Security analytics has gotten a lot of attention in the industry the last few years. That’s not surprising. After all, security analytics can help organizations:
- Transition from reactive threat firefighting to proactive security risk management.
- Exploit all available security data to develop better insights and priorities.
- Maximize the effectiveness of limited and over-stretched security resources.
- Extract more value from existing security investments.
What is surprising is the degree of skepticism about security analytics that has been emerging. We saw this at this year’s RSA Conference. Maybe it’s because all the previous hype made security analytics seem like a plug-and-play panacea, and organizations’ actual security analytics experiences did not measure up.
We wanted to know why. SAS sponsored research with Ponemon Institute to evaluate organizations’ security analytics experiences – where they have succeeded and where they have met with roadblocks.
Ponemon surveyed 621 IT and IT security practitioners involved with security analytics in their organizations. Most had personally been using security analytics, and the overwhelming majority of those organizations had fully implemented solutions.
Some of the key findings explain why organizations have found their security analytics experiences challenging.
Most were already under the gun from the start
When asked what prompted adoption of security analytics, 68 percent of survey respondents said it came after they had been hit by an intrusion or cyberattack, 58 percent said it was triggered by concerns about becoming a victim of a successful intrusion or cyberattack, and 44 percent were responding to compliance demands.
No matter how swiftly they could implement security analytics, they were behind the game from the start.
Their security analytics experiences got off to a rocky start
More than half of respondents said it was “difficult” or “very difficult” to deploy security analytics in their organizations. The top complaints:
- “Out of the box” proved not to be; 56 percent of respondents said their packaged solutions required extensive adjustment and tuning.
- Organizations were inundated with data yet scrambling for it. Fifty-one percent of respondents said there was too much data to deal with, yet 45 percent said they had issues getting access to the required data.
Data deficiencies persist
When asked to identify up to four of the most critical barriers to success, 65 percent pointed to data challenges, the top response. Respondents had concerns about data quality, data integration, data volume, access to data from elsewhere in the organization – and to a lesser extent, about data velocity, complexity, storage, latency and variety.
With questionable or insufficient data going into the process, even the best security analytics can’t deliver the best results.
Where security analytics did score big
Many present-day security analytics tools are reducing the number of false positives, which in turn reduces futile work for analysts. Most respondents reported having difficulty seeing and stopping anomalous traffic before implementing security analytics; that number dropped by half after implementation.
Overall, organizations are benefiting from security analytics; 61 percent consider security analytics critical to their cyber defenses, and 71 percent expect to expand its use over the next year.
Four keys to success
With a few changes to the game plan, organizations can have better security analytics experiences. The Ponemon Institute report offers three recommendations to pave the way:
- Be proactive. Don’t wait until your organization has a serious cyberattack to explore security analytics. By proactively adopting security analytics to complement your existing defenses, you have time to figure out how it will best fit into workflows.
- Focus on data first. Determine up front how the data is to be sourced, how often it’s available, with what provisions for data quality and integration, how you will use the data, and what level of detail will be stored for how long.
- Get insights when you need them. “When it comes to seeing security threats in your network, every second counts,” states the Ponemon report. “As revealed in this study, respondents say they prefer to have solutions that analyze data and present updated results in real-time or every few minutes.”
We would add one more strategy: Embrace multi-layered, advanced analytics. While there was some doubt expressed at this year’s RSA Conference about machine learning, 74 percent of Ponemon survey respondents “agree” or “strongly agree” that machine learning is beneficial.
Machine learning automates analytical model building. As models are exposed to new data, the algorithms independently get smarter, learning from previous iterations and delivering more accurate results. It’s easy to see the value of machine learning to keep pace with evolving cyber threats.
For more information on organizations’ security analytics experiences, read When Seconds Count: How Security Analytics Improves Cybersecurity Defenses.
And for more information on data management in cybersecurity, read Stronger Cybersecurity Starts with Data Management.