Hacking Book | Free Online Hacking Learning


SANS: 2014 Security Analytics and Security Intelligence Survey Report

Posted by truschel at 2020-04-08

In October 2014, following the 2014 Log Management Survey, SANS released the 2014 Security Analytics and Intelligence Survey.

As I mentioned in my previous post, SANS believes that security analytics and log management are gradually separating. Mainstream SIEM / security management platform vendors now focus more on security analytics and security intelligence in order to deliver the so-called next-generation SIEM / security management platform. Security analytics and security intelligence are, in turn, closely tied to BDA (big data analytics).

SANS adopts Gartner's definition of security intelligence. The earliest definition of security intelligence comes from Gartner Fellow Joseph Feiman (2010 report, "Preparing for the Rise of Enterprise Security Intelligence"). This was pointed out explicitly in the 2013 survey report.

This year, SANS gives a definition of security analytics (or security data analysis):

The discovery (through various analysis techniques) and communication (for example, through visualization) of meaningful patterns or intelligence in data.

SANS also traces the origin of security analytics back to 1986. From the earliest IDS, through SIEM, to today's security intelligence, a development timeline of security analytics has taken shape.

On security intelligence, SANS adds a footnote: security intelligence is not automated machine intelligence; it also requires the participation of trained security analysts. Well, as I have repeatedly said before

In the report, SANS also defines threat intelligence as the set of data collected, assessed and applied regarding security threats, malicious actors, exploits, malware, vulnerabilities and indicators of compromise.

[Note: security intelligence and security/threat intelligence share the same English word "intelligence", but the meanings differ. I have distinguished them on my blog before, and I will sort this out for you later.]

SANS surveyed 350 IT professionals. The report shows that [I have excerpted only the points of interest to me, not all of them; please forgive me]:

1) 47% of respondents are still investing in SIEM and obtain security analytics capability through an enhanced SIEM;

2) 27% of respondents apply internal threat intelligence correlation to their SIEM;

3) 61% of respondents think big data will play an essential role in security analytics (36% think it plays a key role; 25% think it is necessary but not the most critical factor);

4) 47% of respondents think their intelligence and analytics practice has reached an initial level of automation;

SANS conducted a number of targeted surveys. Among them, for "barriers to detection and response", the top barrier is the lack of visibility into applications, supporting systems and vulnerabilities (39.1%); the second is the difficulty of understanding and identifying normal behavior, which in turn makes abnormal behavior impossible to identify; the third is the shortage of trained people; the fourth is not knowing what key information should be collected, or how to relate it. [Think about it: it is almost the same in China, and probably more serious.]

When asked "which system-generated logs do security analysts mainly look at", 57% chose alerts generated by traditional perimeter defense devices (FW / IDP); 42% chose alerts generated by endpoint monitoring systems (such as anti-virus). In addition, 37% chose "automatic SIEM alerts", and 32% chose analyzing events through SIEM / LM and raising alerts manually. SANS reads these results as showing that the next-generation SIEM has the ability to analyze automatically and alert intelligently.
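Two of the capabilities discussed above (correlating internal threat intelligence against SIEM events, and learning what "normal" looks like per host so that abnormal behavior can be identified) are small enough to show in working code. The block below is an added example, not code from the SANS report or from this post. It assumes a hypothetical key=value firewall connection-log format; the log lines, the IP addresses (RFC 5737 documentation ranges) and the indicator list are all constructed for the example.

```python
"""Minimal security-analytics pass over constructed firewall connection logs.

Added example, not from the SANS report or the original post. It shows
threat-intelligence correlation against events, and a per-host baseline of
normal behaviour used to flag departures from it. Everything below
(log format, addresses, indicators) is constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical key=value connection record format (constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed "learning" window: two hosts with steady, similar traffic.
TRAINING_LOGS = """\
2014-10-01T08:01:02 src=10.0.0.5 dst=192.0.2.20 dport=443 bytes=1100
2014-10-01T08:15:40 src=10.0.0.5 dst=198.51.100.10 dport=443 bytes=1300
2014-10-01T09:02:11 src=10.0.0.5 dst=192.0.2.20 dport=443 bytes=1200
2014-10-01T09:47:59 src=10.0.0.5 dst=198.51.100.10 dport=443 bytes=1400
2014-10-01T08:05:13 src=10.0.0.9 dst=198.51.100.10 dport=443 bytes=800
2014-10-01T08:33:27 src=10.0.0.9 dst=198.51.100.10 dport=443 bytes=900
2014-10-01T09:10:44 src=10.0.0.9 dst=198.51.100.10 dport=443 bytes=850
2014-10-01T09:58:03 src=10.0.0.9 dst=198.51.100.10 dport=443 bytes=950
"""

# Constructed "detection" window, including one malformed line.
NEW_LOGS = """\
2014-10-02T08:03:10 src=10.0.0.5 dst=192.0.2.20 dport=443 bytes=1250
2014-10-02T08:21:55 src=10.0.0.5 dst=203.0.113.77 dport=443 bytes=1300
2014-10-02T08:40:02 src=10.0.0.9 dst=198.51.100.10 dport=443 bytes=50000
2014-10-02T09:12:30 src=10.0.0.42 dst=198.51.100.10 dport=443 bytes=500
this line is not a connection record
"""

# Constructed indicator feed, the kind an internal TI process would maintain.
THREAT_INTEL = {"203.0.113.77": "known C2 node (constructed indicator)"}


def parse_line(line):
    """Return an event dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def parse_logs(text):
    """Parse a block of records, dropping lines that do not match the format."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def match_indicators(events, intel):
    """Threat-intelligence correlation: an event to a listed destination is an alert."""
    return [
        (ev["ts"], ev["src"], ev["dst"], intel[ev["dst"]])
        for ev in events
        if ev["dst"] in intel
    ]


class Baseline:
    """Per-host model of 'normal': destinations seen, and transfer-size statistics."""

    def __init__(self, training_events, sigma_threshold=3.0):
        self.sigma_threshold = sigma_threshold
        self.dests = defaultdict(set)
        sizes = defaultdict(list)
        for ev in training_events:
            self.dests[ev["src"]].add(ev["dst"])
            sizes[ev["src"]].append(ev["bytes"])
        # Population std-dev. A host whose training sizes are all identical gets
        # sigma 0, so any larger transfer is flagged; real deployments should
        # require a minimum sample size before trusting a baseline.
        self.stats = {h: (mean(s), pstdev(s)) for h, s in sizes.items()}

    def score(self, ev):
        """Return the reasons an event departs from the baseline (empty list = normal)."""
        host = ev["src"]
        if host not in self.stats:
            return ["host never seen in baseline"]
        reasons = []
        if ev["dst"] not in self.dests[host]:
            reasons.append("new destination for host")
        mu, sigma = self.stats[host]
        if ev["bytes"] > mu + self.sigma_threshold * sigma:
            reasons.append("transfer size exceeds baseline by >%g sigma" % self.sigma_threshold)
        return reasons


def detect_anomalies(baseline, events):
    """Score every event; keep only those with at least one reason."""
    flagged = []
    for ev in events:
        reasons = baseline.score(ev)
        if reasons:
            flagged.append((ev["ts"], ev["src"], ev["dst"], reasons))
    return flagged


if __name__ == "__main__":
    baseline = Baseline(parse_logs(TRAINING_LOGS))
    new_events = parse_logs(NEW_LOGS)
    for hit in match_indicators(new_events, THREAT_INTEL):
        print("TI match", hit)
    for anomaly in detect_anomalies(baseline, new_events):
        print("anomaly ", anomaly)
```

Run as a script it prints one indicator match (10.0.0.5 contacting the listed address) and three baseline departures: the same connection as a never-before-seen destination for that host, a transfer from 10.0.0.9 far above its learned size distribution, and a source host absent from the training window. The two detections are independent on purpose: the indicator match needs no baseline, and the baseline catches the new destination even if the indicator feed is empty, which is the point of combining intelligence with analytics rather than relying on either alone.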

When asked "which detection technologies need to interact with security intelligence", almost every detection technology was named, which confirms how broadly security intelligence depends on technology integration. At present the main interactions (integrations) are with FW / UTM / IDP, vulnerability management, host-based malware analysis (endpoint anti-virus), SIEM and LM. Planned future interactions are mainly with network-based malware analysis (sandboxing), NAC and user behavior monitoring.

When asked about "satisfaction with current security analytics capability", respondents were most satisfied with analysis performance and response time, and least satisfied with the visibility provided by security analytics. The training and shortage of analysts ranked third among the dissatisfactions.

When asked about the most valuable role of applying security analytics, the first choice was discovering unknown threats, the second was detecting insider threats, and the third was reducing false positives.

When asked about "future investment in security analytics / intelligence", 67% of respondents chose training / personnel, followed by incident response capability and SIEM (47%). In addition, more than 20% chose network packet-based analysis, user behavior monitoring, intelligence, and big data analytics engines.


SANS: 2014 Log Management Survey Report

SANS: 2013 Security Analytics Survey Report