Stumbling Blocks That Faceplant Security Analytics Programs

Understanding the people and process problems that get in the way of analytics effectiveness

While much of the focus on emerging security analytics programs tends to fixate on the data science, algorithms, and technology that make it all possible, people and process play as much of a role in analytics as they do in any other facet of security. Many organizations today are learning that lesson the hard way, as they find process-oriented impediments standing in the way of security analytics success.

The following are some of the common organizational mistakes that trip up enterprises.

Organizational silos block data flows
To get the full benefit out of a mature security analytics program, data scientists need to get their hands on a lot of contextual business data and IT operational data that doesn't come from security devices.

"Don't underestimate the importance of functional collaboration," says Jessica Gulick, chief strategist for Global Cyber solutions at CSG International. "Accurately correlating security data with business and IT analytics will promote a well-rounded approach."

Unfortunately, organizational structure can greatly impede the free flow of data.

"There's often these silos in larger organizations where the people who run the firewall or run the vulnerability scan, they might not even be in the security group, they're operations," says John Pescatore, director of emerging trends at SANS Institute. "Then the threat analytics guys are in the security group and they're using totally different tools and the data found in the other silos never get banged into each other."

First things first: collaboration will be necessary to achieve security analytics lift-off.

"The fact that the systems that generate much of the data to be analyzed are not managed by the infosec team means that infosec teams must develop and maintain close relationships with the teams that do manage the systems that create the data," says Andrew Wild, CSO for Qualys, explaining other examples of systems they'll need feeds from such as Active Directory information, network switches and routers, and physical access card readers on doors.

"Most enterprises are composed of lots and lots of departments that have access to data. There isn't just one group that owns all that data," agrees Chris Berry, vice president of information and data analytics for Hexis Cyber Solutions. "Whoever is running the security practice has to engage these other stakeholders or subject matter experts to figure out how to get the data set up and get it delivered."

[Are you getting the most out of your security data? See 8 Effective Data Visualization Methods For Security Teams.]

Poor data governance
Not only does effective analysis depend on the right types of data, but it also requires that the data be of a high quality. Issues with incomplete data, duplicate data, and data in inaccessible formats can all contribute to problems when it comes time to interrogate data sets.

"Companies should have a data governance or information management process in place to ensure the data is clean," says Tamir Hardof, senior director of product marketing for Juniper Networks. "The need to assess the risk uniquely for every transaction requires a complete and comprehensive set of data provided in real-time based on both user behavior and fixed attributes like user role and device location."

This requires thoughtful aggregation and data configuration, and also the use of common communication protocols to help with data normalization.

"When working in a multi-vendor environment, the only way an organization has visibility into the device, network traffic, and application is if their network uses common communication protocols in order to provide the information in a usable manner," Hardof says.

Magical thinking
A lack of focus in how a program is first designed and grandiose expectations can doom security analytics initiatives from the start.

"Another impediment to an effective security analytics program is overly broad, unrealistic goals and expectations," Wild says. "Organizations looking to start an effective security analytics program should ensure that initial objectives are limited and achievable."

The problem is that the big data buzz has lured some into thinking that analytics is magic, Pescatore warns.

"This term big data got overhyped and introduced the idea that security analytics means feed every possible piece of data into something and at the bottom out comes security answers," he says.

Instead, security practitioners must first start with the difficult questions that they want answered and design their analysis processes around those.

"Big data analytics projects that anticipate the incisive questions that enterprises ask of the data and provide timely and accurate answers generally fare better than those that do not," says Joshua Goldfarb, CSO for nPulse Technologies, explaining that analytics reports built on these smart questions invariably provide more value than those that have no questions to focus them.

No people or processes in place to act on analysis
All too often, organizations sink money into security analytics initiatives only to find that it doesn't effect much change in how security is practiced, Pescatore says.

"The project ends up resulting in a nice dashboard display or a cool thing to talk about after an attack gets through," he says. "But this really is an investment you want to make that helps you say, 'Of all the possible things I could do in security, please tell me which one I should do first.'"

Which is why it is crucial for organizations to first identify the potential end-users of the analysis before setting up a process to crunch said information. These are the established consumers of the insights being generated, explains Ryan Stolte, CTO of Bay Dynamics. "By starting with the potential end-users and understanding their ultimate goals and frustrations, a security analytics program can be founded with the mindset of helping these audiences be more efficient and effective," he says. "Without an end-user that will directly apply the results of a security analytics program, there is no practical reason to invest in collecting and retaining large volumes of data that may not provide any practical benefit to the business."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
