1/15/2014
11:50 PM

5 Surprising Security Gains Achieved From Security Analytics

Getting the most out of big data sets and seemingly unrelated security information

As more CISOs begin to lean on data scientists to discover new threats in security feeds, and increasingly more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics. Most evident among them is a broader and deeper visibility into IT security data sources, which, in turn, offers a better understanding of security risks and faster response times.

But as security programs mature their analytics practices, they often find themselves surprised at the discrete benefits they start seeing from programmatic exploration of security-related data feeds. Here are just a few of the top positive surprises.

1. Uncover Data Leaks You'd Never Guess You Had
One of the first jolts that security analytics programs may give your organization is concrete evidence of data leaks it never before suspected were happening.

"The one that comes up regularly is that they discover leaks that have been ongoing for some time," says Matthew Gardiner, senior product marketing manager for RSA.

As he explains, this may not even necessarily be a leak at the hands of some kind of complicated nation-state spying or even data that's being stolen by a crime syndicate.

"They're just leaks caused by data moving out of the enterprises to places the organization didn't know about, didn't expect, and maybe doesn't like," he explains. "The question then is figuring out what to do about that flow of data at that point."

2. Sniff Out Questions You Didn't Know Needed Asking Before
The huge amount of unstructured data pumped out by IT infrastructure and security tools makes it difficult for security analysts to even begin querying that data for answers to common questions about the organization's risk posture. The simple act of organizing an analytics program to answer those obvious questions may turn up unexpected returns, as other patterns emerge that answer questions the team never thought to ask.

"Often companies may not know exactly what they are looking for or what exact problem they want to solve before the data is stored and made accessible," says Dan Hubbard, CTO of OpenDNS. "Analytics can uncover security intelligence and capabilities that we would otherwise have no way of knowing is possible."

What's more, the visualization of those trends can also help better communicate risks to the business and start collaboration with business leaders who may start to come up with their own important questions to be answered based on data that was never as accessible without analytics.

"They start to ask good questions, so it gives a different perspective on not only what you should be looking at, but how you should be looking at it," says Ron Schlecht, managing partner for security service provider BTB Security. "It's a good way to collaborate with different business leaders, and it starts to pull together why security is important to the overall organization."

3. Make Connections Between Data Sources You Might Not Have Made Before
Often security analytics programs will start making associations between data sources that a security team may have never uncovered on its own.

"Most security analytics programs require feeding data from multiple sources into a single engine for processing to look at patterns and anomalies," says Corey Lanum, general manager for North America at Cambridge Intelligence. "When I'm working with customers who are loading in data from disparate sources, they will often immediately see connections between individual data elements that were previously stored in different databases and had no connection."

For example, one police agency his firm worked with extended its security analytics engine to information sources about offenders and crime, with everything from 911 call records to jail records and the like.

"After loading in their crime reports and pawn shop records, we immediately started to see connections," Lanum says. "It was immediately obvious that stolen property was being sold at pawn shops in the same general neighborhood of the theft. We generated leads on several burglaries on the first day we were using the software."

This kind of modeling translates easily to finding connections between disparate parts of the network, different departments' information, and so on.

4. Discover Operational IT Issues You Never Knew Were There
The benefits of security analytics programs may well extend beyond IT security and bleed into IT operations as well. In many cases, the modeling and dot-connecting performed on security data can uncover IT operational problems that could impact availability, workflow, and efficiency departmentwide.

"One benefit that has surprised many companies is that the security analytics have also helped find operational IT issues, likely due to the sheer volume of information and depth of insight that can be gained with a proper analytics program," Schlecht says.

For example, when Schlecht worked in-house years ago, he found that a new analytics program not only helped identify security issues but was also able to pinpoint development issues in the company's applications that were draining many hours of troubleshooting from its dev team. A look at application and security event logs for something completely unrelated ended up helping to spot the root cause of the development frustration.

5. Find Policy Violations You Didn't Know Were Happening
Another beneficial surprise offered up by analytics, one that can often be a bit of a double-edged sword, is the discovery of policy violations across the organization. They won't always be malicious, but they're there, and the difficult thing is that once the team has seen these violations, it can't unsee them, no matter how inconvenient the response may be.

"You hear about rogue cloud services, and with analytics you'll see they're very real," Gardiner says. "It's beneficial because you have better visibility, but you can't be an ostrich once you see it. You have to do something about it and make the determination of whether it's important, and whether you have to investigate it and respond."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
