9/15/2016
02:30 PM
Joshua Goldfarb
Commentary

20 Questions Security Leaders Need To Ask About Analytics

The game of 20 questions is a great way to separate vendors that meet your needs from those that will likely disappoint.

It would be an understatement to say that the security world tends to be full of hype and noise. At times, it seems like vendors virtually xerox each other’s marketing materials. Everyone uses the same words, phrases, jargon, and buzzwords. This is a complicated phenomenon, and there are many reasons why this is the case.

The more important issue is what we as security leaders do now that we find ourselves in this state. How can we make sense of all the noise, cut through all the hype, and make the informed decisions that will improve the security of our respective organizations? One answer is to make precise, targeted, and incisive inquiries at the outset. Let’s start with a game of 20 questions. Our first technology focus: analytics.

By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons

Analytics is a topic near and dear to my heart, one with tremendous potential for information security. It seems that everyone is talking about analytics these days, specifically, security analytics. With so much buzz around security analytics, how can organizations understand what true analytical capabilities exist in a potential solution and determine whether or not those capabilities meet their needs? While certainly not an exhaustive list, here are 20 questions to help with that assessment:

  1. What problem(s) are you trying to solve? This may seem like an obvious question, but have you ever tried asking a potential vendor what problem or problems they’re trying to solve? Perhaps you will receive a clear, concise, and straightforward answer. Or perhaps you will receive an answer that will leave you wondering whether this particular vendor has any real-world understanding, operational experience, and/or deployments.
  2. If you get an answer that makes sense, does it describe a problem you are looking to solve?
  3. What data do vendors operate on? Even the greatest analytics and algorithms in the world need data to operate on; not just any data, of course, but the specific data that the various analytics and algorithms were designed to work with.
  4. Does the vendor you’re considering leverage data that you have readily available or can easily collect?
  5. How difficult is it to get that data to the vendor for processing and analysis?
  6. What additional bandwidth usage will you incur moving data around?
  7. What additional cost requirements will you encounter when looking to retain the right amount of data to produce the desired results?
  8. Will the solution be able to scale to the volume of data you need?
  9. What is the signal-to-noise ratio?
  10. What are the costs/benefits in terms of your security organization’s efficiency, effectiveness, and workflow?
  11. What is the cost of polluting the workflow with a large number of low-fidelity, non-actionable, noisy alerts? This noise adds to the organization’s daily workload while simultaneously detracting from its ability to focus on the signal it needs to focus on. Analytics often promise the benefit of detecting the previously undetectable. In reality, that benefit varies by solution.
  12. What is the cost, in terms of efficiency and resource allocation, of introducing a ton of noise into the environment versus the potential benefit of the additional detections that an analytics solution may provide? Additional detection capabilities can quickly get washed away by a sea of false positives.
  13. How does the solution integrate into your workflow?
  14. How open are you to introducing another tool or layer of complexity into your security workflow?
  15. Do you need an analytics solution to integrate seamlessly into your workflow without requiring the team to learn additional skills or review additional consoles?
  16. What amount of overhead in terms of people, process, and technology does an analytics solution require in order to function properly?
  17. How complex is the solution to deploy, and how much customization is required to get the solution up and running?
  18. What methodologies does the approach use? Lots of people like to talk about data mining and machine learning when they talk about analytics. But does a potential vendor really leverage data mining and machine learning? The dirty little secret in the analytics field is that while many solutions talk about data mining and machine learning, some of them rely on signatures and triggers behind the scenes.
  19. What will I get out of an analytics solution on a daily basis?
  20. Will it provide me with additional detection events of interest or high-fidelity jumping-off points for hunting?

I believe that the data we collect on a daily basis is a treasure trove that packs powerful analytics potential. But like anything, it pays to ask the right questions. Our game of 20 questions is one strategy to very quickly separate the security analytics vendors that meet your needs from the ones that will likely disappoint.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...

Comments
seoweavers, User Rank: Strategist
9/19/2016 | 4:03:17 AM
Thanks
A debt of gratitude is in order for imparting this best stuff to us! Continue sharing! I am new to website writing. Not all online journals and posts are useful for the readers. Here the writer is giving great musings and recommendations to every last user through this article. Quality of the substance is the principal component of the site, and this is the method for composing and presenting. Waiting again for magnificent sites or posts.