Cloud Security | Compliance | Threat Stack

Accelerating Mean-Time-To-Know With Security Analytics

There are few cybersecurity KPIs more important than mean-time-to-know (MTTK) and mean-time-to-respond (MTTR). Threat Stack provides alerts to cybersecurity professionals that can make an enormous difference in a company’s ability to drive these metrics down. As attackers and malware become more sophisticated, security teams must consistently improve their MTTK and MTTR to stay ahead. To do this, it’s critical to quickly grasp if anomalies and risky behaviors represent significant threats, where they are occurring within the environment, and in what context, in order to take appropriate action rapidly.

However, this type of critical context is often siloed within complex reporting tools and separate applications that are disconnected from the day-to-day workflows of security analysts. This creates enormous friction and leads to a reactive, as opposed to proactive, use of analytics, which slows down security teams and hinders their ability to efficiently triage and remediate risk.

Threat Stack consistently strives to reduce MTTK and MTTR for security organizations. New capabilities such as ThreatML and EC2 context enrichment bring relevant context directly into an organization’s risk assessment, triage, and remediation workflows. This enables them to quickly determine the severity of issues and how to prioritize and respond to them. And today, we’ve further enhanced the Threat Stack Cloud Security Platform® by adding security analytics, providing even more contextual insights. 

Security Analytics

Security analytics is a new capability that further enhances the Threat Stack Cloud Security and Compliance platform by providing deeper insights and context into risk within your cloud workloads. 

Threat Stack’s security analytics surfaces valuable security insights and visualizes them in an easy-to-consume user interface. With this information, security teams can proactively identify risk trends, improve rule creation and alert tuning, and effectively troubleshoot and remediate risk in real time across their cloud infrastructure and applications. Threat Stack’s security analytics removes the need for security analysts to branch off into separate workflows, applications, and/or data silos by placing modern analytics at their fingertips, directly within the Threat Stack UI.

Specifically, security analytics analyzes critical aspects of cloud workloads, including:

  • User behavior and patterns
  • Unique system services and network communications patterns
  • Unique cloud identities along with respective types and patterns of access
  • Unexpected file actions
  • Unpatched servers that could produce severe vulnerabilities

Choose an Approach that Matches your Role

Different roles will want to pose various questions to the data, and security analytics will enable them to do just that. For example, security leaders need a strategic, top-down view, so they will look to security analytics for a holistic view of their security posture and drill down or filter the data to specific areas of concern and then go into the associated events for the details. 

On the other hand, security analysts will typically start from the bottom up, with more tactical questions to address through the data. Therefore, they’re more likely to begin within the event and then pivot into security analytics for the larger view, to verify the baseline of a specific behavior and determine its actual level of risk and broader impact on the business.

Whatever the role, security analytics provides meaningful context that enables security teams to shave crucial minutes off the time between an alert showing up and determining whether it represents a severe threat that deserves further attention. I think I speak for everyone in the security industry when I say that the less time attackers, malware, and other threats have to infiltrate our cloud environments, the better.