The Limitations of Using Logs for Behavioral Analytics

Logging

Threat detection hasn’t kept up with the pace of change occurring across today’s organizations. Security protections are strained, and threats have evolved to take advantage of blind spots, circumventing immediate detection. We’ll see more malware learn behaviors and conditions and then take evasive action to avoid having its activities exposed. Unfortunately, traditional security logging can only provide a snapshot from the sidelines. Logs record actions and events. There are limitations to using only logs for behavioral analytics. Really understanding the behavior of users and systems requires context, perspective, and risk analysis.

Sophisticated SIEM solutions centralize and correlate logs with the intent of uncovering security events. Some have acquired or partnered with behavioral analytics vendors to create specific analytic modules or solutions. These solutions have had varied business success, as the escalating costs of implementing and managing them make them options only for very large organizations. There are common factors that increase cost and management overhead, and even with the best analysis, results are highly dependent upon obtaining quality data.

The ability to achieve a premium level of security visibility is hindered by these factors:

  • Limited Focus: Logs are specific to each device and networking component across an organization (network, firewall, endpoint or server, cloud and applications). For comprehensive coverage, log data must be collected from every touch point that users and systems connect to and interact with.
  • Limited Details: Log configuration and verbosity settings determine the level of detail that the logs will capture. Diverse infrastructure and zones of responsibility make the coordination and consistency of logging difficult to track.
  • Limited Capacity: Planning for log events per second and storage capacity is necessary to accommodate rich data sets. With more organizations using SIEM as a service, or cloud storage, trade-offs are being made due to the cost of data transfer or data throughput for security logs.
  • Limited Timeline: Log data accessibility and retention contribute to the effectiveness of behavioral analytics. How quickly the log management system can provide updates, together with the log retention settings, narrows the window of visibility. Historical reviews are often difficult to access.
  • Limited Context: Logs are a snapshot of what occurred. In order to build context, additional data or analysis is required. Many systems augment log data with data sets on user roles, responsibilities, and classification of critical systems. Data science pieces together the activities based on models to help understand behavior from the data at hand. The results depend on having everything up to date.
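As an added illustration of the Limited Timeline and Limited Context points (example code written for this page, not part of the original post or of any vendor product), the script below enriches constructed login events with a hypothetical user-to-role directory and shows how a retention window and stale role data change which events look anomalous.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (key=value, syslog-like); not from any real system.
LOG_LINES = [
    "2024-03-01T09:00:00Z host=fin-db01 user=alice action=login result=success",
    "2024-03-02T09:05:00Z host=fin-db01 user=alice action=login result=success",
    "2024-03-10T22:30:00Z host=hr-app02 user=alice action=login result=success",
    "2024-03-11T09:10:00Z host=fin-db01 user=bob action=login result=success",
]

# Constructed role directory: the hosts each role is expected to touch.
# This is the "additional data" a log line by itself does not carry.
ROLE_HOSTS = {"finance": {"fin-db01"}, "hr": {"hr-app02"}}


def parse_line(line):
    """Parse one key=value log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def score_events(lines, user_roles, now, retention_days):
    """Flag logins to hosts outside the user's role, using only events that
    survive the retention window.

    user_roles: mapping user -> role (the directory data used for enrichment).
    now:        ISO timestamp string marking the time of analysis.
    Returns (flagged, dropped): flagged is a list of (user, host, timestamp)
    tuples; dropped counts events discarded by retention (Limited Timeline).
    """
    cutoff = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ") - timedelta(days=retention_days)
    events = [parse_line(line) for line in lines]
    retained = [e for e in events if e["ts"] >= cutoff]
    flagged = []
    for e in retained:
        allowed = ROLE_HOSTS.get(user_roles.get(e["user"]), set())
        if e["host"] not in allowed:  # unknown user/role -> every host looks anomalous
            flagged.append((e["user"], e["host"], e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")))
    return flagged, len(events) - len(retained)


if __name__ == "__main__":
    roles = {"alice": "finance", "bob": "finance"}
    print(score_events(LOG_LINES, roles, "2024-03-12T00:00:00Z", 30))
    # Same logs, stale directory (alice moved to HR, role data not refreshed):
    print(score_events(LOG_LINES, {"alice": "hr", "bob": "finance"}, "2024-03-12T00:00:00Z", 30))
    # Same logs, 5-day retention: the baseline logins fall outside the window.
    print(score_events(LOG_LINES, roles, "2024-03-12T00:00:00Z", 5))
```

With the current directory only the late-night HR login is flagged; with the stale directory the routine finance logins are flagged instead, and a short retention window silently discards the events that would have established the baseline.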

Behavioral analytics has great potential to change how security teams gain visibility into threats and risks across their organization. Behavioral analytics vendors leverage existing security technology or security logs to drive their solutions. This dependency means they are only applicable to organizations that have invested significantly in SIEM technology and have advanced log management.

Change Dynamix is different; we don’t rely on security logs to provide behavioral analytics. We want to help organizations of all sizes reach premium security within their budget. Log management is not security, and its effectiveness is dwindling. Security teams must quickly determine threats so they can take decisive action. The work it takes to manage security solutions detracts from security efficiency.

By capturing the untapped signals of user and entity behaviors, we have direct access to a context-rich data source for every touch point and activity. This provides objective views of user-specific workflows and system-specific views spanning server and application delivery chains. Our approach supports dynamic business with built-in coverage that extends across diverse infrastructure, networks, and cloud services.

To learn more, download our Quick Guide to Understanding Behavioral Analytics.
