Security Analytics Taxonomy

There’s a lot of buzz about, and interest in, security analytics. Security teams and vendors are exploring anything and everything that will accelerate threat detection and remediation, and ‘analytics’ intuitively feels like something organizations should be doing more. With the average breach taking 200+ days to detect, it sure seems like there’s room for improvement.

The challenge is nearly every security vendor has integrated ‘analytics’ into their message, so now we’re right back where we started – how do we determine what’s what? There’s even some disagreement among industry analysts, some say analytics is the next big thing in security while others say it’s been part of our solutions for years and therefore is nothing new.

Due to increasing interest from so many of our customers, FireMon commissioned Forrester to survey security organizations about their challenges, current data analysis tools and plans for security analytics. John Kindervag, a principal analyst with Forrester, and I discussed the findings in depth in this webinar, but the essence of the report is: 1) growing complexity has created new challenges in detecting and responding to threats; 2) existing data analysis solutions (i.e. SIEM) have major shortcomings; and 3) there’s growing interest in security analytics to reduce risk by accelerating detection and response.

In response, the security and IT management industries have integrated analytics into messaging and materials. Even if it’s nothing more than relabeling their existing report section to better match a prospective customer’s keyword search.

Reviewing a definition for analytics shows how the subject can be so broadly defined and interpreted. Data Analytics is the discovery and communication of meaningful patterns in IT data to improve IT and business processes. The patterns can identify changes, differences and inconsistencies that indicate an existing incident, elevated security risk or operational inefficiencies.

Such a broad and general definition forces security teams to devote significant time and effort to explore analytics products and technologies. Without a structured taxonomy to communicate their needs and evaluate solutions, we hear questions like “do you offer a dashboard?” Dashboards are built for a predefined list of questions that aren’t available for the new and unusual. Here is an analytics taxonomy that segments solutions into two specific and actionable categories to ensure organizations can prioritize the security analytics solutions they’re investigating.

Analytics for the Known – Analytics for the known include key performance indicators (KPIs) for infrastructure and services like Internet bandwidth, trouble ticket volume and application performance graphed over time. This information is commonly consumed through a dashboard, something we’ve had for years. And while there continue to be advancements, the business impact is largely incremental.

Analytics for the Unknown – The biggest net new opportunity for analytics to impact the security and operational efficiency of the business is discovering the unknown – the issues that aren’t displayed in a dashboard. We’ve heard phrases like “I need answers, but I don’t know the questions to ask.” While this might seem like hyperbole, it’s a real challenge. All the questions thousands of incredibly smart security professionals) have imagined over the years are embodied in today’s security systems (i.e. firewalls, anti-virus, intrusion detection, malware detection, etc.) and yet the adversary still finds a way in… We need answers, especially when the questions aren’t obvious.

The people that are able to find the answers without knowing the questions are in limited supply. They need tools to navigate large volumes of data, highlight relationships, groups, outliers and changes with previous observations as context. Any progress in identifying characteristics, anomalies and changes that enables businesses to find answers to the elusive security and operational incidents is potentially transformational for security teams. It needs to be fast and easy enough for our security subject matter experts (SMEs) to use without becoming data scientists.

In future posts, we’ll explore the challenges in requiring our SMEs to become data scientists to perform data discovery and exploration. We’ll also discuss the benefits of correlating security policy/configuration information with network, system and application data.