Securonix Security Analytics Benefits

Greg Stewart
Director of Intellectual Property Protection at a pharma/biotech company with 1,001-5,000 employees
In terms of detecting cyber and insider threats, my primary focus is insider threats. It's excellent at that. The ability for the system to detect events is incumbent upon knowing your own threats and risks and predefining those, to a large extent. If you know your environment well enough to make up your own rules and define exactly what a risk or threat means in your organization, it's outstanding at detecting them. While my primary focus is insider threats, one of the reasons we like SNYPR more than other brands is the entity analysis piece. We have picked up unnamed entities - an infected machine or a machine that had been taken over through a fishing attempt and had a bot installed on it. We have been able to detect malicious software with the system without even predefining the threat or risk model. When it comes to the solution's behavior analytics helping to prioritize advanced threats, as long as you can pre-define what you want it to prioritize, I find it to be excellent at doing that. We have a very small team. It's very important for me to have the Securonix system highlight the most critical threats so that the analyst can see it. We have two models. There are the people who are reacting to something negative in the company, such as someone sending a lot of things to a USB drive or trying to email out a lot of sensitive documents. Those people are easy to catch because their behavior is anomalous to themselves and to others. But for the advanced threats, we have different models in place that will highlight what we call "low and slow" behavior, where someone might be placed in the organization by a competitor or a foreign country, with the intention of removing small amounts of data over a long period of time. We have successfully built models that detect that, as well. Any system can catch the people who are going to "break the window" and steal as much data as they can in 24 hours. It's the advanced threat that's much more intricate, but we have had success with that model. The solution benefits our company overall in the sense that we are protecting intellectual property which is the key to the company's success. But there has been a direct benefit to my team as a force-multiplier. At any given time, I have three or four analysts and we have 120,000 end-users. I feel confident in the increase in the value of cases we have found. We bring in fewer cases per year, overall, and that's attributable to the ability to tune Securonix and drop things that might be more of a "coaching-letter" type of event, rather than an investigation. We're able to tune those so that they are less of a priority than the significant data-loss events. We've been successful at catching the data-loss events. And the functionality within the Spotter tool has helped us eliminate many hours required to create link analysis diagrams, which we used to create by hand. It has easily decreased the time required to investigate alerts by 30 to 35 percent. The Spotter functionality, where we create link analysis diagrams within Securonix, takes about five seconds to do. We type in the pipe symbol, the word "link," and a couple of arguments and it puts the link analysis diagram right in front of us. Before, it was a manual download from three different systems and we would put things into Excel or i2 Analyst's Notebook and do the link analysis diagram that way. That single step alone is something we do for every single case which an analyst writes up, and it easily represents 30 to 35 percent of their time. The solution has also helped us to detect threats that would otherwise have gone unnoticed. In the past, when we were using just a SIEM tool, we had reports on things like the top-ten people each day sending email to a competitor's domain, or top-ten people emailing to a personal domain, or the top-ten people copying data to a USB. We looked at six of these lists every day. When we first started using Securonix, they came to us with an event that their system had detected, something which was a fairly significant event. When I went back and looked at why we hadn't caught it ourselves first, what had happened was that Securonix was able to accurately able to identify, with its pattern-matching functionality, two personal email addresses from this person and correlate that with USB use and their sending of emails to a competitor's domain. Out of the four domains, none was high enough to get on the top-10 lists, but all four together - when they were correlated together as a single event - were very significant. That enabled an analyst to see it and react to it. Securonix has helped to surface high-risk events that require immediate action. The preceding example is a good one. Another good example is correlating events with foreign travel, for instance. One of the things we have programmed in is HR data around a known last-day-worked. We've been able to correlate people whose last day at work was within 48 or 96 hours of having foreign travel booked. Those things, by themselves, don't really mean anything, but as part of a model they add to the score of someone who has data leakage events. We've used those factors successfully to increase the score of someone with leakage events and prioritize them so that we can react before