
Stumbling Blocks That Faceplant Security Analytics Programs

Understanding the people and process problems that get in the way of analytics effectiveness

While much of the focus on emerging security analytics programs fixates on the data science, algorithms, and technology that make it all possible, people and process play as much of a role in analytics as they do in any other facet of security. Many organizations are learning that lesson the hard way, as they find process-oriented impediments standing in the way of security analytics success.

The following are some of the common organizational mistakes that trip up enterprises.

Organizational silos block data flows
To get the full benefit out of a mature security analytics program, data scientists need to get their hands on a lot of contextual business data and IT operational data that doesn't come from security devices.

"Don't underestimate the importance of functional collaboration," says Jessica Gulick, chief strategist for Global Cyber solutions at CSG International. "Accurately correlating security data with business and IT analytics will promote a well-rounded approach."

Unfortunately, organizational structure can greatly impede the free flow of data.

"There's often these silos in larger organizations where the people who run the firewall or run the vulnerability scan, they might not even be in the security group, they're operations," says John Pescatore, director of emerging trends at SANS Institute. "Then the threat analytics guys are in the security group and they're using totally different tools and the data found in the other silos never get banged into each other."

First things first: collaboration will be necessary to achieve security analytics lift-off.

"The fact that the systems that generate much of the data to be analyzed are not managed by the infosec team means that infosec teams must develop and maintain close relationships with the teams that do manage the systems that create the data," says Andrew Wild, CSO for Qualys, citing other systems the security team will need feeds from, such as Active Directory, network switches and routers, and the physical access card readers on doors.

"Most enterprises are composed of lots and lots of departments that have access to data. There isn't just one group that owns all that data," agrees Chris Berry, vice president of information and data analytics for Hexis Cyber Solutions. "Whoever is running the security practice has to engage these other stakeholders or subject matter experts to figure out how to get the data set up and get it delivered."


Poor data governance
Not only does effective analysis depend on the right types of data, but it also requires that the data be of a high quality. Issues with incomplete data, duplicate data, and data in inaccessible formats can all contribute to problems when it comes time to interrogate data sets.

"Companies should have a data governance or information management process in place to ensure the data is clean," says Tamir Hardof, senior director of product marketing for Juniper Networks. "The need to assess the risk uniquely for every transaction requires a complete and comprehensive set of data provided in real-time based on both user behavior and fixed attributes like user role and device location."

This requires thoughtful aggregation and data configuration, and also the use of common communication protocols to help with data normalization.

"When working in a multi-vendor environment, the only way an organization has visibility into the device, network traffic, and application is if their network uses common communication protocols in order to provide the information in a usable manner," Hardof says.
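The two sections above make a concrete engineering point without showing it: data from different silos (firewall, vulnerability scanner, badge readers) arrives in different formats and timestamp conventions, and some of it is duplicated or incomplete. The following is an added example, not code or data from the article or from any vendor quoted in it. It pulls three constructed record formats (a syslog-style firewall line, a CSV vulnerability-scan export, and JSON-lines badge events with epoch timestamps) into one common schema, quarantines records that lack any identifying field instead of silently dropping them, removes exact duplicates, and then produces a cross-source timeline for one IP address. The schema field names, the log formats, and every address and hostname are assumptions made for illustration.

```python
"""Normalise heterogeneous security telemetry into one schema.

Added example with constructed sample data; the formats, field names,
hosts and addresses are assumptions, not taken from the article.
"""
import csv
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from io import StringIO
from typing import List, Optional, Tuple

# --- Constructed sample records, one format per silo --------------------
# Operations team's firewall (syslog-style, ISO timestamps). Line 2 is an
# exact duplicate of line 1, as happens when a log forwarder retries.
FIREWALL_SYSLOG = """\
<134>2015-07-02T10:01:05Z fw01 kernel: DROP src=10.1.2.3 dst=203.0.113.9 proto=TCP dpt=445
<134>2015-07-02T10:01:05Z fw01 kernel: DROP src=10.1.2.3 dst=203.0.113.9 proto=TCP dpt=445
<134>2015-07-02T10:02:17Z fw01 kernel: ACCEPT src=10.1.2.7 dst=198.51.100.4 proto=TCP dpt=443
"""

# Vulnerability scanner export (CSV). Row 2 has neither host nor IP and is
# therefore incomplete: it cannot be joined to anything.
VULN_SCAN_CSV = """\
host,ip,plugin,severity,first_seen
srv-files-01,10.1.2.3,SMBv1 enabled,High,2015-07-01T22:14:00Z
,,TLS weak cipher,Medium,2015-07-01T22:15:30Z
"""

# Facilities badge readers (JSON lines, epoch-second timestamps).
BADGE_JSON_LINES = """\
{"ts": 1435831120, "door": "DC-EAST", "user": "jdoe", "result": "granted"}
{"ts": 1435831202, "door": "DC-EAST", "user": "jdoe", "result": "granted"}
"""


@dataclass(frozen=True)  # frozen => hashable, so exact duplicates dedupe via a set
class Event:
    ts: str             # ISO-8601 UTC, the one timestamp format every source is mapped to
    source: str         # which silo the record came from
    kind: str           # normalised event type, "<source>.<outcome>"
    ip: Optional[str]
    asset: Optional[str]
    user: Optional[str]
    detail: str


SYSLOG_RE = re.compile(
    r"^<\d+>(\S+) (\S+) \S+ (DROP|ACCEPT) src=(\S+) dst=(\S+) proto=(\S+) dpt=(\d+)$"
)


def parse_firewall(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unknown line shape; a real pipeline would count these
        ts, host, action, src, dst, proto, dpt = m.groups()
        events.append(Event(ts, "firewall", "fw." + action.lower(), src, host, None,
                            f"{proto}/{dpt} -> {dst}"))
    return events


def parse_vuln_scan(text: str) -> List[Event]:
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append(Event(row["first_seen"], "vuln_scan", "vuln." + row["severity"].lower(),
                            row["ip"] or None, row["host"] or None, None, row["plugin"]))
    return events


def parse_badge(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        # Epoch seconds -> the common ISO-8601 UTC format.
        ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, "badge", "badge." + rec["result"], None, rec["door"],
                            rec["user"], "physical access"))
    return events


def normalise() -> Tuple[List[Event], List[str]]:
    """Merge all sources; return (accepted events sorted by time, rejection reasons)."""
    raw = parse_firewall(FIREWALL_SYSLOG) + parse_vuln_scan(VULN_SCAN_CSV) + parse_badge(BADGE_JSON_LINES)
    seen, accepted, rejected = set(), [], []
    for ev in raw:
        if not (ev.ip or ev.asset or ev.user):
            # Incomplete: keep a record of what was dropped rather than losing it silently.
            rejected.append(f"{ev.source}: no ip/asset/user in {ev.detail!r}")
            continue
        if ev in seen:
            continue  # exact duplicate
        seen.add(ev)
        accepted.append(ev)
    accepted.sort(key=lambda e: e.ts)  # safe: all timestamps share one format
    return accepted, rejected


def timeline(ip: str) -> List[Event]:
    """Cross-silo view of one address: the correlation the article argues for."""
    accepted, _ = normalise()
    return [e for e in accepted if e.ip == ip]


if __name__ == "__main__":
    accepted, rejected = normalise()
    print(f"{len(accepted)} events accepted, {len(rejected)} rejected: {rejected}")
    for e in timeline("10.1.2.3"):
        print(e.ts, e.kind, e.asset, e.detail)
```

Running it shows the scanner's "SMBv1 enabled" finding for 10.1.2.3 sitting next to the firewall's later drop of inbound TCP/445 to the same host, which is only visible once both silos land in the same schema; the duplicated firewall line collapses to one event and the scanner row with no host or IP is reported rather than discarded.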

Magical thinking
A lack of focus in how a program is first designed and grandiose expectations can doom security analytics initiatives from the start.

"Another impediment to an effective security analytics program is overly broad, unrealistic goals and expectations," Wild says. "Organizations looking to start an effective security analytics program should ensure that initial objectives are limited and achievable."

The problem is that the big data buzz has lured some into thinking that analytics is magic, Pescatore warns.

"This term big data got overhyped and introduced the idea that security analytics means feed every possible piece of data into something and at the bottom out comes security answers," he says.

Instead, security practitioners must first start with the difficult questions that they want answered and design their analysis processes around those.

"Big data analytics projects that anticipate the incisive questions that enterprises ask of the data and provide timely and accurate answers generally fare better than those that do not," says Joshua Goldfarb, CSO for nPulse Technologies, explaining that analytics reports built on these smart questions invariably provide more value than those that have no questions to focus them.

No people or processes in place to act on analysis
All too often, organizations sink money into security analytics initiatives only to find that the investment doesn't effect much change in how security is practiced, Pescatore says.

"The project ends up resulting in a nice dashboard display or a cool thing to talk about after an attack gets through," he says. "But this really is an investment you want to make that helps you say, 'Of all the possible things I could do in security, please tell me which one I should do first.'"

That is why organizations must identify the intended end users of the analysis before setting up a process to crunch the data: these are the people who will actually consume the insights being generated, explains Ryan Stolte, CTO of Bay Dynamics. "By starting with the potential end-users and understanding their ultimate goals and frustrations, a security analytics program can be founded with the mindset of helping these audiences be more efficient and effective," he says. "Without an end-user that will directly apply the results of a security analytics program, there is no practical reason to invest in collecting and retaining large volumes of data that may not provide any practical benefit to the business."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
