05:42 PM
Connect Directly

Too Much Security Data Or Not Enough?

Addressing the paradox of security analytics challenges

As security gurus and professional surveys try to examine the stumbling blocks that await organizations seeking to mature their security analytics programs, enterprises' complaints seem to be at odds with one another. On one hand, organizations say they have too much security data and too many types of data to sift through and analyze in a timely fashion. On the other hand, they also say they don't have enough data on hand to make analytics-based security decisions.

So what gives? According to some experts, the seeming contradiction may well be the cracks showing in the old model of collecting security information and aggregate analysis through traditional tools like log management and security information and event management (SIEM).

"I remember the days where as security professionals we would have to go out and specifically ask for more and more data. Well, now we have it," says Dave Shackleford, principal consultant for Voodoo Security and a SANS analyst. "We have a lot of types of data. You have all these various formats, not all of which are natively compatible with your SIEM platform."

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

Just recently, SANS released the results of its security analytics survey, an iteration of what was once its annual log management survey. As it found in years past, organizations rely heavily on log management and SIEM platforms that can't handle the deluge of data fed into them, Shackleford says. At the same time, when the survey asked participants what their biggest challenges were in discovering and following up on attacks, they said the top problem was a gap in security data that they needed.

"Hands down, it was not getting some of right data. So we still feel like we're missing some of the key data sets in our environments, even with the deluge of the data that we have," Shackleford says, explaining that organizations also said they lacked system or vulnerability awareness and context around the data to observe normal data. "Without those, it is very difficult to tell that bigger, better story around what's happening in your infrastructure, and that's exactly the type of problem that analytics platforms are looking and trying to solve."

Part of the reason why organizations are finding they're contending with too much data and not enough data at the same time is because they're collecting in an upside-down process, says Ryan Stolte, CTO of Bay Dynamics.

"The bad assumption is that we should start with the data and focus on aggregating it and bring in it all into the same repository. When you start just by grabbing whatever data you can find and then hoping to get insight out of it later, it's a long, expensive process and an upside-down approach," he says.

Instead, organizations should be asking business and security questions first and looking for the data that will help answer them.

"You have to know what questions you're trying to ask before you start going out and fetching data for it," he says. "People have spent a tremendous amount of money consolidating data and never had a plan for what they were going to do it."

In the same vein, Stolte says that organizations have a hard time acting on data, even if it is the right information, when they rely too heavily on SIEM.

"It's a common mistake trying to aggregate everything through SIEM. But it is only giving you one perspective and very commonly ends up being a black hole of information that is not actionable," he says.

According to Shackleford, SANS has seen organizations seek to move beyond just SIEM to analyze data and shift into more robust analytics techniques and platforms.

"We definitely see trends and the market is ready for this -- people have this need for analytics and intelligence wrapped together in these larger data sets," he says, explaining that at the same time only about 10 percent of organizations are confident in their intelligence and analytics capabilities. "Most people are still using traditional techniques, still using log management and SIEM platforms to pull all this together. So I say today analytics is still pretty much in its infancy. There's a lot of room for growth."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Moderator
11/14/2013 | 4:00:46 PM
re: Too Much Security Data Or Not Enough?
Not sure there is such as thing as too much. It's more a matter of whether or not organizations are collecting and analyzing the right data. It's data that helps insure protections (i.e. UTM appliances, firewalls, etc.) are adequate to overcome the risks.

Peter Fretty
User Rank: Apprentice
10/9/2013 | 7:09:59 PM
re: Too Much Security Data Or Not Enough?
An organization will need a lot of resources to shift to develop/use analytics techniques. Seems it's pretty much something for large organizations.
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.