Dynatrace Security Analytics, a new solution on the Dynatrace platform, enables threat detection, forensics, and incident response using combined security and observability context across the full stack. Security analysts accelerate investigations with the Grail data lakehouse, executing lightning-fast queries across large volumes of observability and security data. With these insights, analysts can automate responses to security problems by creating data-driven workflows using AutomationEngine.
With up to 70% of security events going uninvestigated, security analysts need all the help they can get. After a security event, many organizations don’t know for months (or even years) when, why, or how it happened. This represents a significant risk: the same attack vector gets exploited repeatedly if a vulnerability is not resolved in time. The massive volumes of log data spanning the months, sometimes years, of a breach have made this a complicated and expensive problem to solve.
A traditional log-based SIEM approach to security analytics may have served organizations well in simpler on-premises environments. But this limited approach causes challenges in today’s hybrid multicloud reality. With the rising complexity of cloud-native environments, manual investigation and response are too slow and inaccurate. Teams must evolve to continuously create reliable, automated responses based on precise data-driven insights. Comprehensive datasets, including topology and runtime context, can make it easier to find the needle in the haystack and understand the significance of events and vulnerabilities.
Experience with the recent MOVEit vulnerability illustrated some of the key incomplete data challenges organizations face when trying to find definitive answers to questions like “were we exploited?” and “was any sensitive data stolen?” Relying only on logs to find indicators of compromise (IoC) is no longer effective, especially for application attacks, because logs simply don’t contain all the clues. As our experience with MOVEit shows, IoCs that remained hidden in logs alone quickly revealed themselves with observability runtime context data, such as metrics, traces, and spans.
Extending application security protection to Security Analytics
With Dynatrace Runtime Vulnerability Analytics, Dynatrace customers have reduced the amount of time and effort spent on identifying and prioritizing vulnerabilities in both custom code and third-party code. Additionally, Runtime Application Protection provides the ability to protect from attacks while giving development teams much-needed time to remediate these vulnerabilities.
Dynatrace Security Analytics now extends these capabilities by combining predictive and causal AI techniques to help security analysts and architects investigate suspected or detected attacks and create automated response workflows. Security Analytics combines Dynatrace platform capabilities (such as Grail data lakehouse and AutomationEngine) with analytics capabilities (such as Dynatrace Pattern Language (DPL) architect) that make life easier for security analysts.
In an industry first, customers can conduct threat detection, forensics, and incident response use cases based on a combined security and observability dataset enhanced by topology context. Grail can deal with any data, be it OpenTelemetry data or large-scale amounts of security data. Dynatrace OneAgent automatically discovers relevant observability and topology data across complex environments, which provides context and rich data. This is a differentiated and more evolved approach than simply using logs, maximizing the precision, breadth, and depth of insights.
Unknown unknowns: Unveiling the black swans of cybersecurity
Unknown unknowns, also known as “black swans” in the realm of cybersecurity, are the elusive and unforeseen threats that exist beyond the scope of our awareness. These lurking dangers pose a significant challenge to organizations, as they can’t be detected or addressed using traditional security measures alone. Unraveling these hidden threats requires a proactive and adaptive approach, leveraging advanced technologies and threat intelligence to uncover vulnerabilities and mitigate potential risks. Understanding the unknown unknowns is crucial in fortifying defenses and safeguarding against the unexpected.
Security Analytics and automation deal with unknown unknowns
With Security Analytics, analysts can explore the unknown unknowns, running queries manually in an ad hoc way or continuously using automation. This approach addresses classic security-driven log analysis and SIEM use cases, and includes threat hunting and looking for anomalies or IoCs.
- Observability (runtime) context: Utilizing contextualized observability data, you can combine traces, logs, and metrics with security events using AI-driven analysis. This combination elevates use cases that were historically conducted predominantly on log data alone. As a result, you can understand not only, for example, that someone accessed a database, but also where they came from, exactly what they accessed, and where they exported the data to, down to the exact database query statement.
- Automation: Automation plays a crucial role in dealing with the complexities and scale of cybersecurity. By automating routine tasks, such as data collection, analysis, and incident response, organizations can improve their ability to detect and respond to unknown unknowns in a timely manner. With automated processes, you can rapidly identify patterns, correlations, and deviations, allowing security teams to focus on investigating and mitigating emerging threats. Additionally, automation enables faster threat containment, reduces response times, and minimizes the potential for human error.
- Advanced analytics: Advanced analytics techniques, including causal Davis AI and generative AI, facilitate human interaction, enable organizations to analyze vast amounts of data, and extract valuable insights. By applying advanced analytics to security and contextualized observability data, organizations can uncover hidden patterns, trends, and anomalies that may indicate the presence of unknown unknowns that may go undetected by traditional security measures. Advanced analytics empowers organizations to detect and respond to emerging threats proactively, staying ahead of cyber adversaries.
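The kind of correlation the list above describes (a security event joined to the request trace that produced it, so that the source address, the exact database statement, and any outbound transfer are visible together) can be sketched in a few lines. The following is an added example, not Dynatrace code and not DPL; the spans and the security event are constructed sample data, and the attribute names follow OpenTelemetry semantic conventions (`net.peer.ip`, `db.statement`, `http.url`) except `db.rows_returned`, which is an assumed custom attribute used here to flag bulk reads.

```python
"""Join a security event to its trace and summarize what the request did.

Added example with constructed data; not part of the original post and not
Dynatrace code. The trace id on the security event is the join key, exactly
as a log line carrying a trace context would be joined to its spans.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Span:
    trace_id: str
    span_id: str
    parent_id: Optional[str]   # None marks the entry (root) span of the request
    name: str
    kind: str                  # OpenTelemetry span kind: "server" or "client"
    attrs: dict = field(default_factory=dict)


# Constructed sample trace for one inbound HTTP request (not real telemetry).
SPANS = [
    Span("trace-a1", "s1", None, "GET /api/export", "server",
         {"net.peer.ip": "203.0.113.45",
          "http.target": "/api/export?fmt=csv",
          "enduser.id": "svc-reporting"}),
    Span("trace-a1", "s2", "s1", "SELECT crm.customers", "client",
         {"db.system": "postgresql", "db.name": "crm",
          "db.statement": "SELECT email, ssn FROM customers",
          "db.rows_returned": 48213}),          # assumed custom attribute
    Span("trace-a1", "s3", "s1", "HTTP POST", "client",
         {"http.url": "https://files.example.net/upload",
          "http.request_content_length": 9_400_000}),
]

# Constructed security event that only carries the trace id of the request.
SECURITY_EVENT = {"trace_id": "trace-a1",
                  "rule": "suspicious-db-read", "severity": "high"}

# Pulls table names out of SQL statements; FROM/JOIN is enough for this sketch.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def correlate(event: dict, spans: list, row_threshold: int = 10_000) -> dict:
    """Return the runtime context for a security event.

    Looks up every span of the event's trace, then reports the caller
    (from the root span), the exact DB statements and tables touched, and
    any outbound HTTP calls the same request made. A read above
    row_threshold rows that is followed by an outbound transfer is marked
    as possible exfiltration for the analyst to review.
    """
    trace = [s for s in spans if s.trace_id == event["trace_id"]]
    if not trace:
        # Log-only situation: nothing to enrich with, say so explicitly.
        return {"trace_id": event["trace_id"], "found": False}

    entry = next((s for s in trace if s.parent_id is None), None)
    db_spans = [s for s in trace if "db.statement" in s.attrs]
    egress = [s for s in trace if s.kind == "client" and "http.url" in s.attrs]

    tables = sorted({m.group(1)
                     for s in db_spans
                     for m in TABLE_RE.finditer(s.attrs["db.statement"])})
    bulk_read = any(s.attrs.get("db.rows_returned", 0) >= row_threshold
                    for s in db_spans)

    return {
        "trace_id": event["trace_id"],
        "found": True,
        "source_ip": entry.attrs.get("net.peer.ip") if entry else None,
        "user": entry.attrs.get("enduser.id") if entry else None,
        "request": entry.attrs.get("http.target") if entry else None,
        "statements": [s.attrs["db.statement"] for s in db_spans],
        "tables": tables,
        "outbound": [s.attrs["http.url"] for s in egress],
        "bulk_read": bulk_read,
        "possible_exfiltration": bulk_read and bool(egress),
    }


if __name__ == "__main__":
    for key, value in correlate(SECURITY_EVENT, SPANS).items():
        print(f"{key:22} {value}")
```

The point of the sketch is the join, not the heuristics: once the security event and the spans share a trace id, the "who, what, where to" questions are answered from data the application emitted anyway, and the row-count threshold is just one cheap signal an analyst can tune.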
What can you do with Dynatrace Security Analytics?
Here are some samples of what you can do today with Dynatrace Security Analytics.
- Threat hunting: Dynatrace Security Analytics provides analysts with unique capabilities that enhance productivity by collaboratively investigating suspected attacks, automating response, and implementing proactive threat-hunting strategies. Notebooks enable teams to create playbooks to iteratively construct complex queries, review results, and refine them to quickly zoom in on IoCs. DPL (Dynatrace Pattern Language) simplifies extracting information out of varied log formats without needing to write complicated regex. Analysts can use AutomationEngine to continuously monitor and respond to IoCs.
- Incident response: Cost-effective, long-term data retention allows teams to go back in time for months or years to identify the root cause of an attack. The combination of data with retained context and lightning-fast queries empowers analysts to identify IoCs, reconstruct events, and determine next steps in record time. Analysts can leverage AutomationEngine to continuously monitor and respond to future attacks.
- Log storage and data retention: As regulations grow more stringent, data retention requirements and costs can quickly mount. Dynatrace Grail data lakehouse offers a scalable, affordable way to store data long term while keeping all data always available for dashboarding and analysis.
What’s next for Security Analytics?
Security Analytics with Davis® AI, the Grail data lakehouse, AutomationEngine, and Notebooks are all available for customers to use today.
In the coming months, we look forward to further enhancing analyst productivity with Davis CoPilot generative AI and security-specific user experiences. Davis CoPilot will enable natural language queries, suggest CISO dashboards to track progress, and auto-create security incident response workflows using AutomationEngine.
Leave the beaten path of traditional security tooling for a future with unified observability and security
Proactive incident response is based on understanding what’s happening at runtime, in real time, across the full stack by identifying suspicious activities that may lead to potential breaches. This modern approach puts security analysts in the driver’s seat. A coordinated organizational approach to patching vulnerabilities or initiating incident response before an actual breach occurs increases speed, reduces costs, and accelerates innovation. The overall reduced risk of falling victim to cyber-crime readies organizations utilizing Dynatrace’s unified observability and security platform for the projected increase in cyber-attacks.
Watch this breakout session from Perform 2024 to explore the transformative potential of full-stack observability in bolstering security analytics.