the person has left the company and the country. We moved to their software as a service and cut over to production, officially, in January of this year (about five months ago). It has significantly reduced the amount of time spent by the technical lead on my team doing hands-on patching, maintenance, and troubleshooting on the host server, as well as fixing the server when there were application incompatibility issues. The previous version we had sat on a standard, company Linux server. Securonix was an application package, a COTS, for the most part, that sat on top of a standard-built server. The server represented a cost to us when purchasing it and there was a cost to maintain it. Moving it to the software as a service model in the cloud has completely cut out all of that. It's a less expensive model for us to operate under. The Hadoop-based platform has also provided operational benefits. With the on-premise version that we had before, we were limited in the number of data inputs. As soon as we moved it to their Hadoop-based platform, it became unlimited. It's scalable to whatever size we need. We were able to quickly add six data sources to the system, which were impossible to add before. View full review »
IT Project Manager at a manufacturing company with 10,001+ employees
We've seen a couple of circumstances where people accessed data, especially in our internal application, and we weren't sure how they did it, because they shouldn't have been authorized to access it. We actually found a backdoor on our side. Their access did not go through that backdoor intentionally, but they did find a backdoor way to get the data. We shut that one down as soon as we found it. The other thing we do, where it's been a big help, is that we people who, from a process standpoint, bring down a ton more data than they should. They aren't doing something malicious, but there are ways to bring down simplified data subsets. We've been able to educate the users to take down simplified sets. In essence, that saves them time and effort in having to bring all that data down and then call it up and use it. It's really tough to put hard numbers on that but we have certainly seen a reduction in the amount of these high-volume downloads and it's really been because of a process change on the part of the users. View full review »
Chief Technology Officer at a tech vendor with 51-200 employees
The solution's behavior analytics, in terms of detecting cyber and insider threats, are very effective. We are getting actionable results. When I say actionable results, not every finding is going to be a threat, but every finding is worth investigation. Depending on the investigation, some of them are real threats, some are just bad hygiene, and some are a good finding but not a threat for us. So there is work we still need to do. But whatever they are pointing us to is worth investigating. And that is what I expect from the product. The solution's behavior analytics help to prioritize advanced threats. That's exactly what I mean by "actionable threats." One of the key pain points for us, previously, was that the solution we were using was giving us a lot of low-value indicators which we couldn't even act on. With this solution we have fewer alerts but they're actionable alerts. From there on, it is on our analyst to then decide which ones are threats. And based on that, what we have done with a few things. In some cases we have changed our security policies so that we can have more rules in place to give us stronger access control and better governance around our workstation usage policy. There were certain things we could do to improve our employee behavior and it enabled us to take those steps. Based on some of the cyber-related threats it identified, we were able to upgrade the software we were using for our endpoints so that we had the strongest possible defense. There are certain things that are real threats and certain things that are bad hygiene and in both cases it's still valuable for us to take action. Moving from on-prem to cloud, our analyst's time and effort have been reduced by half. I had to have two people working on the product before we got Securonix. We are a small company so we had two people dedicated: One was creating use cases, maintaining the application; the other was the analyst who was investigating. When we moved to the cloud, the operations part was taken care of by Securonix. They manage the use cases, they manage the upgrades. Now I don't need to have a dedicated person to do that. And my analyst gets higher-value threats to investigate. In summary: First, I have been able to reduce my overhead by half. And second, my analyst is a lot more efficient and the noise in my environment is reduced by at least 70 percent. I was getting seven times more alerts to look at to get to the same results. Now my analyst can go deeper, versus having to rule out seven other things which are not useful. Also, there were a couple of instances of insider threats where we had employee accounts compromised through phishing. Someone got an email from an email address that looked like a valid email address but it was not. It had the first name and last name correct, but the company name was misspelled. The employee clicked on it and his account was compromised. That compromised account was then used to access intellectual property in our environment. Securonix was able to detect