August 8, 2016
Joe Franscella

What We Get from Breach Detection Analytics

<p>With the growing threat of cyber-security events, detection and response are as or more important than prevention. Breach detection analytics facilitate detection, identification, and response. Whether the <a href="">hackers accessed a honeypot</a> or broke into the usable portion of your network, the information trail left after an attack includes many telling data points. Past and current behavior can be analyzed to predict upcoming trends.</p><p>Discovery of a breach generally happens upon receiving an alert from an application in your security configuration. Sources of breach detection include:</p><ul><li>SIEM platforms are the first place analysts can look for breach attempts. Once the alerts are configured, they are useful tools for studying traffic from multiple sources.</li><li>Network devices like firewalls, routers, switches, and proxies all keep logs. Changes to firewall configurations or access permissions are examples of indicators of compromise.</li><li>File integrity monitoring (FIM) controls guard important places on your network by limiting access to them to an as-needed basis. Changes in permissions reveal which logins are being abused.</li><li>If you use whitelisting processes, looking at unauthorized changes can be telling as to which files are targeted or when the threat actor was at work.</li><li>Antivirus platforms catch random network scanning bots, phishing emails, and well known malware. Blocking or instantly patching these viruses offers basic protection and an early indication of threats to come.</li></ul><p>Those logs generate a great volume of information which IT experts can search, sort, and analyze. When compared to existing lists of threat actor attributes, the threat can be correlated to known identifiers. The analysis platform must also have algorithms which develop <a href="" target="_blank">baselines for normal behavior</a>. Taken in context of your individual situation, much can be learned when you examine data from multiple sources over 3-12 months preceding the breach. Some major questions answered by breach detection analytics:</p><ul><li>Which files were accessed?</li><li>Was the threat external or internal?</li><li>Where was the point of entry?</li><li>Was encoding cracked, and how?</li><li>When did the hackers actually begin their attack?</li><li>Did they change any settings or links?</li></ul><p>From breach detection analytics, you can build your own collection of signs of potential threats and <a href="{page_253}">share threat intelligence among trusted circles</a>. As this process continues, activities which trigger false alerts can be identified. Configuring alerts to de-prioritize or ignore “noise” improves the reliability of the entire alert feed.</p><p>Many large-scale attacks are preceded by smaller foothold break-ins. Breach detection analytics give you the benefit of hindsight from these experiences. Looking back at past events is useful to predict future trouble. For example, if you discover the breach entered through a phishing email, you can tighten restriction on email filters and redouble your security education and policies. Similarly, if you realize hackers are targeting a specific type of file, you can limit access to that area of the network.</p><p>Forensic analysis helps identify significant indicators of compromise and better prioritize similar events in the future. Event alerts automatically become more reliable the more data they can analyze to detect patterns.</p><p>Security monitoring creates a great volume of data. Keeping logs for as long as possible is preferable, but <a href="{page_3232}">more data means a greater workload</a> for those analyzing it. Consider using a platform which sends your logs out to be reviewed against an extensive archive of known threats, stored off-site.</p><p>Learn about <strong>Anomali Match</strong> here:</p><p><span class="hs-cta-wrapper" id="hs-cta-wrapper-522663a1-2e23-4655-9c36-592b876fdb70"><span class="hs-cta-node hs-cta-522663a1-2e23-4655-9c36-592b876fdb70" data-hs-drop="true" id="hs-cta-522663a1-2e23-4655-9c36-592b876fdb70" style="visibility: visible; display: block; text-align: center;"><a class="cta_button" cta_dest_link="{page_3455}" href=";placement_guid=522663a1-2e23-4655-9c36-592b876fdb70&amp;portal_id=458120&amp;redirect_url=APefjpGFBvqfVQgvXOqxPS6tKT5bDNJJRY4cuDMgrr6G2Wo7glKvM2z9b9ZYNwc1EfcHnW67bmvNb8D8MUexWfMZOqtYSDpmmbU9RZalrIQ73sxP5vGR4kl_plGr8zH2v9NAJsj4ZiX6oS9J-an6I0JEWfVhKkHUdA5sQz3UsMdm85reTNoxD1fsewECc4hWP9bek8K-YVka1UtCMmvj6LU5OvrjRM3A5C5wjNbkp0Pq6P9DAQTGmupUs3kXdJ0i1kMRU1lOtg3o0qE7xu7Pf3JcQRMco3aCn6C_Sx2ZcaeKIGWggSxbU308AqdiGsyE2pF-EFXVEdCzo0UoCDTxa7U4n4HG7rLdRCqmJ0iI-0jIJPijwojSahzkQXoOINMHVKUxbWj3HYpW&amp;hsutk=2767d93d6471d657e0c9f660e4b58ef8&amp;;;pageId=4316310293&amp;__hstc=41179005.2767d93d6471d657e0c9f660e4b58ef8.1456736058655.1478822660171.1478831861868.179&amp;__hssc=41179005.54.1478831861868&amp;__hsfp=1335165674" id="cta_button_458120_ae87b536-87f5-4cf1-85e5-1cf25faf63c6" style="margin: 20px auto;" target="_blank" title="Free Download Here">Free Download Here </a> </span> <script charset="utf-8" src=""></script> <script type="text/javascript">hbspt.cta.load(458120, '522663a1-2e23-4655-9c36-592b876fdb70', {});</script> </span></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.