Dark Reading is part of the Informa Tech Division of Informa PLC

Vulnerabilities / Threats

9/15/2016
02:30 PM
Joshua Goldfarb
Commentary

20 Questions Security Leaders Need To Ask About Analytics

The game of 20 questions is a great way to separate vendors that meet your needs from those that will likely disappoint.

It would be an understatement to say that the security world tends to be full of hype and noise. At times, it seems like vendors virtually xerox each other’s marketing materials. Everyone uses the same words, phrases, jargon, and buzzwords. This is a complicated phenomenon, and there are many reasons why this is the case.

The more important issue is why we, as security leaders, find ourselves in this state. How can we make sense of all the noise, cut through all the hype, and make the informed decisions that will improve the security of our respective organizations? One answer is by making precise, targeted, and incisive inquiries at the outset. Let’s start with a game of 20 questions. Our first technology focus: analytics.

Analytics is a topic near and dear to my heart, one with tremendous potential for information security. It seems that everyone is talking about analytics these days, specifically, security analytics. With so much buzz around security analytics, how can organizations understand what true analytical capabilities exist in a potential solution and determine whether or not those capabilities meet their needs? While certainly not an exhaustive list, here are 20 questions to help with that assessment:

  1. What problem(s) are you trying to solve? This may seem like an obvious question, but have you ever tried asking a potential vendor what problem or problems they’re trying to solve? Perhaps you will receive a clear, concise, and straightforward answer. Or, perhaps you will receive an answer that will leave you wondering if this particular vendor has any real-world understanding, operational experience, and/or deployments.
  2. If you get an answer that makes sense, does it describe a problem you are looking to solve?
  3. What data do vendors operate on? Even the greatest analytics and algorithms in the world need data to operate on; not just any data of course, but the specific data that the various analytics and algorithms were designed to work with.
  4. Does the vendor you’re considering leverage data that you have readily available or can easily collect?
  5. How difficult is it to get that data to the vendor for processing and analysis?
  6. What additional bandwidth usage will you incur moving data around?
  7. What additional cost requirements will you encounter when looking to retain the right amount of data to produce the desired results?
  8. Will the solution be able to scale to the volume of data you need?
  9. What is the signal-to-noise ratio?
  10. What are the costs/benefits in terms of your security organization’s efficiency, effectiveness, and workflow?
  11. What is the cost of polluting the workflow with a large number of low-fidelity, nonactionable, noisy alerts? This noise adds to the organization’s daily workload while simultaneously detracting from its ability to focus on the signal it needs to focus on. Analytics often promise the benefit of detecting the previously undetectable. In reality, that benefit varies by solution.
  12. What is the cost in terms of efficiency and resource allocation of introducing a ton of noise into the environment versus the potential benefit of additional detections that an analytics solution may provide? Additional detection capabilities can quickly get washed away by a sea of false positives.
  13. How does the solution integrate into your workflow?
  14. How open are you to introducing another tool or layer of complexity into your security workflow?
  15. Do you need an analytics solution to integrate seamlessly into your workflow without requiring the team to learn additional skills or review additional consoles?
  16. What amount of overhead in terms of people, process, and technology does an analytics solution require in order to function properly?
  17. How complex is the solution to deploy, and how much customization is required to get the solution up and running?
  18. What methodologies does the approach use? Lots of people like to talk about data mining and machine learning when they talk about analytics. But does a potential vendor really leverage data mining and machine learning? The dirty little secret in the analytics field is that while many solutions talk about data mining and machine learning, some of them rely on signatures and triggers behind the scenes.
  19. What will I get out of an analytics solution on a daily basis?
  20. Will it provide me with additional detection events of interest or high-fidelity jumping-off points for hunting?

I believe that the data we collect on a daily basis is a treasure trove that packs powerful analytics potential. But like anything, it pays to ask the right questions. Our game of 20 questions is one strategy to very quickly separate the security analytics vendors that meet your needs from the ones that will likely disappoint.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
Comments
seoweavers,
User Rank: Strategist
9/19/2016 | 4:03:17 AM
Thanks
A debt of gratitude is in order for imparting this best stuff to us! Continue sharing! I am new in the website writing. All sorts online journals and posts are not useful for the readers. Here the writer is giving great musings and recommendations to every last per users through this article. Quality of the substance is the principle component of the site and this is the method for composing and presenting. Waiting for again magnificent sites or posts.