Although security spending is at an all-time high, security breaches at major organizations are also at an all-time high. The reason, very simply stated, is that preventative controls, such as firewalls, intrusion prevention systems and antivirus mechanisms, aren't doing an efficient job of stopping or detecting breaches.
The call to action for security leaders is to increase the use of detective systems that can find evidence of a breach.
Much of the industry focus around increasing detection of attacks has been on finding otherwise unknown malware through methods such as file detonation, emulation or sandboxing. These methods, or ones like them, are effective and can improve an organization's security program; however, without more context or meaning around the event of detecting a new piece of malware, the information may be relegated to more security background noise. Security analytics platforms try to bring situational awareness to security events by gathering and analyzing a broader set of data, so that the events of relevance that pose the greatest harm to an organization are found and prioritized with greater accuracy.
When it comes to gathering masses of security data that can be analyzed to bring greater meaning to security events, security information and event management (SIEM) technologies are topping the list of likely solutions. While most SIEM products have the ability to collect, store and analyze security data, the meaning that can be pulled from a data store (such as the security data found in a SIEM) depends on how the data is reviewed.
User behavior analytics (UBA) is another example of security analytics that is already gaining buyer attention. UBA allows user activity to be analyzed, much in the same way a fraud detection system monitors a user's credit cards for theft. UBA systems are effective at detecting meaningful security events, such as compromised user accounts and rogue insiders. Although many UBA systems can analyze more data than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach.
As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. Today, information about hosts, networks, users and external actors is the most common data brought into an analysis. However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.
Analytics systems, on average, tend to do better analyzing lean, or metadata-like, data stores that allow them to produce interesting findings quickly, at near real-time speed. The challenge to this approach is that major security events, such as breaches, don't happen all at once. There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event. When these three things are looked at as a single incident that just happens to span, say, three months, the overall priority of this incident made up of lesser events is now much higher, which is why "look backs" are a key concept for analytics systems.
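As an added illustration of the look-back idea (this is example code, not from the article or from Gartner), the sketch below chains events on the same host that fall within a configurable window and scores the resulting incident; the hosts, timestamps, stage names and severities are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not from the article: (timestamp, host, stage, severity 1-5).
# Host "ws-042" shows a low-and-slow chain spread over roughly three months;
# host "ws-017" has one unrelated minor event.
SAMPLE_EVENTS = [
    ("2024-01-03T09:14:00", "ws-042", "early-indicator", 1),  # e.g. sandbox flags a new file
    ("2024-01-03T16:40:00", "ws-042", "minor-event", 2),      # odd outbound connection hours later
    ("2024-03-28T02:05:00", "ws-042", "data-leakage", 3),     # large upload months later
    ("2024-02-10T11:00:00", "ws-017", "minor-event", 2),      # isolated event on another host
]


def build_incident(entity, evs):
    """Score a chain of events on one entity. Priority is the summed severity
    multiplied by the number of distinct stages, so a chain that runs
    early-indicator -> minor-event -> data-leakage outranks any single event."""
    stages = {stage for _, _, stage, _ in evs}
    priority = sum(sev for _, _, _, sev in evs) * len(stages)
    return {
        "entity": entity,
        "events": len(evs),
        "stages": sorted(stages),
        "priority": priority,
        "span_days": (evs[-1][0] - evs[0][0]).days,
    }


def correlate_lookback(events, window_days):
    """Group events per entity and chain consecutive events whose gap is within
    window_days. A short window keeps the lesser events apart; a long look-back
    window merges them into one higher-priority incident."""
    window = timedelta(days=window_days)
    by_entity = defaultdict(list)
    for ts, host, stage, sev in events:
        by_entity[host].append((datetime.fromisoformat(ts), host, stage, sev))

    incidents = []
    for entity, evs in by_entity.items():
        evs.sort()  # chronological order; tuples sort by timestamp first
        current = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - current[-1][0] <= window:
                current.append(ev)
            else:
                incidents.append(build_incident(entity, current))
                current = [ev]
        incidents.append(build_incident(entity, current))
    return sorted(incidents, key=lambda inc: inc["priority"], reverse=True)
```

With a one-day window the ws-042 events yield two separate low-priority incidents; with a 90-day look-back they merge into one incident with the highest priority on the list.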
Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time. Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualization of that data will greatly affect adoption of the technology.
Eric Ahlm is a research director within the Security team at Gartner, Inc. Mr. Ahlm focuses on the fast-moving and disruptive trends that can impact multiple security markets, and on market factors such as convergence, growth, slowdowns, or changes in competitive landscapes due to emerging trends.