Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/15/2016
02:30 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Questions Security Leaders Need To Ask About Analytics

The game of 20 questions is a great way to separate vendors that meets your needs from those who will likely disappoint.

It would be an understatement to say that the security world tends to be full of hype and noise.  At times, it seems like vendors virtually xerox each other’s marketing materials. Everyone uses the same words, phrases, jargon, and buzzwords. This is a complicated phenomenon and there are many reasons why this is the case.

The more important issue is why security leaders find ourselves in this state. How can we make sense of all the noise, cut through all the hype, and make the informed decisions that will improve the security of our respective organizations? One answer is by making precise, targeted, and incisive inquiries at the outset. Let’s start with a game of 20 questions. Our first technology focus: analytics.

Analytics is a topic near and dear to my heart, one with tremendous potential for information security. It seems that everyone is talking about analytics these days, specifically, security analytics. With so much buzz around security analytics, how can organizations understand what true analytical capabilities exist in a potential solution and determine whether or not those capabilities meet their needs? While certainly not an exhaustive list, here are 20 questions to help with that assessment:

  1. What problem(s) are you trying to solve? This may seem like an obvious question, but have you ever tried asking a potential vendor what problem or problems they’re trying to solve? Perhaps you will receive a clear, concise, and straightforward answer. Or, perhaps you will receive an answer that will leave you wondering if this particular vendor has any real-word understanding, operational experience, and/or deployments. 
  2. If you get an answer that make sense, does it describe a problem you are looking to solve?
  3. What data do vendors operate on? Even the greatest analytics and algorithms in the world need data to operate on; not just any data of course, but the specific data that the various analytics and algorithms were designed to work with. 
  4. Does the vendor you’re considering leverage data that you have readily available or can easily collect? 
  5. How difficult is it to get that data to the vendor for processing and analysis? 
  6. What additional bandwidth usage will you incur moving data around? 
  7. What additional cost requirements will you encounter when looking to retain the right amount of data to produce the desired results? 
  8. Will the solution be able to scale to the volume of data you need?
  9. What is the signal-to-noise ratio? 
  10. What are the costs/benefits in terms of your security organization’s efficiency, effectiveness, and workflow? 
  11. What is the cost of polluting the workflow with a large number of low fidelity, nonactionable, noisy alerts? This noise adds to the organization’s daily workload while simultaneously detracting from its ability to focus on the signal it needs to focus on.  Analytics often promise the benefit of detecting the previously undetectable. In reality, that benefit varies by solution. 
  12. What is the cost in terms of efficiency and resource-allocation of introducing a ton of noise into the environment versus the potential benefit of additional detections that an analytics solution may provide? Additional detection capabilities can quickly get washed away by a sea of false positives.
  13. How does the solution integrate into your workflow? 
  14. How open are you to introducing another tool or layer of complexity into your security workflow? 
  15. Do you need an analytics solution to integrate seamlessly into your workflow without requiring the team to learn additional skills or review additional consoles? 
  16. What amount of overhead in terms of people, process, and technology does an analytics solution require in order to function properly? 
  17. How complex is the solution to deploy and how much customization is required to get the solution up and running?
  18. What methodologies does the approach use? Lots of people like to talk about data mining and machine learning when they talk about analytics. But does a potential vendor really leverage data mining and machine learning? The dirty little secret in the analytics field is that while many solutions talk about data mining and machine learning, some of them rely on signatures and triggers behind the scenes.
  19. What will I get out of an analytics solution on a daily basis? 
  20. Will it provide me with additional detection events of interest or high fidelity jumping off points for hunting?

I believe that the data we collect on a daily basis is a treasure trove that packs powerful analytics potential. But like anything, it pays to ask the right questions. Our game of 20 questions is one strategy to very quickly separate the security analytics vendors who meets your needs from the ones who will likely disappoint.

Related Content: 

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye.  Prior to joining nPulse, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
seoweavers
100%
0%
seoweavers,
User Rank: Strategist
9/19/2016 | 4:03:17 AM
Thanks

 

A debt of gratitude is in order for imparting this best stuff to us! Continue sharing! I am new in the website writing. All sorts online journals and posts are not useful for the readers. Here the writer is giving great musings and recommendations to every last per users through this article. Quality of the substance is the principle component of the site and this is the method for composing and presenting. Waiting for again magnificent sites or posts.

 

COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25159
PUBLISHED: 2020-11-24
499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
CVE-2020-25654
PUBLISHED: 2020-11-24
An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went throu...
CVE-2020-28329
PUBLISHED: 2020-11-24
Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.
CVE-2020-29053
PUBLISHED: 2020-11-24
HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.
CVE-2020-25640
PUBLISHED: 2020-11-24
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.