05:42 PM
Connect Directly

Too Much Security Data Or Not Enough?

Addressing the paradox of security analytics challenges

As security gurus and professional surveys try to examine the stumbling blocks that await organizations seeking to mature their security analytics programs, enterprises' complaints seem to be at odds with one another. On one hand, organizations say they have too much security data and too many types of data to sift through and analyze in a timely fashion. On the other hand, they also say they don't have enough data on hand to make analytics-based security decisions.

So what gives? According to some experts, the seeming contradiction may well be the cracks showing in the old model of collecting security information and aggregate analysis through traditional tools like log management and security information and event management (SIEM).

"I remember the days where as security professionals we would have to go out and specifically ask for more and more data. Well, now we have it," says Dave Shackleford, principal consultant for Voodoo Security and a SANS analyst. "We have a lot of types of data. You have all these various formats, not all of which are natively compatible with your SIEM platform."

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

Just recently, SANS released the results of its security analytics survey, an iteration of what was once its annual log management survey. As it found in years past, organizations rely heavily on log management and SIEM platforms that can't handle the deluge of data fed into them, Shackleford says. At the same time, when the survey asked participants what their biggest challenges were in discovering and following up on attacks, they said the top problem was a gap in security data that they needed.

"Hands down, it was not getting some of right data. So we still feel like we're missing some of the key data sets in our environments, even with the deluge of the data that we have," Shackleford says, explaining that organizations also said they lacked system or vulnerability awareness and context around the data to observe normal data. "Without those, it is very difficult to tell that bigger, better story around what's happening in your infrastructure, and that's exactly the type of problem that analytics platforms are looking and trying to solve."

Part of the reason why organizations are finding they're contending with too much data and not enough data at the same time is because they're collecting in an upside-down process, says Ryan Stolte, CTO of Bay Dynamics.

"The bad assumption is that we should start with the data and focus on aggregating it and bring in it all into the same repository. When you start just by grabbing whatever data you can find and then hoping to get insight out of it later, it's a long, expensive process and an upside-down approach," he says.

Instead, organizations should be asking business and security questions first and looking for the data that will help answer them.

"You have to know what questions you're trying to ask before you start going out and fetching data for it," he says. "People have spent a tremendous amount of money consolidating data and never had a plan for what they were going to do it."

In the same vein, Stolte says that organizations have a hard time acting on data, even if it is the right information, when they rely too heavily on SIEM.

"It's a common mistake trying to aggregate everything through SIEM. But it is only giving you one perspective and very commonly ends up being a black hole of information that is not actionable," he says.

According to Shackleford, SANS has seen organizations seek to move beyond just SIEM to analyze data and shift into more robust analytics techniques and platforms.

"We definitely see trends and the market is ready for this -- people have this need for analytics and intelligence wrapped together in these larger data sets," he says, explaining that at the same time only about 10 percent of organizations are confident in their intelligence and analytics capabilities. "Most people are still using traditional techniques, still using log management and SIEM platforms to pull all this together. So I say today analytics is still pretty much in its infancy. There's a lot of room for growth."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Moderator
11/14/2013 | 4:00:46 PM
re: Too Much Security Data Or Not Enough?
Not sure there is such as thing as too much. It's more a matter of whether or not organizations are collecting and analyzing the right data. It's data that helps insure protections (i.e. UTM appliances, firewalls, etc.) are adequate to overcome the risks.

Peter Fretty
User Rank: Apprentice
10/9/2013 | 7:09:59 PM
re: Too Much Security Data Or Not Enough?
An organization will need a lot of resources to shift to develop/use analytics techniques. Seems it's pretty much something for large organizations.
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Microsegmentation: Strong Security in Small Packages
Avishai Wool, Co-Founder and CTO at AlgoSec,  4/12/2018
7 Non-Financial Data Types to Secure
Curtis Franklin Jr., Senior Editor at Dark Reading,  4/14/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.