Security analytics refers to the ability to perform automated analysis of collected and aggregated sources of critical data for threat detection and security monitoring. Security analytics helps to provide SOC teams with better visibility into the unique environments of organizations, improving threat detection, investigations, and response. Security analytics is seen as an evolution of SIEM, which has historically provided log data collection and aggregation.
Security analytics tools help synthesize raw data collection and make it actionable. Commonly referred to as security analytics platforms, these tools are critical for managing infrastructure complexity, increasing data volumes, and quickly identifying evolving threats. Vendors who offer security analytics platforms also typically include SIEM and SOAR capabilities as part of the solutions.
According to Forrester, “A security analytics (SA) platform converges logs from network, identity, endpoint, application, and other security relevant sources to generate high-fidelity behavioral alerts and facilitate rapid incident analysis, investigation, and response.”
- The Security Analytics Platform Landscape, Q3 2022, Forrester Consulting, August 2022
While security analytics platforms have been around for decades, the market continues to evolve as modern security operations teams seek the consolidation of tools and demand more automation to drive better security outcomes.
The security analytics market is mature, but SOC requirements continue to expand. Security analysts need to do more with less, and they also need the technology they use to do the same. Organizations should look for the following capabilities and determine which features they require most to fit their needs and budget requirements.
Machine Learning
Security analytics platforms have evolved by automating data analysis and applying machine learning (ML) models in real time, which helps organizations reduce analyst workloads and improve security outcomes.
Data Collection and Analysis
Automated collection, real-time analysis and monitoring should cover, but need not be limited to, logs and data of the following types:
It is critical to be able to collect and store vast amounts of data from multiple sources.
MITRE ATT&CK Mapping
SecOps teams have been quick to adopt the MITRE ATT&CK framework as part of security operations, and therefore most vendors now map their solutions to the framework for detection, investigation and response. The ability to map granularly to ATT&CK (to the technique or sub-technique, not just the tactic) is a good indication of the quality of the analytics, because it shows that the analytics engine can interpret the data it observes and collects.
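To make the value of granular mapping concrete, here is an added example (not code from the original page or from any vendor's product) that groups technique-level alerts per host and escalates only hosts whose alerts span several ATT&CK tactics, i.e. a kill-chain progression rather than one noisy detection firing repeatedly. The technique IDs and tactic names are real ATT&CK identifiers; the lookup table is a constructed excerpt and the alerts are constructed sample data.

```python
from collections import defaultdict

# Constructed excerpt of ATT&CK: technique ID -> (name, tactics it belongs to).
# Real ATT&CK has hundreds of techniques; this subset is an assumption for the example.
TECHNIQUE_TACTICS = {
    "T1566.001": ("Phishing: Spearphishing Attachment", ["Initial Access"]),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", ["Execution"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence",
                                 "Privilege Escalation", "Initial Access"]),
    "T1021.001": ("Remote Services: Remote Desktop Protocol", ["Lateral Movement"]),
    "T1048": ("Exfiltration Over Alternative Protocol", ["Exfiltration"]),
}

# Constructed alerts as an analytics engine might emit them, each already mapped
# to a (sub-)technique. ws-042 shows a multi-stage chain; ws-017 is one rule firing twice.
ALERTS = [
    {"host": "ws-042", "technique": "T1566.001"},
    {"host": "ws-042", "technique": "T1059.001"},
    {"host": "ws-042", "technique": "T1021.001"},
    {"host": "ws-042", "technique": "T1048"},
    {"host": "ws-017", "technique": "T1059.001"},
    {"host": "ws-017", "technique": "T1059.001"},
    {"host": "ws-099", "technique": "T9999"},  # unmapped: analytics gave no technique
]


def tactics_by_host(alerts):
    """Per host, the set of ATT&CK tactics its alerts were mapped to.

    Alerts whose technique is not in the lookup are collected under "Unmapped"
    so they are not silently dropped; they do not count toward coverage.
    """
    per_host = defaultdict(set)
    for alert in alerts:
        entry = TECHNIQUE_TACTICS.get(alert["technique"])
        if entry is None:
            per_host[alert["host"]].add("Unmapped")
            continue
        per_host[alert["host"]].update(entry[1])
    return per_host


def escalate(alerts, min_tactics=3):
    """Hosts whose mapped alerts span at least min_tactics distinct tactics."""
    hosts = tactics_by_host(alerts)
    return sorted(h for h, t in hosts.items()
                  if len(t - {"Unmapped"}) >= min_tactics)


if __name__ == "__main__":
    for host, tactics in sorted(tactics_by_host(ALERTS).items()):
        print(host, sorted(tactics))
    print("escalate:", escalate(ALERTS))  # prints: escalate: ['ws-042']
```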
Security Orchestration and Automated Response (SOAR) and Threat Intelligence Platform
The combination of analytics and automation creates the opportunity for security analytics platforms to deliver intelligent operations with the ability to identify threats and automatically respond to them. SOAR provides the ability to automate actions and responses based on the analytics.
There are five main benefits security teams can realize from security analytics:
Historically, one of the disadvantages of SIEM has been its reactive rather than proactive approach to security. Security analytics began to emphasize the actual analysis of data instead of just data management. Noting this limitation, most “next-gen” SIEMs have added more functionality, and the line between SIEM and security analytics continues to blur. Security analytics has evolved quickly because it can analyze data and deliver automated outcomes.
As we look to the future of security analytics as well as the SOC, it is important for organizations to develop a strong security strategy, and partner with a vendor with a track record of innovation as well as a well-defined product vision. The security market continues to trend toward tool consolidation, and endpoint security solutions like EDR and XDR have started to overlap in capabilities with security analytics and SIEMs as organizations seek highly enriched telemetry, speedy investigations and automated response.
Stopping today’s threats requires a radically new approach to security operations. Cortex XSIAM helps the modern SOC evolve from a reactive and human-first approach – that cannot scale to keep up with ever-increasing threats – toward the vision of an AI-driven, autonomous SOC. XSIAM embeds automation and analytics wherever possible to help outpace threats, provide near-real-time response and reduce SOC costs.
The Cortex product family – including Cortex XSIAM, Cortex XDR, Cortex XSOAR and Cortex Xpanse – offers AI-driven, scalable and comprehensive security for the SOC of the future.