Field of the Invention
The present invention relates in general to the field of information security, and more particularly to an automated security analytics platform.
Description of the Related Art
Information technology has made businesses, government and individuals more efficient. Mobile networking allows end users to interact with work, government and home resources from almost anywhere and at almost any time. To support networking resources, business and government enterprises often employ information technology (IT) specialists who maintain the networking resources and protect them, and the enterprise information they carry, from unauthorized access. IT specialists employ a variety of tools to maintain network security, such as firewalls, intrusion prevention systems, anti-virus applications, spam filtering applications, phishing protection applications, identity management and security event management. Unfortunately, conventional network security tools have weaknesses and vulnerabilities that cyber criminals attack and penetrate to access sensitive information.
IT specialists attempt to protect network assets from attacks with conventional network security tools and by monitoring network activity to detect and counteract attacks. For example, IT specialists collect network telemetry, such as events, flows, logs, and user authorizations and authentications. The network telemetry is stored in a database using conventional database servers that communicate with networking resources. The network telemetry is then retrieved and analyzed to identify unauthorized network accesses and access attempts. Often, network telemetry represents a substantial amount of data that IT specialists must sort and process to identify potential security threats. Gathering and analyzing historical network telemetry to identify security threats enhances conventional security measures; however, the process takes time and all too often provides information about a network security threat only after a breach has already occurred.
Cyber criminals have many advantages in their malicious work against IT security measures. Cyber criminals mount multi-stage attacks to pursue financial assets, intellectual property, control of network telemetry, and government and trade secrets. Rule-based security measures can only react to known threats, that is, to activity that matches an existing rule. Anomaly detection systems help detect new types of attacks; however, they also consume large amounts of data that must be collected and analyzed over lengthy time periods before a baseline exists. Anomaly detection systems therefore respond with a delay, compounded by the inherent performance limitations of relational databases when processing network information with the various known analytics. Policy-based devices, such as firewalls and identity products, suffer from bit-rot and configuration errors that leave vulnerabilities waiting for an attacker. Cyber criminals working against conventional network security tools have IT specialists outnumbered and outgunned. Cyber criminals patiently harvest information from social media or phishing campaigns and use sophisticated tools that enable protracted entry and exfiltration. If IT specialists or enterprise employees make a misstep, leave a door ajar or unknowingly hand over a copy of the network house keys, cyber criminals will eventually find access to network resources.
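The contrast drawn above between rule-based and anomaly-based detection can be made concrete. The following is an added example, not part of the original specification or of any product it describes: it runs a fixed brute-force rule and a per-user baseline over constructed authentication events. The user names, addresses, thresholds and the seven-day baseline window are illustrative assumptions. It shows that the rule catches only the attack shape it encodes, that the baseline catches a single novel login the rule cannot, and that with no historical telemetry the baseline flags nearly everything, which is the data-and-time dependency described above.

```python
"""Rule-based vs. baseline-anomaly detection over constructed authentication events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, user, src_ip, outcome).
# Seven days of routine logins form the history; two suspicious patterns follow on day 8.
EVENTS = []
for day in range(1, 8):
    for hour in (9, 13, 17):
        EVENTS.append((datetime(2024, 1, day, hour, 0), "alice", "10.0.0.5", "success"))
        EVENTS.append((datetime(2024, 1, day, hour, 5), "bob", "10.0.0.9", "success"))
# Known attack shape: a password-guessing burst against bob from one host.
for i in range(6):
    EVENTS.append((datetime(2024, 1, 8, 10, 0, i * 5), "bob", "203.0.113.7", "failure"))
# Novel attack shape: one valid login for alice from an unseen host at 03:00 (stolen credential).
EVENTS.append((datetime(2024, 1, 8, 3, 0), "alice", "198.51.100.4", "success"))


def rule_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failures from one source within `window`.

    Returns the set of source IPs that match. Anything that does not look like
    this burst, such as a single successful login with stolen credentials, is invisible to it.
    """
    by_ip = defaultdict(list)
    for ts, _user, ip, outcome in events:
        if outcome == "failure":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return flagged


def build_baseline(events):
    """Per-user profile of source hosts and hours of day seen on successful logins."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, ip, outcome in events:
        if outcome == "success":
            hosts[user].add(ip)
            hours[user].add(ts.hour)
    return hosts, hours


def anomaly_logins(events, baseline):
    """Flag successful logins from a host AND an hour the user has never used before."""
    hosts, hours = baseline
    return [(user, ip) for ts, user, ip, outcome in events
            if outcome == "success" and ip not in hosts[user] and ts.hour not in hours[user]]


def run(events, baseline_days=7):
    """Split telemetry into history (baseline) and recent, then apply both detectors to recent."""
    history = [e for e in events if e[0].day <= baseline_days]
    recent = [e for e in events if e[0].day > baseline_days]
    return {
        "rule": rule_brute_force(recent),
        "anomaly": anomaly_logins(recent, build_baseline(history)),
    }


if __name__ == "__main__":
    print("with 7 days of history:", run(EVENTS))
    # With no history the baseline is empty and every login is "anomalous": noise, not detection.
    print("with no history, anomalies flagged:", len(run(EVENTS, baseline_days=0)["anomaly"]))
```

With seven days of history the rule flags 203.0.113.7 and misses the 03:00 login, while the baseline flags only alice's login from 198.51.100.4. With no history the same baseline logic flags all 43 successful logins, which is why an anomaly system is only useful after enough telemetry has accumulated.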