that threat. If that data had been leaked, that would have been millions of dollars in losses for us because everything we do is our intellectual property. Securonix, with its behavior analytics, was able to detect that this account was behaving differently, that it was trying to scan all our shared folders and access a lot of documents in a very short period of time. They were all source code files and the employee whose account was compromised was not even a developer. That was one of the biggest threats it detected. The other thing it is very good at identifying is that now, with everything in the cloud, there are no firewalls involved. People can, through social engineering, find out what your email address is and then try to guess your password and access your cloud environment. We see a lot of these brute-force types of activities in the cloud, and Securonix is able to detect a lot of those threats as well. We have some automation in place where we can block or challenge the user with additional credentials. We were able to put that in place as well, as a preventative measure, to stop our cloud environment from being compromised. That's is a big area of concern for us. In terms of operational overhead, one of the benefits is configuration. With our previous product, the issue was that we had to figure out the use case. It was "do-it-yourself." But Securonix is providing us with packaged "apps" for insider threats or cyber threats. So now I don't have to create my own content. In addition, when we were doing this on-prem, we had to have hardware, to worry about patching the hardware. Then we had to worry about patching the operating system. Then we had to worry about patching the Securonix application. All of that, maintaining compliance, was a full-time job. Now, with SaaS, we don't need to do any of that. Securonix maintains it. The third advantage is availability. With on-prem, if you have a network issue, you tend to lose the data for that period of time. With the cloud solution, we have SLAs with Securonix for 99.9 percent uptime. That means I don't have to worry about an outage in the data center or a loss of data. I can hold the vendor accountable for that. So another overhead that I don't need to worry about is disaster-recovery planning for my implementation internally. That is something that the vendor takes care of and I can just focus on monitoring the SLAs that I have with them. View full review »
Learn what your peers think about Securonix Security Analytics. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
438,944 professionals have used our research since 2012.
Edward Ruprecht
Lead Cyber Security Engineer at a insurance company with 1,001-5,000 employees
The areas where behavior analytics helps in terms of advanced threats are around some of the rarity-based policies. An example would be if someone is logging in to a machine for the first time, someone who has never logged in to that machine before. Another would be a rare time of day when somebody is logging in. Policies such as rare suspicious-process also help. We have a list of processes that we typically don't expect many users to run, so if somebody's running one of them in the environment for the first time, it helps us understand that something potentially malicious or at least suspicious is taking place. We had a recent internal penetration test to try to simulate attacker activity, and Securonix really stood out regarding some of its detection capabilities versus our traditional SIEM, with a lot of the policies that we have for rare-process running on a machine. The enumeration-type activities, where it's looking for an increase in the number of, say, accounts that are accessed, or the number of machines or file share that are accessed, was something that stood out significantly for us. An example where the solution detected a threat that would otherwise have gone unnoticed recently was a Word document that launched PowerShell and tried downloading a malicious file. We have a policy which is looking for a rare process launched from a child process, and that detected a specific type of malware. Also, given that the solution is offered as a cloud platform, it probably reduced the potential need for additional headcount. Had we gone with an on-premise solution - because it would have a lot of the administrative tasks of maintaining the hardware and doing updates, and some operational costs - we probably would have required an additional headcount. By going with the cloud, it didn't require us to add to our headcount, and yet we were able to add this new technology. The solution has also enabled our team to focus on threats rather than on engineering of the platform. We're a very hands-on organization. We've done some of the engineering, whether it be to create new policies specific to our environment or specific to a threat that we're looking for. So it has helped us to focus on threats, but we also do a decent amount of engineering. Securonix has decreased the time required to investigate alerts or threats. A lot of the information is right there for us, so it's easy to search and try to help with an investigation. In terms of how much time it has saved us, it's really a case-by-case scenario. It would be difficult to pinpoint an exact time on it. As for the solution surfacing high-risk events that require immediate action, Securonix correlates different policy-violations together into what it calls threat models. There have been a few examples of threat models that have been triggered which gave us a high degree of confidence that there's a threat that we want to investigate right away. Using the threat models has really helped prioritize events of interest for us. View full review »
