Security Analytics and Intelligence platform to identify high-risk threats with real-time correlation

Mounika Raghavarapu   

In recent years, the growing number of information security threats has forced organizations to deploy tools that can raise the effectiveness of their existing security infrastructure. Deploying security analysis tools and analytics software allows large and medium-sized organizations to collect, filter, integrate and link various types of security event information, so as to acquire a more comprehensive view of the security of their infrastructure. As part of IT security analysis, most smaller companies today deploy endpoint protection and deeper network defences. If there is a security threat in an infrastructure, the security analysis tool helps the organization identify and eliminate the threat from the architecture.


Purpose of security analytics:

With security analytics, IT professionals can detect attacks as fast as possible, block or stop them, and obtain the detailed information needed to reconstruct an attack. This is done by collecting, correlating and analysing extensive series of data. In that way companies detect the vulnerabilities exploited to breach their systems and address the weaknesses in their existing infrastructure.

Information security analytics dispels the myth that analytics in the context of data security is confined to security incident and event management frameworks and basic network analysis. Rather, these analytics help organizations mine information and recognize patterns and connections in any form of security data.
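The correlation described above, as an added example that is not part of the original article: a sliding-window rule that links many failed logins from one source to a later successful login by the same account, the kind of pattern a single event would never reveal. The log lines are constructed, and their field layout (timestamp, facility, program, outcome, user=, src=) is an assumption of this example rather than any real product's format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the article); layout is an assumption of this example.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01 auth sshd FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:03 auth sshd FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:05 auth sshd FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:06 auth sshd FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:08 auth sshd FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:20 auth sshd OK user=alice src=203.0.113.7",
    "2024-03-01T10:05:00 auth sshd FAIL user=bob src=198.51.100.9",
    "2024-03-01T10:30:00 auth sshd OK user=bob src=198.51.100.9",
]


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, _facility, _program, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Raise an alert when a successful login is preceded, within `window`, by at least
    `threshold` failed logins for the same (user, source) pair. Events must arrive in
    time order, as they would from a live feed."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        key = (ev["user"], ev["src"])
        recent = failures[key]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "FAIL":
            recent.append(ev["ts"])
        elif ev["outcome"] == "OK":
            if len(recent) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures_before_success": len(recent),
                    "at": ev["ts"].isoformat(),
                })
            recent.clear()  # a success closes the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT possible credential guessing followed by success:", alert)
```

Bob's single failure is expired by the time his login succeeds, so only Alice's sequence produces an alert; raising `threshold` or shortening `window` trades sensitivity against false positives.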

Security risk Analysis:

The security risk analysis process helps organizations trace the key information from which effective decisions about information security can be made. The analysis identifies the current security controls in the infrastructure, measures vulnerabilities, and assesses the influence of threats on each vulnerability. In most cases, the cost incurred in performing a risk analysis is lower than both the impact of the risks and the budget fixed for the security solution intended to manage them. The cost of controlling a risk must not exceed the loss incurred if the risk is left unaddressed. If the cost of the solution exceeds the loss value of the risk, the security analyst decides whether or not to treat the risk; if remedying that risk would also eliminate many other risks, the analyst treats it.

A security risk analysis is an investigation of the association among assets, threats, vulnerabilities and countermeasures to determine the existing level of risk. Compiling an information security risk assessment starts with identifying the data assets, the sensitivity and value of the data, the countermeasures and the probable threats. This data is later used to compute vulnerabilities and risks. The system risk analysis procedure comprises eight distinct, yet interrelated, steps.

  • Phase 1:  Identify and valuate Assets
  • Phase 2:  Identify Applicable Threats
  • Phase 3:  Identify/describe Vulnerabilities
  • Phase 4:  Pair Threats and Vulnerabilities
  • Phase 5:  Determine the Impact of Threat Occurrence
  • Phase 6:  In-place Countermeasures
  • Phase 7:  Determine residual Risk
  • Phase 8:  Identify additional Countermeasures

After all the phases are completed, a “Risk Analysis Report” is produced. This report helps administration analyse the level of security in their architecture. The risk analysis report includes the following entities:

  • Vulnerability levels
  • Applicable Threats and their frequency
  • The use environment
  • System Connectivity
  • Data Sensitivity Level
  • Residual risk, expressed on individual vulnerability basis
  • Detailed Annual Loss Expectancy calculations
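An added worked example, not from the article, of the Annual Loss Expectancy calculations the report lists, carried through Phases 5 to 8 above: impact per occurrence, the in-place countermeasure, the residual risk, and the cost-versus-loss test from the security risk analysis section (a control is only justified when it costs less than the loss it prevents). The asset values, exposure factors, occurrence rates and control costs are constructed; the formulas SLE = asset value × exposure factor and ALE = SLE × ARO are the standard ones.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    exposure_factor: float  # fraction of the asset's value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (expected incidents per year)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction by which the threat's ARO falls with the control in place


@dataclass
class Asset:
    name: str
    value: float
    threats: list = field(default_factory=list)  # (Threat, Countermeasure or None) pairs


def single_loss_expectancy(asset, threat):
    """Phase 5: impact of one occurrence, SLE = asset value x exposure factor."""
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset, threat, aro=None):
    """ALE = SLE x ARO; an explicit `aro` lets the caller evaluate a reduced rate."""
    rate = threat.aro if aro is None else aro
    return single_loss_expectancy(asset, threat) * rate


def assess(asset, threat, countermeasure):
    """Phases 6-8: apply the in-place countermeasure, compute residual ALE, and decide
    whether the control's annual cost stays below the loss it avoids."""
    ale_before = annual_loss_expectancy(asset, threat)
    if countermeasure is None:
        return {"asset": asset.name, "threat": threat.name, "ale": ale_before,
                "residual_ale": ale_before, "countermeasure": None,
                "annual_savings": 0.0, "justified": None}
    residual_aro = threat.aro * (1 - countermeasure.aro_reduction)
    residual_ale = annual_loss_expectancy(asset, threat, residual_aro)
    savings = ale_before - residual_ale
    return {"asset": asset.name, "threat": threat.name, "ale": ale_before,
            "residual_ale": residual_ale, "countermeasure": countermeasure.name,
            "annual_savings": savings,
            "justified": savings > countermeasure.annual_cost}


def risk_analysis_report(assets):
    """One row per (asset, threat) pair: residual risk on an individual basis."""
    return [assess(a, t, cm) for a in assets for t, cm in a.threats]


# Constructed example asset (values are illustrative, not from the article).
CUSTOMER_DB = Asset("customer database", value=500_000.0, threats=[
    (Threat("ransomware", exposure_factor=0.4, aro=0.5),
     Countermeasure("tested offline backups", annual_cost=30_000.0, aro_reduction=0.8)),
    (Threat("insider data theft", exposure_factor=0.2, aro=0.1),
     Countermeasure("full DLP suite", annual_cost=60_000.0, aro_reduction=0.5)),
])

if __name__ == "__main__":
    for row in risk_analysis_report([CUSTOMER_DB]):
        print(f"{row['threat']:20s} ALE {row['ale']:>10,.0f}  residual {row['residual_ale']:>10,.0f}"
              f"  control: {row['countermeasure']}  justified: {row['justified']}")
```

Ransomware: SLE 200,000, ALE 100,000, residual ALE 20,000, so the 30,000 backup programme saves 80,000 a year and is justified. Insider theft: ALE 10,000, residual 5,000, so a 60,000 DLP suite costs more than the loss it prevents and the analyst would only adopt it if it also addressed other risks.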

Process of Information security Risk Assessment:

Information security risk management is a recurring process of identifying, assessing and prioritizing risks. Risk management is composed of two major activities: risk assessment and risk control. Risk assessment is a crucial decision-making strategy that traces the information security assets exposed to threats. It also prioritizes risk incidents by calculating the quantitative or qualitative value of the risks.

IT security risk assessment methods:

AHP and the Fuzzy Comprehensive method are the most widely used methods for performing IT security risk assessment.

AHP (Analytic Hierarchy Process):

AHP is one of the prime methodologies used by organizations to enable effective decision making on prioritizing, ranking and evaluating alternatives for ensuring information security. To do this, AHP combines both qualitative and quantitative factors; it also permits multiple actors, criteria and scenarios to be included in the analysis. AHP is a flexible and effective tool for resolving complex group decision situations. Modelling, valuation, prioritization and synthesis are the four stages in AHP.

  • Step 1: Modelling: Structure a Hierarchy

In this stage, a hierarchy is built that describes the problem. The final goal or mission is positioned at the top of the hierarchy, and the main attributes, criteria and sub-criteria are positioned in the levels below.

  • Step 2: Valuation: Pair-wise comparison

In this stage, all the criteria pertaining to the goal are compared with each other, and then each criterion is compared against all the alternatives pertaining to that criterion. In the analysis, the criteria preferences are recorded as pairwise comparison matrices.

  • Step 3: Prioritization: Estimate the relative weights

The local priorities are derived from the eigenvalues of the comparison matrices from the previous stage. Using the hierarchic composition principle, the global priorities are then derived.

  • Step 4: Synthesis: Check the consistency

In this stage, the global priorities of each alternative are synthesized so as to obtain their total priorities.
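The four AHP stages carried through end to end, as an added example that is not from the article: a goal of reducing information security risk, three criteria, three candidate controls, pairwise comparison matrices, local priorities from the principal eigenvector, hierarchic composition into global priorities, and the consistency ratio check. The pairwise judgements, criteria names and control names are constructed; Saaty's 1-9 comparison scale, the consistency index formula and the random-index table are the standard ones from the AHP literature.

```python
# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Stage 1, modelling: the goal "reduce information security risk" sits at the top,
# three criteria beneath it, and three candidate controls (alternatives) beneath those.
CRITERIA = ["confidentiality", "integrity", "availability"]
ALTERNATIVES = ["encryption at rest", "multi-factor authentication", "offline backups"]

# Stage 2, valuation: constructed pairwise comparison matrices. Entry [i][j] says how
# much more important (or preferable) item i is than item j on the 1-9 scale; [j][i]
# holds the reciprocal.
CRITERIA_MATRIX = [[1, 3, 5], [1 / 3, 1, 3], [1 / 5, 1 / 3, 1]]
ALTERNATIVE_MATRICES = {
    "confidentiality": [[1, 2, 5], [1 / 2, 1, 3], [1 / 5, 1 / 3, 1]],
    "integrity":       [[1, 1, 3], [1, 1, 3], [1 / 3, 1 / 3, 1]],
    "availability":    [[1, 1 / 3, 1 / 7], [3, 1, 1 / 3], [7, 3, 1]],
}


def principal_eigenvector(matrix, iterations=200):
    """Stage 3, prioritization: normalized principal eigenvector (the local priorities)
    and the principal eigenvalue lambda_max, obtained by power iteration."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(lambda_max, n):
    """Stage 4, consistency check: CI = (lambda_max - n) / (n - 1), CR = CI / RI(n).
    A CR above 0.10 means the pairwise judgements should be revisited."""
    if n < 3:
        return 0.0
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def ahp(criteria_matrix, alternative_matrices, criteria, alternatives):
    weights, lam = principal_eigenvector(criteria_matrix)
    result = {
        "criteria_weights": dict(zip(criteria, weights)),
        "criteria_cr": consistency_ratio(lam, len(criteria)),
        "alternative_cr": {},
    }
    # Hierarchic composition: an alternative's global priority is the sum over criteria
    # of (criterion weight x the alternative's local priority under that criterion).
    global_priorities = [0.0] * len(alternatives)
    for k, c in enumerate(criteria):
        local, lam_c = principal_eigenvector(alternative_matrices[c])
        result["alternative_cr"][c] = consistency_ratio(lam_c, len(alternatives))
        for a in range(len(alternatives)):
            global_priorities[a] += weights[k] * local[a]
    result["global_priorities"] = dict(zip(alternatives, global_priorities))
    result["ranking"] = sorted(alternatives, key=lambda a: -result["global_priorities"][a])
    return result


if __name__ == "__main__":
    out = ahp(CRITERIA_MATRIX, ALTERNATIVE_MATRICES, CRITERIA, ALTERNATIVES)
    for name, p in out["global_priorities"].items():
        print(f"{name:28s} {p:.3f}")
    print("criteria CR:", round(out["criteria_cr"], 3))
```

With these judgements the criteria weights come out near 0.64, 0.26 and 0.10 with a consistency ratio of about 0.03, and encryption at rest ranks first because confidentiality dominates the criteria weights; the integrity matrix is perfectly consistent (lambda_max = 3, CR = 0), which is what a matrix whose entries all agree multiplicatively looks like.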

Fuzzy Comprehensive method:

Fuzzy comprehensive evaluation is also called fuzzy synthetic decision making. The core of this method is determining the weight set. The weights can be determined by the subjective method, by the objective method (i.e., through the analytic hierarchy process), or by the comprehensive exponential method.

The entropy weight method builds a quantitative bridge between the subjective and objective methods, and is a sound approach to determining weights. Consequently, the comprehensive evaluation method is used to determine the evaluation matrix and the entropy weight method to determine the weights of the indicators, so as to build the matrix structure of the synthetic evaluation model.

The following are the steps involved in executing the fuzzy comprehensive evaluation method:

  • Determine the element set and assessment set
  • Establish the fuzzy assessment matrix
  • Determine the weight of every index layer using the entropy weight technique
  • Calculate the compound decision vector
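The four steps above carried through in code, as an added example that is not from the article: a factor set of four risk indicators, an assessment set of three risk grades, a fuzzy assessment matrix of membership degrees, entropy weights for the indicators, and the compound decision vector read off with the maximum-membership principle. The indicator names, grades and membership values are constructed. Computing the entropy weights from the rows of the assessment matrix itself (rather than from a separate table of observed indicator data) is a simplification chosen for this example: an indicator whose membership is spread evenly across the grades carries little information and gets a low weight, while a decisive indicator gets a high one.

```python
import math

# Constructed example (not from the article): four risk indicators (the factor set)
# assessed against three risk grades (the assessment set). Each row of R holds the
# membership degrees of one indicator across the grades and sums to 1.
FACTORS = ["patch latency", "privilege sprawl", "logging coverage", "backup testing"]
GRADES = ["low risk", "medium risk", "high risk"]
R = [
    [0.1, 0.2, 0.7],   # patch latency: mostly high risk
    [0.1, 0.3, 0.6],   # privilege sprawl: mostly high risk
    [0.5, 0.3, 0.2],   # logging coverage: leaning low risk
    [0.3, 0.4, 0.3],   # backup testing: spread evenly, little information
]


def entropy_weights(matrix):
    """Entropy weight method applied row by row. For indicator i with normalized
    memberships p_ij: e_i = -(1/ln n) * sum_j p_ij ln p_ij, d_i = 1 - e_i,
    w_i = d_i / sum_k d_k. The convention p ln p = 0 for p = 0 is used."""
    n = len(matrix[0])
    log_n = math.log(n)
    divergence = []
    for row in matrix:
        total = sum(row)
        p = [x / total for x in row]
        entropy = -sum(x * math.log(x) for x in p if x > 0) / log_n
        divergence.append(1.0 - entropy)
    s = sum(divergence)
    return [d / s for d in divergence]


def compound_decision_vector(weights, matrix):
    """B = W o R with the weighted-average operator M(., +): B_j = sum_i w_i * r_ij."""
    n = len(matrix[0])
    return [sum(w * row[j] for w, row in zip(weights, matrix)) for j in range(n)]


def fuzzy_comprehensive_evaluation(matrix, grades):
    weights = entropy_weights(matrix)
    b = compound_decision_vector(weights, matrix)
    # Maximum-membership principle: the grade with the largest component of B wins.
    grade = grades[max(range(len(b)), key=b.__getitem__)]
    return {"weights": weights, "decision_vector": b, "grade": grade}


if __name__ == "__main__":
    result = fuzzy_comprehensive_evaluation(R, GRADES)
    for factor, w in zip(FACTORS, result["weights"]):
        print(f"{factor:18s} weight {w:.3f}")
    for grade, b in zip(GRADES, result["decision_vector"]):
        print(f"{grade:12s} membership {b:.3f}")
    print("overall grade:", result["grade"])
```

Here the two decisive indicators (patch latency and privilege sprawl) receive most of the weight, the evenly spread backup-testing row receives almost none, and the system is graded high risk with a membership near 0.6.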

Security Analysis tools:

Security analysis tools are expected to collect an extensive range of data types. They help identify breaches and gather evidence, but it is essential to have an incident response plan in place before incidents are detected. Organizations do not want to improvise their response plan while reacting to an incident: there is too much potential for error, miscommunication and loss of evidence to risk an ad hoc reaction to a security breach.

Types of security analysis tools:

  • Scanners
  • Packet Sniffers
  • Content Filters
  • Trap and Trace Tools

Scanners: tools that automatically examine networks for hosts and/or vulnerabilities

    • Port Scanners: scan the entire network so as to trace all of the active computers, open ports and services, e.g. Foundstone’s SuperScan 4
    • Vulnerability Scanners: scan the network to collect detailed information about the hosts found, e.g. Nmap, Nessus

Packet Sniffers:

    • Collect and analyze copies of packets from the network segment you want to sniff, e.g. Ethereal

Content Filters:

    • Content filters allow system administrators to restrict content from unauthorized sources from entering the network, e.g. NetNanny

Trap and Trace Tools:

    • Trap: Enticing an intruder/attacker into the network, e.g. Honeypot
    • Trace: An effort to determine the identity of someone discovered in unauthorized areas of the network, e.g. Recourse Technologies’ ManHunt