Information Security Analytics from Syngress

Information Security Analytics from Syngress

Finding security insights, patterns and anomalies in big data

Information Security Analytics: Finding Security Insights, Patterns, and Anomalies in Big Data by Mark Ryan M. Talabis, Robert McPherson, Inez Miyamoto and Jason L. Martin
This book provides insights into the practice of analytics and, more importantly, how readers can utilize analytic techniques to identify trends and outliers that may not be possible to identify using traditional security analysis techniques. It contains information on open-source analytics and statistical packages, tools, and applications, as well as step-by-step guidance on how to use analytics tools and how they map to the techniques and scenarios provided. Readers learn how to design and utilize simulations for "what-if" scenarios to simulate security events and processes, and how to utilize big data techniques to assist in incident response and intrusion analysis. Written by security practitioners, forsecurity practitioners, the book includes real-world case studies and scenarios for each analytics technique.

The book contains 183 pages of which 160 are text (not counting foreword, index etc.). A significant amount of the text is examples and listings of code and results. This means this book is actually not all that big. At first this might feel al bit disappointing, after all what did I just spend my money on? This feeling will quickly disappear when you start reading the book. What makes this book so useful is the guided examples and exercises. These take the theory and make things tangible. A book with just theory on security analysis techniques for big data would be useful but with the addition of these case studies and examples the reader will be able to put the theory into practice with little effort.

It is also clear that the reader is meant to be using the book and exercises in an active role, just reading the book will be a waste of the author’s effort to create all these examples. The reader who uses his computer while reading the book and doing all the exercises will spend a large amount of time but it will be worth the effort.

Each chapter begins with a small section detailing the information revealed in that chapter. Most chapters als contain a section with references and tips to expand on the topic of that chapter. This makes this book such a great starting point for people with little knowledge on the subject.

The book consists of 7 chapters.

Chapter 1 contains the mandatory definitions and concepts needed to understand the content of the rest of the book. Many of the techniques used in the book are also used in machine learning. This creates some synergy between this book and some well known online courses that deal with this subject. One of the most important pieces of information in this chapter is the security analytics process that details the steps going from data -> analysis -> security intelligence -> response.

Chapter 2 deals with the tools needed for analyzing data. The most important tools discussed are Hadoop (distributed file system) and MapReduce (data aggregation for Hadoop). The R programming language will be used to perform statistical calculations. For simulations the author makes use of the Arena software product.

Chapter 3 is 42 pages (25% of the total text) and handles analytics and incident response. This is clearly the main focus of the book. The topics explained in this chapter explain how to look for a series of known attack patterns such as SQLi and XSS but also how to look for other anomalies in data such as ratio of failed to successful requests as a time series.

Chapter 4 is quite short in theory (3 pages) but contains an extensive case study on the topic of simulations. A simulation starts out as a model to which parameters are added. The simulation software uses these to return some data, this data needs to be analyzed in order to formulate conclusions. The author shows a use case in which different anti-virus gateway offerings are simulated.

Chapter 5 is dedicated to access analytics. Remote access is widely used and it is important that an organization can quickly discover misuse of access. This chapter uses VPN remote access as the example and makes use of Python scripts to analyze the data.

Chapter 6 explains when and how we can make use of text mining specifically related to security. This technique is used on large amounts of relatively unstructured data such as email, wikis etc.

Chapter 7 contains some information on security intelligence and what the future might hold for security analytics.

Note: the lay out of the book shows a lot of white space at the edge of each page. Even though this gives some room to scribble down notes I personally prefer to have a little less whitespace at the edge of the page.

Steven Wierckx