SANS: Automated Threat Detection Better for Critical Security Controls

SANS: Automated Threat Detection Better for Critical Security Controls

Automated network threat detection can help meet the goals defined within the Critical Security Controls (CSCs), according to the SANS Institute.

The CSCs are a recommended set of actions for cyber-defense developed by the NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation's top forensics and incident response organizations. These are coordinated by SANS and are maintained by the Center for Internet Security (CIS) and are designed to mitigate modern attack profiles; they provide specific and actionable ways to stop attacks, with a goal to prioritize and focus a smaller number of actions with higher pay-off results.

Perhaps unsurprisingly, SANS has found that using data science, machine learning and behavioral analysis can complement or improve traditional security methods when looking to drive efficiency in cyber-response. This type of technology picks up where perimeter security leaves off by providing deep, continuous analysis of both internal and Internet-bound network traffic to automatically detect all phases of a breach as attackers attempt to spy, spread and steal within a network.

Analytical methods can be used to monitor critical performance characteristics, such as network traffic, CPU usage and port activity, and identify unique events or trends that exhibit the behaviors of malicious activities. Analytics can also be used to flag abnormal behavior of end users, applications and other elements inside the organization by identifying activities that depart from a normal baseline established over a period of time.

“Automated threat detection is making inroads to identify new patterns, detect events that may not match a specific signature, and determine behavioral abnormalities,” wrote Barbara Filkins, senior SANS analyst, in the white paper, “The Expanding Role of Data Analytics in Threat Detection.” She added, “Time-honored threat detection methods and perimeter-based security defenses add valuable layers of protection around information system assets, but neither is sufficient to defend completely against modern threats.”

Photo © mypokcik

Source: Information Security Magazine