As Threat Actors have become more sophisticated and developed better evasion techniques, Auditing/Monitoring has become a huge and complex topic area. So, we break this operational need out into more specific capability areas, each discussed in a separate article:
Of course, simply collecting and aggregating huge volumes of monitoring data, streaming in from sensors, is no guarantee that the Security Operations team will be able to actually detect malicious activity in the environment. Finding the proverbial “needle in a haystack” is tough enough, even without adversaries skillfully covering their tracks or possibly leaving intentionally deceptive evidence behind to mislead your forensics. This is where a range of Detection Analytics capabilities needs to be considered.
The simplest forms of capability in this category are basic tools like vulnerability auditing or security information & event management (SIEM). While not strictly “analytics” capabilities, these are the fundamental building blocks of “detection” required to minimally demonstrate "due diligence" and comply with most policies and regulations.
Building on these, more advanced security analytics capabilities have been evolving for at least a few decades – starting with simple tools like log analyzers, evolving through generations of “signature-based” anti-virus/anti-malware and intrusion detection systems (IDS), and arriving at moderately advanced statistical analytics and "anomaly-based" detection performed on the centralized “big data” collections described in an earlier article.
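To make the distinction between the two generations concrete, here is an added example (not code from this article or from any of the tools it names) that runs a signature-style rule and a simple anomaly-style analytic side by side over a handful of constructed authentication log lines. The log format, field names, the per-host baseline history, the failed-login threshold and the z-score cutoff are all assumptions chosen for illustration.

```python
"""Signature-based vs. anomaly-based detection over constructed auth logs.

Added example, not from the article. The log format and every threshold
below are assumptions, not a real product's rule set.
"""
import re
import statistics
from collections import Counter

# Constructed sample log lines (not captured from any real system).
# Assumed format: "<ts> host=<h> user=<u> event=<login_ok|login_fail> src=<ip>"
SAMPLE_LOGS = (
    # 6 failures from one source against web01 (trips the signature rule)
    [f"2024-01-10T08:{i:02d}:00Z host=web01 user=admin event=login_fail src=203.0.113.5"
     for i in range(6)]
    # 2 failures from another source (stays under the threshold)
    + [f"2024-01-10T09:0{i}:00Z host=web01 user=bob event=login_fail src=198.51.100.7"
       for i in range(2)]
    # 10 successful logins on web01: normal volume for that host
    + [f"2024-01-10T10:{i:02d}:00Z host=web01 user=alice event=login_ok src=10.0.0.4"
       for i in range(10)]
    # 7 successful logins on db01: far above its usual 2-3 per day
    + [f"2024-01-10T11:{i:02d}:00Z host=db01 user=svc_backup event=login_ok src=10.0.0.9"
       for i in range(7)]
    # 2 successful logins on jump01, whose baseline is perfectly flat at 1/day
    + [f"2024-01-10T12:0{i}:00Z host=jump01 user=ops event=login_ok src=10.0.0.12"
       for i in range(2)]
    # one malformed line, to show the parser skipping instead of crashing
    + ["2024-01-10T13:00:00Z this line is malformed and must be skipped"]
)

# Constructed per-host history of successful logins per day (7 prior days).
BASELINE = {
    "web01": [10, 12, 11, 9, 10, 11, 12],
    "db01": [2, 3, 2, 2, 3, 2, 3],
    "jump01": [1, 1, 1, 1, 1, 1, 1],   # zero variance: the edge case below
}

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_detect(events, threshold=5):
    """Signature-style rule: a fixed pattern with a fixed count.

    Flags every source IP with `threshold` or more failed logins. Simple,
    explainable, and blind to anything the rule author did not anticipate.
    """
    fails = Counter(e["src"] for e in events if e["event"] == "login_fail")
    return sorted(src for src, n in fails.items() if n >= threshold)


def anomaly_detect(events, baseline=BASELINE, z_threshold=3.0):
    """Anomaly-style analytic: compare today's per-host login volume
    against that host's own history using a z-score.

    Returns {host: z} for hosts whose volume is more than `z_threshold`
    standard deviations above their mean. A flat baseline (stdev == 0)
    would divide by zero, so any increase over the mean is treated as
    an anomaly of unbounded score instead.
    """
    today = Counter(e["host"] for e in events if e["event"] == "login_ok")
    flagged = {}
    for host, history in baseline.items():
        mean = statistics.mean(history)
        stdev = statistics.stdev(history) if len(history) > 1 else 0.0
        count = today.get(host, 0)
        if stdev == 0.0:
            z = float("inf") if count > mean else 0.0
        else:
            z = (count - mean) / stdev
        if z > z_threshold:
            flagged[host] = round(z, 2)
    return flagged


def run(lines=SAMPLE_LOGS):
    """Run both analytics over the same parsed events."""
    events = parse(lines)
    return {
        "signature_hits": signature_detect(events),
        "anomaly_hits": anomaly_detect(events),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

Run as a script it reports the brute-force source under the signature rule and `db01` and `jump01` under the anomaly analytic, while `web01` is quiet in both. The design point is the one the paragraph makes: the signature rule only knows the pattern it was written for, whereas the anomaly analytic needs no prior description of the attack but does need a per-entity baseline, and has to cope with degenerate baselines such as a host that sees exactly one login every day.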
[sidebar] A good repository of examples for such detection analytics is MITRE's "Cyber Analytics Repository". The "CAR" is a very practical, continuously evolving knowledge base of analytics based on MITRE's "ATT&CK" adversary model, and Lockheed Martin's Cyber Kill Chain®.