Alert Logic's Cloud Security Report: Data Deep Dive

In a recent article, we shared highlights from the latest Alert Logic Cloud Security Report. In this article, we want to drill into more detail on the data … what gets collected, how it gets collected, and how it gets analyzed so you can better understand what we’re discussing in our annual report.

What security data is collected

As we outlined in our last article, the data used in this report is from real-world security incidents captured from our customer environments that are secured via Alert Logic’s intrusion detection system (IDS). To break down the numbers:

  • The data is aggregated from more than 2,200 cloud and on-prem organizations that use Alert Logic solutions.
  • These organizations are based primarily in North America and Western Europe.
  • Over the 6-month period that we’re reporting on in the latest report, our correlation engine analyzed more than 1 billion events that produced 232,364 verified security incidents that our Security Operations Center (SOC) analyzed.

How the data is collected

All Alert Logic security solutions are delivered as Software-as-a-Service.  Security data is collected, analyzed, and correlated via our correlation engine. Alert Logic archives security incident data in our secure, multi-tenanted cloud. Today, we have over 3.4 petabytes of data under management and that amount is growing at approximately 150% per year.

To get from data collection to analysis (actionable intelligence), we follow this process:

  • Our IDS detects and sends events to our patented correlation engine. The correlation engine evaluates multiple factors to determine whether network-based events are authentic security incidents or false positives (noise).
  • Our IDS solution is constantly being updated with new signatures to detect the latest attacks. Our Threat Research team creates new signatures using multiple sources:
    • Their own research (the work that they did to learn about the malware used in the Target data breach is a good example of the in-depth research they perform)
    • Emerging threats research subscriptions
    • Open source, third-party collaboration
  • When the correlation engine detects an incident, it gets identified for human consideration by one of our security analysts to ensure validity, to confirm the threat, and then escalate to customers for remediation. All analysts are GIAC-certified (Global Information Assurance Certification) and many hold additional security certification.

How the data is analyzed
Incidents are categorized into six areas and all valid incidents are analyzed by our Threat Research team for this report. Incident categories are:

  • Malware/Botnet: Malicious software installed on a host
  • Brute Force: Exploit attacks
  • Vulnerability Scan: Automated vulnerability discovery
  • Web App Attack: Attacks targeting the presentation, logic or database layer of web apps
  • Recon: Ping sweeps
  • App Attack: Exploits against applications or services not running over HTTP protocol

We look at several metrics for each of these categories: the percentage of customers experiencing an attack of this type; the frequency with which these attacks occur; and we also look at the average number of attacks of each category customers receive. With this information, we share information to help people understand the probability of any given attack, the persistence of the attackers and also how sophisticated their security program needs to be to thwart a variety of attacks.

Hopefully that gives you a better understanding of the data behind our annual Cloud Security Report. If you’d like a copy, download it here. And if you have suggestions for additional data we could collect or report on, please let us know using the comments box below.