Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/15/2016
02:30 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Questions Security Leaders Need To Ask About Analytics

The game of 20 questions is a great way to separate vendors that meets your needs from those who will likely disappoint.

It would be an understatement to say that the security world tends to be full of hype and noise.  At times, it seems like vendors virtually xerox each other’s marketing materials. Everyone uses the same words, phrases, jargon, and buzzwords. This is a complicated phenomenon and there are many reasons why this is the case.

The more important issue is why security leaders find ourselves in this state. How can we make sense of all the noise, cut through all the hype, and make the informed decisions that will improve the security of our respective organizations? One answer is by making precise, targeted, and incisive inquiries at the outset. Let’s start with a game of 20 questions. Our first technology focus: analytics.

By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons
By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons

Analytics is a topic near and dear to my heart, one with tremendous potential for information security. It seems that everyone is talking about analytics these days, specifically, security analytics. With so much buzz around security analytics, how can organizations understand what true analytical capabilities exist in a potential solution and determine whether or not those capabilities meet their needs? While certainly not an exhaustive list, here are 20 questions to help with that assessment:

  1. What problem(s) are you trying to solve? This may seem like an obvious question, but have you ever tried asking a potential vendor what problem or problems they’re trying to solve? Perhaps you will receive a clear, concise, and straightforward answer. Or, perhaps you will receive an answer that will leave you wondering if this particular vendor has any real-word understanding, operational experience, and/or deployments. 
  2. If you get an answer that make sense, does it describe a problem you are looking to solve?
  3. What data do vendors operate on? Even the greatest analytics and algorithms in the world need data to operate on; not just any data of course, but the specific data that the various analytics and algorithms were designed to work with. 
  4. Does the vendor you’re considering leverage data that you have readily available or can easily collect? 
  5. How difficult is it to get that data to the vendor for processing and analysis? 
  6. What additional bandwidth usage will you incur moving data around? 
  7. What additional cost requirements will you encounter when looking to retain the right amount of data to produce the desired results? 
  8. Will the solution be able to scale to the volume of data you need?
  9. What is the signal-to-noise ratio? 
  10. What are the costs/benefits in terms of your security organization’s efficiency, effectiveness, and workflow? 
  11. What is the cost of polluting the workflow with a large number of low fidelity, nonactionable, noisy alerts? This noise adds to the organization’s daily workload while simultaneously detracting from its ability to focus on the signal it needs to focus on.  Analytics often promise the benefit of detecting the previously undetectable. In reality, that benefit varies by solution. 
  12. What is the cost in terms of efficiency and resource-allocation of introducing a ton of noise into the environment versus the potential benefit of additional detections that an analytics solution may provide? Additional detection capabilities can quickly get washed away by a sea of false positives.
  13. How does the solution integrate into your workflow? 
  14. How open are you to introducing another tool or layer of complexity into your security workflow? 
  15. Do you need an analytics solution to integrate seamlessly into your workflow without requiring the team to learn additional skills or review additional consoles? 
  16. What amount of overhead in terms of people, process, and technology does an analytics solution require in order to function properly? 
  17. How complex is the solution to deploy and how much customization is required to get the solution up and running?
  18. What methodologies does the approach use? Lots of people like to talk about data mining and machine learning when they talk about analytics. But does a potential vendor really leverage data mining and machine learning? The dirty little secret in the analytics field is that while many solutions talk about data mining and machine learning, some of them rely on signatures and triggers behind the scenes.
  19. What will I get out of an analytics solution on a daily basis? 
  20. Will it provide me with additional detection events of interest or high fidelity jumping off points for hunting?

I believe that the data we collect on a daily basis is a treasure trove that packs powerful analytics potential. But like anything, it pays to ask the right questions. Our game of 20 questions is one strategy to very quickly separate the security analytics vendors who meets your needs from the ones who will likely disappoint.

Related Content: 

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye.  Prior to joining nPulse, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
seoweavers
100%
0%
seoweavers,
User Rank: Strategist
9/19/2016 | 4:03:17 AM
Thanks

 

A debt of gratitude is in order for imparting this best stuff to us! Continue sharing! I am new in the website writing. All sorts online journals and posts are not useful for the readers. Here the writer is giving great musings and recommendations to every last per users through this article. Quality of the substance is the principle component of the site and this is the method for composing and presenting. Waiting for again magnificent sites or posts.

 

Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36289
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...