August 23, 2016
Joe Franscella

Why We Study Breach Detection Analytics

<p>Preventing cyber-security incidents is ideal, but not an entirely realistic goal. Now that <a href="" target="_blank">89% of businesses are reporting a recent network breach</a>, the attitude is shifting to prioritize detection and response. Planning for dealing with the aftermath of a successful breach has been reframed from "if" to "when." The goal being to improve response time, mitigate damage and improve your strategy based on the lessons learned.</p><p>The key outcome of studying breach detection analytics is to identify actionable responses. This understanding can only come after capturing event data and correlating it to the actions of real-world actors. Ideally, you have a threat intelligence platform that is capable of studying data from different sources together. Studying traffic to and from each segment of the network separately makes understanding the hacker’s methodology very difficult.</p><p>There is a wealth of information collected on known hackers and their tools. Signature-based tools like anti-virus software, SIEM packages, and other network detection tools are not enough for a standalone security solution. Now, zero-day malware packages unique enough to slip through can be created on demand. However, these platforms can be fine-tuned to suit your environment, and are still an important component in the security arsenal.</p><p>Looking closely at logs you may find unusual activity in access control permissions, firewall configuration, and suspicious changes or uses of authentication – changes a signature based tool cannot detect. Generally, applications are used to keep around three months&#39; of back data but are coming around to storing more based on observations about the timing of activities. Preferably, your security solution is sophisticated enough to gather and process all aspects of internal and external traffic, and compare it against the reference file. This task becomes <a href="{page_3232}">greater as more data is collected</a> by both the user and the entity hosting the data on known threats.</p><p>Breach detection analytics help experts trace the event back to its origin. The location, or locations, of where suspicious or overtly hostile traffic originates from is important. Understanding if the threat occurred because of an internal problem or hackers came in via a weakness in your barrier is a primary goal. It makes all the difference when determining how to prevent the event from recurring.</p><p>Breach detection analytics are necessary to determine which assets were compromised. Only once you discover all that occurred can you begin the cleanup process.</p><p>For many users, experiencing a network breach is the beginning of the problem. If you’ve collected data about private individuals you must take steps to guard that info, and be accountable when <a href="">personally-identifying data is accessed by hackers</a> on your watch. This applies to both personally identifying information (PII) and general personal information.</p><p>There is a lot to be learned in the aftermath of a cyber-security crisis. Using breach detection analytics to investigate how the hackers got in, what they did and why, can teach you a lot about your own vulnerabilities. Make good use of lessons learned during a threat by adding new correlations. Modifying event alerts to reflect the actual priority of the asset will reduce incident response time.</p><p>By looking into the past, you can determine actions for the future. Forecasting the likelihood of future attacks and bolstering protection for the most valuable assets is a complex yet important process.</p><p>This complimentary downloadable whitepaper discusses how properly focused observation and tracking efforts provide intelligence from inside the enterprise by monitoring for indicators of compromise such as odd point-in-time activities on the network, unusual machine-to-machine communications, outbound transfers, connection requests and many other suspicious activities.</p><p><span class="hs-cta-wrapper" id="hs-cta-wrapper-8600fcd3-0133-4aff-80ad-6b66cb98b9d6"><span class="hs-cta-node hs-cta-8600fcd3-0133-4aff-80ad-6b66cb98b9d6" data-hs-drop="true" id="hs-cta-8600fcd3-0133-4aff-80ad-6b66cb98b9d6" style="visibility: visible; display: block; text-align: center;"><a class="cta_button " cta_dest_link="" href="" id="cta_button_458120_1bcf61e7-266b-47f2-bb9a-3e836ab23e09" style="margin: 20px auto;" target="_blank" title="Download Here">Download Here </a> </span> <script charset="utf-8" src=""></script> <script type="text/javascript">hbspt.cta.load(458120, '8600fcd3-0133-4aff-80ad-6b66cb98b9d6', {});</script> </span></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.