What are cyber analytics?

Cyber analytics involve the use of algorithms, statistical analysis, behavioral analytics, machine learning, and other classes of analysis to solve cybersecurity problems in a way that traditional security controls cannot. Cyber analytics are often compared with indicators of compromise (IoCs), but are distinguished by the use of analysis to detect potential and unknown threats that signature-based IoCs miss.

We face cyber attacks every day. And Southern Company isn’t alone – attacks are occurring across critical infrastructure. While Southern Company maintains a mature cybersecurity posture, the role of its security leadership is to ensure that the company is always anticipating and planning for the next attempt to compromise its facilities and services. Southern Company invested in its partnership with IronNet to increase its ability to detect Advanced Persistent Threats (APTs), reduce dwell time, and more quickly recover in the event of an attack.
- Tom Wilson
VP and CISO at Southern Company

What is the history of cyber analytics?

Cybersecurity has always been a dance between attackers and defenders. In the beginning, defenders used rudimentary signatures such as file hashes and IP addresses to detect malicious activity. But as attackers learned these security controls, they adapted their methods to avoid known signatures in order to defy detection. 

Defenders responded by implementing more flexible techniques such as deep packet inspection and identifying binary sequences within files. Around the same time, cybersecurity controls started using more heuristics in detection and mitigation, giving defenders a better sense of whether detected activity was malicious. 

Cyber analytics use anomaly detection and other statistical techniques to identify deviations from past behavior. Machine learning and deep learning extend these detection and mitigation capabilities further. Because these techniques key on behavior rather than on a fixed artifact, they cover a much broader range of malicious activity and are harder (though not impossible) for attackers to subvert: an adversary must now blend in with normal activity rather than simply change a hash or an IP address. Advanced Network Detection and Response solutions leverage cyber analytics to detect threats to networks based on threat behavior.

To learn more:

See how Southern Company uses cyber analytics

Step up your detection game with behavioral analytics
IronNet’s IronDome and Collective Defense solution helps us as an MSSP and ultimately our clients do more with less. We are able to scale our SOC by having a very sophisticated tool that reduces false positives and identifies threats that otherwise may not have been picked up by traditional monitoring tools.
ARNO ROBBERTSE
CEO of ITC Secure

What are the main types of cyber analytics?

Unsupervised anomaly detection

Anomaly detection is a variety of unsupervised machine learning that aims to identify deviations from past behavior. For organizations, anomalies come in many forms – there are frequent anomalies such as employees going on vacation, and large anomalies such as the COVID-19 pandemic where suddenly the entire workforce is working remotely. Tailoring anomaly detection models to a specific use case allows organizations to find only the anomalies that are relevant for cybersecurity.

Anomaly detection is particularly useful in endpoint and user behavioral analytics. Unsupervised learning algorithms model the normal behavior of endpoints and users, surfacing activity that departs from that baseline. Anomalous is not the same as malicious, so the output is a prioritized lead for investigation rather than a verdict, but because the models do not depend on known examples of attacks, they can surface threats that no signature or labelled dataset has captured.
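The point about tailoring the model to the entity it watches is easiest to see in code. The following is an added example, not IronNet's code or any product's analytic: it builds a robust per-host baseline (median and median absolute deviation) over constructed daily outbound-traffic volumes and flags days that deviate from that host's own history. The host names, the traffic figures and the 3.5 cut-off are assumptions for illustration; a pooled variant is included only to show why a single global baseline produces the irrelevant anomalies the text warns about.

```python
"""Unsupervised anomaly detection over per-host outbound traffic volumes.

Added example (not IronNet code): each host gets its own robust baseline
(median and median absolute deviation), and days whose volume deviates far
from that baseline are flagged. No labelled attack data is needed.
"""
from statistics import median

# Constructed sample: daily outbound bytes per host over 14 days.
# host-b is normally quiet and then pushes ~200 MB out on day 13.
# host-c is a busy file server whose ~50 MB/day is normal for it.
SAMPLE_TRAFFIC = {
    "host-a": [1.2e6, 1.1e6, 1.4e6, 1.0e6, 1.3e6, 1.2e6, 1.5e6,
               1.1e6, 1.3e6, 1.2e6, 1.4e6, 1.3e6, 1.2e6, 1.1e6],
    "host-b": [2.0e5, 2.2e5, 1.9e5, 2.1e5, 2.0e5, 2.3e5, 1.8e5,
               2.0e5, 2.1e5, 2.2e5, 1.9e5, 2.0e5, 2.0e8, 2.1e5],
    "host-c": [5.0e7, 4.8e7, 5.2e7, 5.1e7, 4.9e7, 5.0e7, 5.3e7,
               4.7e7, 5.0e7, 5.1e7, 4.9e7, 5.2e7, 5.0e7, 4.8e7],
}


def robust_zscores(values):
    """Modified z-scores: 0.6745 * (x - median) / MAD, where ~3.5 is a
    common outlier cut-off. Median/MAD are used instead of mean/stddev
    because a single huge exfiltration day would otherwise inflate the
    very baseline it is supposed to stand out from."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        mad = 1e-9  # perfectly flat series: any deviation is an outlier
    return [0.6745 * (v - med) / mad for v in values]


def detect_anomalies(traffic, threshold=3.5):
    """Per-entity baseline: each host is compared only with its own history.
    Returns (host, day, z) for every day beyond the threshold."""
    findings = []
    for host, series in traffic.items():
        for day, z in enumerate(robust_zscores(series), start=1):
            if abs(z) > threshold:
                findings.append((host, day, round(z, 1)))
    return findings


def detect_anomalies_global(traffic, threshold=3.5):
    """Naive variant for contrast: one baseline pooled across all hosts.
    It flags host-c every single day merely for being busier than the
    others, which is exactly the irrelevant kind of anomaly to avoid."""
    hosts, days, pooled = [], [], []
    for host, series in traffic.items():
        for day, v in enumerate(series, start=1):
            hosts.append(host)
            days.append(day)
            pooled.append(v)
    return [(h, d, round(z, 1))
            for h, d, z in zip(hosts, days, robust_zscores(pooled))
            if abs(z) > threshold]


if __name__ == "__main__":
    print("per-host baseline:", detect_anomalies(SAMPLE_TRAFFIC))
    print("pooled baseline:", len(detect_anomalies_global(SAMPLE_TRAFFIC)), "findings")
```

With the per-host baseline only host-b's exfiltration day is reported; the pooled baseline reports that day plus all fourteen days of the busy file server, fifteen findings of which fourteen are noise. The same scoring logic applies to logins per user, DNS queries per host or any other per-entity count.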

Supervised detection

Supervised modeling is another form of machine learning commonly used in cyber analytics. Whereas a traditional approach to cybersecurity might involve asking a cybersecurity expert for heuristics to identify threats, supervised detection systems use large datasets to learn threat features and characteristics in a principled mathematical approach, enabling organizations to better distinguish between benign and malicious activity. 

While a supervised modeling approach allows precise detections of specific types of cyber threats, it does require threat information to be available for model training and can be less effective in cases where threats are unknown. Supervised detection and unsupervised anomaly detection approaches therefore complement each other in forming complete detection coverage for an organization. 
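The complementarity described above can be shown with a small supervised model. The block below is an added example, not IronNet's code or any product's classifier: a Bernoulli naive Bayes classifier in pure Python, trained on constructed, labelled connection records reduced to four boolean features (the feature names, the records and their labels are assumptions for illustration). It also exposes the per-feature contribution to the verdict, the kind of interpretability a simpler model offers. The last input shows the limit the text names: a connection that matches none of the trained indicators is scored benign whatever it really is, which is why unsupervised anomaly detection is needed alongside.

```python
"""Supervised detection with a Bernoulli naive Bayes classifier.

Added example (not IronNet code): labelled connection records, each reduced
to a few boolean features, train a model that scores new connections.
Pure Python so it runs anywhere; a real deployment would use many more
features and far more data.
"""
import math

FEATURES = ("periodic", "rare_dest", "nonstd_port", "high_entropy_host")

# Constructed labelled training set: (features, label). The labels are the
# "threat information" that supervised learning needs up front.
TRAINING = [
    ({"periodic": 1, "rare_dest": 1, "nonstd_port": 1, "high_entropy_host": 1}, "malicious"),
    ({"periodic": 1, "rare_dest": 1, "nonstd_port": 0, "high_entropy_host": 1}, "malicious"),
    ({"periodic": 1, "rare_dest": 0, "nonstd_port": 1, "high_entropy_host": 1}, "malicious"),
    ({"periodic": 1, "rare_dest": 1, "nonstd_port": 1, "high_entropy_host": 0}, "malicious"),
    ({"periodic": 0, "rare_dest": 1, "nonstd_port": 1, "high_entropy_host": 1}, "malicious"),
    ({"periodic": 1, "rare_dest": 1, "nonstd_port": 0, "high_entropy_host": 0}, "malicious"),
    ({"periodic": 0, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 0}, "benign"),
    ({"periodic": 0, "rare_dest": 1, "nonstd_port": 0, "high_entropy_host": 0}, "benign"),  # new SaaS vendor
    ({"periodic": 1, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 0}, "benign"),  # update checker
    ({"periodic": 0, "rare_dest": 0, "nonstd_port": 1, "high_entropy_host": 0}, "benign"),  # internal app
    ({"periodic": 0, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 0}, "benign"),
    ({"periodic": 0, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 1}, "benign"),  # CDN hostname
    ({"periodic": 1, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 0}, "benign"),
    ({"periodic": 0, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 0}, "benign"),
]


class BernoulliNB:
    """P(class | x) is proportional to P(class) * product over f of P(x_f | class),
    with Laplace smoothing so a feature never seen in one class cannot zero
    out the whole product."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.log_prior = {}
        self.p_one = {}  # p_one[c][f] = P(feature f == 1 | class c)

    def fit(self, rows):
        classes = sorted({label for _, label in rows})
        count = {c: 0 for c in classes}
        ones = {c: {f: 0 for f in FEATURES} for c in classes}
        for x, label in rows:
            count[label] += 1
            for f in FEATURES:
                ones[label][f] += 1 if x[f] else 0
        for c in classes:
            self.log_prior[c] = math.log(count[c] / len(rows))
            self.p_one[c] = {f: (ones[c][f] + self.alpha) / (count[c] + 2 * self.alpha)
                             for f in FEATURES}
        return self

    def log_likelihood(self, x, c):
        ll = self.log_prior[c]
        for f in FEATURES:
            p = self.p_one[c][f]
            ll += math.log(p if x[f] else 1 - p)
        return ll

    def predict_proba(self, x):
        lls = {c: self.log_likelihood(x, c) for c in self.p_one}
        top = max(lls.values())
        w = {c: math.exp(v - top) for c, v in lls.items()}  # log-sum-exp for stability
        z = sum(w.values())
        return {c: v / z for c, v in w.items()}

    def predict(self, x):
        probs = self.predict_proba(x)
        return max(probs, key=probs.get)

    def explain(self, x):
        """Per-feature log-odds contribution toward 'malicious': the part of
        the verdict an analyst can actually read and argue with."""
        out = {}
        for f in FEATURES:
            pm, pb = self.p_one["malicious"][f], self.p_one["benign"][f]
            out[f] = math.log(pm / pb) if x[f] else math.log((1 - pm) / (1 - pb))
        return out


def train_model():
    return BernoulliNB().fit(TRAINING)


if __name__ == "__main__":
    model = train_model()
    beacon = {"periodic": 1, "rare_dest": 1, "nonstd_port": 0, "high_entropy_host": 1}
    novel = {"periodic": 0, "rare_dest": 0, "nonstd_port": 0, "high_entropy_host": 0}
    print("beacon:", model.predict(beacon), model.explain(beacon))
    print("novel technique with no trained indicators:", model.predict(novel))
```

The beacon-like connection is scored malicious with high confidence and `explain` shows which features carried the decision; the connection that trips none of the trained features is scored benign even if it is an attacker living off the land over a popular service, because nothing in the training data describes that behavior.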

Detection correlation

In security parlance, the detection outputs of both unsupervised and supervised models are referred to as spot detections. Spot detections provide information around a single unit of analysis, such as a specific authentication action or executable. Spot detections are useful for making predictions, but they don’t tell the whole story. Detection correlations, on the other hand, allow security experts to combine multiple spot detections to form the complete picture of an attack across an enterprise.

Consider this example: if you’re just analyzing an individual firewall rule, you might think a certain activity was blocked for benign reasons. But with correlation analysis, you can see there was a sequence of related activities that started with an anomalous authentication, followed by the transfer of a file to a remote machine and then the execution of a malicious file. Here, the ability to detect a correlation exposes malicious activity you may have otherwise missed. 
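The sequence in that example, as an added illustration that is not IronNet's code or any product's correlation engine: constructed spot detections from separate analytics are grouped per host, matched in order against the assumed three-stage chain within a time window, and scored together. The host names, timestamps, scores, the 30-minute window and the 0.7 escalation threshold are all assumptions. None of the three ws-17 detections would pass the threshold alone; the correlated incident does.

```python
"""Detection correlation: chaining spot detections into one incident.

Added example (not IronNet code): spot detections from separate analytics
(an anomalous authentication, a file transfer, an execution) are joined
per host, in order, within a time window, and scored together.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed attack pattern; stages must appear in this order on one host.
CHAIN = ("anomalous_auth", "file_transfer", "malicious_exec")

# Constructed spot detections. Each score alone is below a typical 0.7
# escalation threshold; only the ws-17 sequence completes the chain.
SPOT_DETECTIONS = [
    {"ts": "2024-03-04T09:02:11", "host": "ws-17", "user": "jdoe",
     "kind": "anomalous_auth", "score": 0.62},
    {"ts": "2024-03-04T09:05:40", "host": "ws-17", "user": "jdoe",
     "kind": "file_transfer", "score": 0.40},
    {"ts": "2024-03-04T09:07:03", "host": "ws-17", "user": "jdoe",
     "kind": "malicious_exec", "score": 0.55},
    {"ts": "2024-03-04T10:15:00", "host": "ws-22", "user": "asmith",
     "kind": "anomalous_auth", "score": 0.45},
    {"ts": "2024-03-04T14:30:00", "host": "ws-22", "user": "asmith",
     "kind": "file_transfer", "score": 0.35},   # hours later: outside window
    {"ts": "2024-03-04T11:00:00", "host": "srv-db1", "user": "svc_backup",
     "kind": "file_transfer", "score": 0.30},   # lone, routine-looking
]


def _ts(d):
    return datetime.fromisoformat(d["ts"])


def combined_score(scores):
    """Noisy-OR: probability that at least one stage is a true positive,
    treating the stages as independent pieces of evidence."""
    p_all_false = 1.0
    for s in scores:
        p_all_false *= 1.0 - s
    return 1.0 - p_all_false


def correlate(detections, chain=CHAIN, window=timedelta(minutes=30)):
    """Return one incident per complete, in-order chain on a single host
    whose stages all fall within `window` of the first stage."""
    by_host = defaultdict(list)
    for d in sorted(detections, key=_ts):
        by_host[d["host"]].append(d)

    incidents = []
    for host, events in by_host.items():
        for i, first in enumerate(events):
            if first["kind"] != chain[0]:
                continue
            matched, stage = [first], 1
            for ev in events[i + 1:]:
                if stage == len(chain) or _ts(ev) - _ts(first) > window:
                    break
                if ev["kind"] == chain[stage]:
                    matched.append(ev)
                    stage += 1
            if stage == len(chain):
                incidents.append({
                    "host": host,
                    "user": first["user"],
                    "start": first["ts"],
                    "end": matched[-1]["ts"],
                    "steps": [m["kind"] for m in matched],
                    "events": matched,
                    "score": round(combined_score(m["score"] for m in matched), 4),
                })
    return incidents


def triage(detections, threshold=0.7):
    """What reaches an analyst: correlated incidents, plus any spot
    detection strong enough on its own that is not already part of one."""
    queue = correlate(detections)
    covered = {(e["host"], e["ts"], e["kind"]) for inc in queue for e in inc["events"]}
    for d in detections:
        if d["score"] >= threshold and (d["host"], d["ts"], d["kind"]) not in covered:
            queue.append({"host": d["host"], "user": d["user"], "start": d["ts"],
                          "end": d["ts"], "steps": [d["kind"]], "events": [d],
                          "score": d["score"]})
    return sorted(queue, key=lambda q: q["score"], reverse=True)


if __name__ == "__main__":
    for item in triage(SPOT_DETECTIONS):
        print(item["host"], item["user"], item["steps"], item["score"])
```

Shrinking the window to three minutes breaks the ws-17 chain and the incident disappears, which is the tuning trade-off in practice: a window wide enough to catch a slow operator but narrow enough not to stitch unrelated events together. The ws-22 authentication and file transfer are five hours apart and correctly stay separate.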

Collective Defense is a collaborative approach to cybersecurity that extends correlation detection beyond the enterprise. Organizations that participate in a collective defense system can see attack trends or sequences of events across their industry, enabling a more proactive defense. By analyzing common techniques based on real-world observations, as mapped within the MITRE ATT&CKⓇ Framework, you can start to assess where you need to shore up your defenses.

Are there any issues with
cyber analytics?

The field of cyber analytics teems with buzzwords and misconceptions. One common misconception is that a more complex model is a more effective one. It isn't: complexity can obscure how a result was reached and can mask poor accuracy behind an impressive architecture, whereas a simpler model whose decisions an analyst can read is easier to validate and tune. It is therefore important to understand which modeling approach suits which problem, and to apply each technique where it fits.

When analyzing network traffic, you can have accurate and effective models, but everything is predicated on visibility: you can't determine whether an executable is malicious if you can't see it. Attacker techniques such as in-memory execution, which never writes a file to disk, make malicious files harder to spot. Similarly, on endpoints, attackers can abuse executables that are already present and otherwise benign to do something malicious. This illustrates the need to deploy cyber analytics across the cloud, network, and endpoints rather than at a single vantage point.

“Signature-based cybersecurity solutions are unlikely to deliver the requisite performance to detect new attack vectors. In fact, our data shows that 61% of organizations acknowledge that they will not be able to identify critical threats without AI.”

How can you detect ransomware with cyber analytics?

IronNet's behavioral analytics are designed to detect ransomware attack behaviors in advance of the ransom stage, rather than the ransom itself.

[Image: ransomware attack timeline, with and without IronNet]

What are some of IronNet's cyber analytics?

IronDefense is a Network Detection and Response platform that improves visibility across the threat landscape and raises detection efficacy within your network environment, letting your SOC team get more out of existing cyber defense tools, resources, and analyst capacity. It uses network behavioral analysis built on artificial intelligence and machine learning, proven on highly secure networks, and scales that analysis to the largest enterprises.

How IronNet behavioral analytics detected SolarWinds/SUNBURST TTPs

Alert correlation within a single enterprise, done as a principled method, reduces false positives while maintaining high recall, and IronNet's IronDefense takes this approach. Truly novel attack vectors, however, require additional measures to build a fuller picture of the threat landscape at any given time. See how IronNet behavioral analytics detected the attacker activity behind the SolarWinds attack.


With a Collective Defense approach, correlation across the SOC analyst teams in an IronNet Collective Defense community separates crying wolf from an urgent and real need to batten down the hatches against the real wolves lurking in the network.

How can you integrate cyber analytics?

Because cyber analytics require data to detect threats, it’s important for solutions to integrate with other cybersecurity products. IronNet's cyber analytics integrate well with SIEM and SOAR systems within your Network Detection and Response (NDR) security stack.
Integration with your SIEM

Integrating with security information and event management (SIEM) systems gives cyber analytics products context into threat information, events and alerts, painting a more complete picture of enterprise threats.

Integration with your SOAR

Integrating with cyber analytics products gives security orchestration, automation, and response (SOAR) systems better information for remediation actions.


To learn more:

Accelerating threat detections with behavioral analytics