, maintaining a proactive security posture may be undervalued.  Business-as-usual means that your security practices are successful.  While the trends you are monitoring may not be as significant as a major intrusion, they still are happening on their network every day.  Most customers don’t realize this.

Trending: It could be Cyber Security for Everyone

Your customer most likely doesn’t place the importance of Cyber Security as high as your security analysts do, so how do you make maintaining a proactive security posture meaningful?  When a major intrusion happens, does your customer really understand what is at stake, or what has potentially been exposed?

The answer could be trending.  Trending can be used to provide customers a view of what you are seeing on a daily basis.  It can be used to educate your customer, so that they can differentiate between normal activity and a more significant threat. Trending provides data on what is happening in their network, and can make them feel much more involved. Sharing trending with your customer can go a long way toward keeping them abreast of what is going on from a security point of view.

Trending: It Leads to Discovery

Are you missing key data?  While it’s not easy to see, trending can sometimes expose things you never noticed before.