Amit Chopra
CEO/Executive Director at Iconic Engines
One example of how it has helped our organization is with people who are exiting. We had a lot of issues when people were leaving the organization regarding what documents they were taking and what systems they had access to before they left. There were concerns about whether they did any sabotage or created any backdoors before they left. One of the very big areas of help from the solution is its exit report. Before a user leaves, it provides us with a 90-day report on that user; everything that user has done, what his behavior looked like, what systems he accessed, what data he took out. It gives us a complete picture and we are now able to provide that to HR. Our security team is also able to look at it, and it helps us in making sure that, before anybody leaves our organization, we have taken all the preventative measures and have made sure they're not taking any data. That has been a very crucial use case. The cloud has been a tremendous advance as well. We had no visibility into our cloud. Something that we never had with our traditional SIEM or any of our previous backbones was visibility into what people were uploading on our SharePoint, what people were accessing on our Azure. Cloud has definitely helped us with a lot of visibility and we are getting some good results. We hope they will get even better. View full review »
Adam Fousek
VP Engineering at a financial services firm with 501-1,000 employees
The benefit we've seen is in reducing the number of alerts from stuff that we can tune out easily. Previously, in the solution we used, there wasn't that flexibility, so we received a lot of alerts that we knew were false positives that we easily just dismissed. But it took somebody's time to look at all of those and mark them as false positives. With Securonix the alerts are easier to tune. We can exclude certain log source types. That option wasn't available in solutions we've seen in the past. The ability to tune out stuff that we don't want to see allows the team focus on real events. That's been the biggest benefit. One example of detection of a threat would otherwise have gone unnoticed is that they have an alert for randomly generated domains. It's using our web gateway information to look at domains that our users are going to. It has the ability to look at randomly generated domains and investigate what those are and if anyone actually submitted anything to them. Phishing domains are very popular and we have seen users clicking on phishing emails and going to randomly generated domains that are spoofing login sites. Those are things that we found that we hadn't seen in the past. The way that a Securonix is able to put a lot of the contextual information into the events is very helpful. That has reduced the amount of time required for investigating, "Hey, this might be something I need to look at," and then doing further research. It puts all of those violations in one event or case, so that you can look at different types of violations that all correlate. That has reduced the amount of time for researching some of those cases. It's dependent upon the scenario, but in some cases it could save an hour of going out and doing a bunch of individual searches. View full review »
Leader - Investigations, Insider Threat at a tech services company with 5,001-10,000 employees
The behavior analytics of Securonix has helped to prioritize advanced threats for us. We're still working through it, but it has helped. For example, it enables us to customize widgets, risk scores, and dashboards to identify what we want to see and gives us the ability to base the risk score on our business model and what we consider to be a high priority. While we would have detected the threats that we do without the solution, it helps us have a central point to manage and detect those threats. It would have taken a little bit more work or additional tools to identify them after the fact. For example, it helps us in identifying and detecting fraud in the early stages. The solution has decreased the time required to investigate alerts and threats because a lot of the data is in one console. We're not having to go to three or four different consoles. It also helps to surface high-risk events that require immediate action, such as identification of penetration testing. View full review »
SVP Insider Threat at a financial services firm with 10,001+ employees
It's helped identify risky and/or malicious behavior that otherwise would probably have been overlooked. An example would be flight-risk behavior, meaning employees who are planning to leave the firm and/or who are possibly exfiltrating data. It has identified alerts or threats that would not have originally been identified. While I wouldn't necessarily say it has surfaced high-risk events that require immediate action, but it has surfaced events that require action. View full review »
Learn what your peers think about Securonix Security Analytics. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
438,944 professionals have used our research since 2012.