Analytics
1/15/2014
11:50 PM

5 Surprising Security Gains Achieved From Security Analytics

Getting the most out of big data sets and seemingly unrelated security information

As more CISOs begin to lean on data scientists to discover new threats in security feeds, and increasingly more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics. Most evident among them is a broader and deeper visibility into IT security data sources, which, in turn, offers a better understanding of security risks and faster response times.

But as security programs mature their analytics practices, they are often surprised by the specific benefits that emerge from programmatic exploration of security-related data feeds. Here are a few of the top positive surprises.

1. Uncover Data Leaks You'd Never Guess You Had
One of the first jolts that security analytics programs may give your organization is concrete evidence of data leaks it never before suspected were happening.

"The one that comes up regularly is that they discover leaks that have been ongoing for some time," says Matthew Gardiner, senior product marketing manager for RSA.

As he explains, this may not even necessarily be a leak at the hands of some kind of complicated nation-state spying or even data that's being stolen by a crime syndicate.

"They're just leaks caused by data moving out of the enterprises to places the organization didn't know about, didn't expect, and maybe doesn't like," he explains. "The question then is figuring out what to do about that flow of data at that point."

2. Sniff Out Questions You Didn't Know Needed Asking Before
The huge amount of unstructured data pumped out by IT infrastructure and security tools makes it difficult for security analysts to even begin querying that data for answers to common questions about the organization's risk posture. The simple act of organizing an analytics program to answer those obvious questions may turn up unexpected returns, as other patterns emerge that answer questions the team may never have thought to ask.

"Often companies may not know exactly what they are looking for or what exact problem they want to solve before the data is stored and made accessible," says Dan Hubbard, CTO of OpenDNS. "Analytics can uncover security intelligence and capabilities that we would otherwise have no way of knowing is possible."

What's more, the visualization of those trends can also help better communicate risks to the business and start collaboration with business leaders who may start to come up with their own important questions to be answered based on data that was never as accessible without analytics.

"They start to ask good questions, so it gives a different perspective on not only what you should be looking at, but how you should be looking at it," says Ron Schlecht, managing partner for security service provider BTB Security. "It's a good way to collaborate with different business leaders, and it starts to pull together why security is important to the overall organization."

3. Make Connections Between Data Sources You Might Not Have Made Before
Often security analytics programs will start making associations between data sources that a security team may have never uncovered on its own.

"Most security analytics programs require feeding data from multiple sources into a single engine for processing to look at patterns and anomalies," says Corey Lanum, general manager for North America at Cambridge Intelligence. "When I'm working with customers who are loading in data from disparate sources, they will often immediately see connections between individual data elements that were previously stored in different databases and had no connection."

For example, one police agency his firm worked with extended its security analytics engine to information sources about offenders and crime, drawing on everything from 911 call records to jail records and the like.

"After loading in their crime reports and pawn shop records, we immediately started to see connections," Lanum says. "It was immediately obvious that stolen property was being sold at pawn shops in the same general neighborhood of the theft. We generated leads on several burglaries on the first day we were using the software."

This kind of modeling translates directly to finding connections between disparate parts of the network, between different departments' information, and so on. The key is a shared attribute (an IP address, a user name, a time window, a location) that lets records from one source be matched against records from another.
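As an added illustration of linking two sources that were never designed to be joined (this is example code written for this page, not software from Cambridge Intelligence or the agency described above), the block below joins a DHCP lease log, which says which host held an IP address and when, to a firewall connection log, which only knows source IPs. Both logs are constructed samples in an assumed format; the host names and addresses are placeholders. The point it makes is that the join has to be time-aware: the same IP is leased to two different machines during the day, so a naive IP-to-host lookup would blame the wrong host for the large outbound SSH transfer.

```python
"""Join a DHCP lease log (IP -> host, with lease start time) to a firewall
connection log (source IP -> destination) so each connection is attributed
to the host that actually held the IP at that moment.
Added example with constructed data; both log formats are assumptions."""
import bisect
import re
from collections import defaultdict

# Constructed sample DHCP lease log: timestamp, IP, host name (assumed format).
DHCP_LEASES = """\
2014-01-13T08:01:00 lease 10.0.5.21 assigned to WS-FINANCE-07
2014-01-13T12:30:00 lease 10.0.5.21 assigned to LAPTOP-CONTRACTOR
2014-01-13T09:15:00 lease 10.0.5.44 assigned to WS-HR-02
"""

# Constructed sample firewall log: outbound connections keyed by source IP.
FW_CONNECTIONS = """\
2014-01-13T08:45:10 src=10.0.5.21 dst=203.0.113.9 dport=443 bytes_out=52000
2014-01-13T13:05:33 src=10.0.5.21 dst=198.51.100.77 dport=22 bytes_out=8100000
2014-01-13T10:02:01 src=10.0.5.44 dst=203.0.113.9 dport=443 bytes_out=1200
"""

LEASE_RE = re.compile(r"^(\S+) lease (\S+) assigned to (\S+)$")
CONN_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")


def parse_leases(text):
    """Return {ip: ([lease start timestamps], [hosts])}, both sorted by time."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            ts, ip, host = m.groups()
            per_ip[ip].append((ts, host))
    return {ip: ([t for t, _ in sorted(v)], [h for _, h in sorted(v)])
            for ip, v in per_ip.items()}


def host_at(leases, ip, ts):
    """Host that held `ip` at time `ts`: the latest lease starting at or
    before ts. ISO-8601 timestamps compare correctly as strings."""
    if ip not in leases:
        return None
    times, hosts = leases[ip]
    i = bisect.bisect_right(times, ts)
    return hosts[i - 1] if i else None


def attribute_connections(lease_text, conn_text):
    """Join each firewall record to the host that owned its source IP then."""
    leases = parse_leases(lease_text)
    records = []
    for line in conn_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts, src, dst, dport, nbytes = m.groups()
        records.append({"time": ts, "host": host_at(leases, src, ts), "src": src,
                        "dst": dst, "dport": int(dport), "bytes_out": int(nbytes)})
    return records


def hosts_per_destination(records):
    """Which hosts talked to each external destination: the cross-source
    link that only becomes visible once both logs sit in one engine."""
    links = defaultdict(set)
    for r in records:
        links[r["dst"]].add(r["host"])
    return dict(links)


if __name__ == "__main__":
    recs = attribute_connections(DHCP_LEASES, FW_CONNECTIONS)
    for r in recs:
        print(f"{r['time']} {r['host']} ({r['src']}) -> {r['dst']}:{r['dport']} "
              f"{r['bytes_out']} bytes")
    print(hosts_per_destination(recs))
```

Run as-is, the 8.1 MB SSH transfer at 13:05 is attributed to LAPTOP-CONTRACTOR, not to WS-FINANCE-07, which held 10.0.5.21 earlier that morning; a join on IP alone would have said the opposite. In a real deployment the same `host_at` lookup would be driven by DHCP, VPN or NAT logs with lease end times as well, and the destination-to-host map would feed a graph or table view rather than a print statement.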

4. Discover Operational IT Issues You Never Knew Were There
The benefits of security analytics programs may well extend beyond IT security and bleed into IT operations as well. In many cases, the modeling and dot-connecting performed on security data can uncover IT operational problems that could impact availability, workflow, and efficiency departmentwide.

"One benefit that has surprised many companies is that the security analytics have also helped find operational IT issues, likely due to the sheer volume of information and depth of insight that can be gained with a proper analytics program," Schlecht says.

For example, when Schlecht worked in-house years ago, he found that a new analytics program not only helped identify security issues but was also able to pinpoint development issues in the company's applications that were draining many hours of troubleshooting from its dev team. A look at application and security event logs for something completely unrelated ended up helping to spot the root cause of the development frustration.

5. Find Policy Violations You Didn't Know Were Happening
Another beneficial surprise offered up by analytics, one that can often be a bit of a double-edged sword, is the discovery of policy violations across the organization. They won't always be malicious, but they're there, and the difficult thing is that once the team has seen these violations, it can't unsee them, no matter how inconvenient the response may be.

"You hear about rogue cloud services, and with analytics you'll see they're very real," Gardiner says. "It's beneficial because you have better visibility, but you can't be an ostrich once you see it. You have to do something about it and make the determination of whether it's important, and whether you have to investigate it and respond."
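The two surprises Gardiner describes, data flowing to places the organization did not expect (item 1) and rogue cloud services showing up in the data (this item), come from the same analytic: baseline where data normally goes, then look at what is new or unsanctioned. The block below is an added example written for this page, not RSA's or any vendor's code. It runs over a constructed proxy log in an assumed format; the host names, the stand-in URL-categorisation set and the 1 MB reporting threshold are all assumptions to be replaced with the organisation's own feeds and tolerances.

```python
"""Egress baselining over a proxy log: report destinations in the observation
window that are (a) cloud-storage services the business has not sanctioned or
(b) never seen in the baseline window and already receiving real volume.
Added example; log format, host names and categorisation sets are assumptions."""
from collections import defaultdict

# Constructed sample proxy log, one request per line:
#   date  user  destination_host  bytes_out
PROXY_LOG = """\
2014-01-06 alice crm.example.com 120000
2014-01-06 bob mail.example.com 40000
2014-01-07 alice crm.example.com 98000
2014-01-08 carol files.sanctioned-cloud.example 3000000
2014-01-13 alice crm.example.com 110000
2014-01-13 bob share.unsanctioned-cloud.example 250000000
2014-01-14 dave paste.unknown-host.example 6000000
2014-01-14 carol files.sanctioned-cloud.example 2800000
"""

# Hypothetical stand-in for a URL-categorisation feed: hosts known to be
# file-sharing / cloud-storage services, and the subset the business approved.
CLOUD_STORAGE_HOSTS = {"files.sanctioned-cloud.example",
                       "share.unsanctioned-cloud.example"}
SANCTIONED_HOSTS = {"files.sanctioned-cloud.example"}

# Bytes a never-before-seen destination must receive before it is reported
# (assumed threshold; tune to the environment's normal outbound volumes).
NEW_DEST_BYTES = 1000000


def parse_proxy_log(text):
    """Yield (date, user, host, bytes_out); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        date, user, host, bytes_out = parts
        yield date, user, host, int(bytes_out)


def analyze(log_text, baseline_end):
    """Split the log at baseline_end (ISO dates compare as strings): lines on
    or before it form the baseline, later lines are the observation window.
    Returns {host: {"bytes", "users", "reasons"}} for flagged hosts only."""
    baseline_hosts = set()
    observed = defaultdict(lambda: {"bytes": 0, "users": set()})
    for date, user, host, bytes_out in parse_proxy_log(log_text):
        if date <= baseline_end:
            baseline_hosts.add(host)
        else:
            observed[host]["bytes"] += bytes_out
            observed[host]["users"].add(user)

    findings = {}
    for host, stats in observed.items():
        reasons = []
        if host in CLOUD_STORAGE_HOSTS and host not in SANCTIONED_HOSTS:
            reasons.append("unsanctioned cloud storage")
        if host not in baseline_hosts and stats["bytes"] >= NEW_DEST_BYTES:
            reasons.append(f"new destination above {NEW_DEST_BYTES} bytes")
        if reasons:
            findings[host] = {"bytes": stats["bytes"],
                              "users": stats["users"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, f in sorted(analyze(PROXY_LOG, "2014-01-12").items()):
        print(f"{host}: {f['bytes']} bytes from {sorted(f['users'])}; "
              + "; ".join(f["reasons"]))
```

On the sample data the sanctioned file service and the CRM host are silent, while the unsanctioned sharing service (250 MB from one user in a day) and a host nobody had contacted during the baseline week both surface. Once a finding like that exists it has to be triaged, which is exactly the "can't be an ostrich" problem Gardiner describes: the analytic decides what to look at, not what to do about it.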


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
