Too Much Security Data Or Not Enough?

Addressing the paradox of security analytics challenges

As security gurus and professional surveys try to examine the stumbling blocks that await organizations seeking to mature their security analytics programs, enterprises' complaints seem to be at odds with one another. On one hand, organizations say they have too much security data and too many types of data to sift through and analyze in a timely fashion. On the other hand, they also say they don't have enough data on hand to make analytics-based security decisions.

So what gives? According to some experts, the seeming contradiction may well be the cracks showing in the old model of collecting security information and analyzing it in aggregate through traditional tools like log management and security information and event management (SIEM).

"I remember the days where as security professionals we would have to go out and specifically ask for more and more data. Well, now we have it," says Dave Shackleford, principal consultant for Voodoo Security and a SANS analyst. "We have a lot of types of data. You have all these various formats, not all of which are natively compatible with your SIEM platform."


Just recently, SANS released the results of its security analytics survey, an iteration of what was once its annual log management survey. As it found in years past, organizations rely heavily on log management and SIEM platforms that can't handle the deluge of data fed into them, Shackleford says. At the same time, when the survey asked participants what their biggest challenges were in discovering and following up on attacks, they said the top problem was a gap in security data that they needed.

"Hands down, it was not getting some of the right data. So we still feel like we're missing some of the key data sets in our environments, even with the deluge of the data that we have," Shackleford says, explaining that organizations also said they lacked system or vulnerability awareness and the context around the data that would let them recognize what normal looks like. "Without those, it is very difficult to tell that bigger, better story around what's happening in your infrastructure, and that's exactly the type of problem that analytics platforms are looking and trying to solve."

Part of the reason why organizations are finding they're contending with too much data and not enough data at the same time is because they're collecting in an upside-down process, says Ryan Stolte, CTO of Bay Dynamics.

"The bad assumption is that we should start with the data and focus on aggregating it and bringing it all into the same repository. When you start just by grabbing whatever data you can find and then hoping to get insight out of it later, it's a long, expensive process and an upside-down approach," he says.

Instead, organizations should be asking business and security questions first and looking for the data that will help answer them.

"You have to know what questions you're trying to ask before you start going out and fetching data for it," he says. "People have spent a tremendous amount of money consolidating data and never had a plan for what they were going to do with it."

In the same vein, Stolte says that organizations have a hard time acting on data, even if it is the right information, when they rely too heavily on SIEM.

"It's a common mistake trying to aggregate everything through SIEM. But it is only giving you one perspective and very commonly ends up being a black hole of information that is not actionable," he says.
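The two points above, start from the questions rather than from the data, and do not let the SIEM become a repository nobody can act on, can be turned into a concrete coverage check. The following is an added example, not code from the article or from either company quoted in it: each question a team wants answered is modelled with the data sources it strictly requires and the context sources that make the answer actionable, and that list is compared with what is currently forwarded to the SIEM. The output shows both halves of the paradox in one report: sources that are collected but answer no question, and questions that are blocked by a single missing feed. All question texts, source names and the collection inventory are constructed for the example.

```python
"""Question-first coverage check for security analytics data sources (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    text: str
    required: frozenset                   # sources without which the question cannot be answered
    context: frozenset = frozenset()      # enrichment that turns a hit into something actionable


# Constructed questions a team might agree on before collecting anything.
QUESTIONS = [
    Question("Which hosts talked to a newly registered domain in the last 24h?",
             required=frozenset({"dns_query", "proxy"}),
             context=frozenset({"asset_inventory"})),
    Question("Did any account authenticate from two countries within an hour?",
             required=frozenset({"vpn_auth", "idp_auth"}),
             context=frozenset({"hr_directory"})),
    Question("Which internet-facing hosts run software with an open critical CVE?",
             required=frozenset({"vuln_scan", "asset_inventory"})),
    Question("Which service accounts logged on interactively this week?",
             required=frozenset({"windows_security", "idp_auth"})),
]

# Constructed inventory of what is currently shipped to the SIEM.
COLLECTED = frozenset({"dns_query", "proxy", "vpn_auth", "firewall", "netflow",
                       "windows_security", "antivirus"})


def coverage_report(questions, collected):
    """Classify every question (answerable / blocked) and every collected source (used / unused)."""
    answerable, blocked, missing_context = [], {}, {}
    referenced = set()
    for q in questions:
        referenced |= q.required | q.context
        missing = sorted(q.required - collected)
        if missing:
            blocked[q.text] = missing          # "not enough data": a required feed is absent
            continue
        answerable.append(q.text)
        ctx_gap = sorted(q.context - collected)
        if ctx_gap:
            missing_context[q.text] = ctx_gap  # answerable, but the hit lacks context
    return {
        "answerable": answerable,
        "blocked": blocked,
        "missing_context": missing_context,
        # "too much data": collected feeds that no agreed question ever consults
        "unused": sorted(collected - referenced),
    }


def ranked_gaps(questions, collected):
    """Missing required sources, ordered by how many questions each one would unblock."""
    counts = Counter(src for q in questions for src in q.required - collected)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    report = coverage_report(QUESTIONS, COLLECTED)
    for key in ("answerable", "blocked", "missing_context", "unused"):
        print(f"{key}: {report[key]}")
    print("onboard next:", ranked_gaps(QUESTIONS, COLLECTED))
```

With the constructed inventory, one question is answerable (but without asset context), three are blocked, three collected feeds serve no question at all, and `ranked_gaps` shows that onboarding the identity-provider log alone would unblock two of the three. Running the same check against a real inventory gives a defensible answer to "what should we stop collecting, and what should we onboard next" before any more data is poured into the SIEM.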

According to Shackleford, SANS has seen organizations seek to move beyond just SIEM to analyze data and shift into more robust analytics techniques and platforms.

"We definitely see trends and the market is ready for this -- people have this need for analytics and intelligence wrapped together in these larger data sets," he says, explaining that at the same time only about 10 percent of organizations are confident in their intelligence and analytics capabilities. "Most people are still using traditional techniques, still using log management and SIEM platforms to pull all this together. So I say today analytics is still pretty much in its infancy. There's a lot of room for growth."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

Peter Fretty, User Rank: Moderator, 11/14/2013 | 4:00:46 PM
re: Too Much Security Data Or Not Enough?
Not sure there is such a thing as too much. It's more a matter of whether or not organizations are collecting and analyzing the right data. It's data that helps ensure protections (i.e. UTM appliances, firewalls, etc.) are adequate to overcome the risks.

Peter Fretty, User Rank: Apprentice, 10/9/2013 | 7:09:59 PM
re: Too Much Security Data Or Not Enough?
An organization will need a lot of resources to shift to develop/use analytics techniques. Seems it's pretty much something for large organizations.