There are a few ways on how you can use security analytics to automatically find new attacks:
Use Security Analytics to Find New Attacks
Flag Unusual Network Behaviors
Security Analytics can automatically flag unusual network behaviors that might represent an attack such as a large number of users accessing the network from a single IP address or multiple users accessing the network with different IP addresses but the same username. These are unusual behaviors for most users and so they will be flagged as potential incidents.
Security analytics also detect other unusual activities such as a user accessing the same file from different locations, or scanning internal hosts from external IP addresses, or unusual access patterns to certain files or folders that can indicate an attack.
Monitor Configuration Checks
Security analytics also allows you to monitor configuration checks for specific systems and detect any configuration changes. Perhaps that might have been made by an attacker after compromising a system.
For example, if an attacker gains access. Such as, to a Linux server and change the SSH configuration file to give themselves access. Then security analytics will automatically detect this change because it is an unexpected change in configuration that was not done by the system administrator.
Monitor Process Activities and Detect Changes
Security analytics can also be useful to monitor process activities and detect any changes in normal processes that might indicate an attack has occurred. For example, if a malware process is on a system after it starts; then it would flag this change because it is an unexpected activity for a system process.
Monitor User Activity
It can also be useful to monitor user activity on the network and flag any user accounts. Perhaps that have been created out of the blue; or users that have logged into servers they had never logged into before which could indicate an intruder trying to get around your defenses by using legitimate credentials without having first stolen them – also the ‘impersonation’ attacks.
Look up in any Changes in Firewall Rules
Security analytics can be useful to look at any changes in firewall rules; or other security controls that might have been made. For instance, by an attacker after they compromise your systems. So you can automate the detection of what kind of people are attacking your organization. Such as, how they are doing it, where they came from (geographically), and what kind of attacks they are using.
Look up in any Changes in Host Registration
It can also be used to look at any changes in host registration on your network (e.g. DNS, DHCP, Network Access Control) and detect any unauthorized changes that might have been made by an attacker after they compromised a network host.
For example, if an attacker added a secondary domain name server to the configuration of a system after they compromised it, then it will detect this change because it is an unexpected change in configuration that was not done by the system administrator.
Security Analytics for Security Operations
In summary, Security analytics helps you automatically detect new attacks and intrusions by flagging any unusual activities on your network.
Security analytics for operations is a method of automating the data analysis process used by security analysts to detect intrusions and other threats to their network. In addition, security analytics for security operations performs the same detection tasks as a human analyst with the exception that it can do these tasks in a fraction of the time, saving your organization both time and money.
