A lifecycle approach to security analytics
Where organizations stand, what needs to change and how to go about it
By Stu Bradley, Vice President of Cybersecurity Solutions, SAS
Against a constantly shifting cyberthreat landscape, many organizations are tackling the challenge of security analytics with niche tools, out-of-the-box analytics, incomplete or subpar data, and ad hoc processes. But the result is going to disappoint.
A January 2017 Ponemon Institute report based on a survey of 621 IT and IT security practitioners found some disheartening realities about how organizations are positioned to defend against cyberattacks. Some key findings:
- There is high reliance on internally developed tools. Half of the organizations use in-house tools with a data lake, even though such tools lack the adaptability and scalability to handle evolving cyberthreats.
- “Out-of-the-box” solutions are anything but. Fifty-six percent of respondents said their packaged solutions required extensive configuration and adaptation before they could be used.
- Data is a fundamental challenge. Half of respondents said they struggled with too much data, and 45 percent said they had issues with data quality or getting all the data they needed.
The inherent challenges of security analytics
Security analytics is a complex proposition. Take a look at the top objectives named by respondents in the Ponemon survey:
- Detect security events in progress.
- Conduct forensics on past security events.
- Provide advance warning about potential internal and external threats and attackers.
- Prioritize alerts, security threats and vulnerabilities.
These objectives are all very different – and they each bring different data into play. That speaks to the breadth and depth of analytics sophistication needed for an organization to develop all the right capabilities. Success requires a confluence of different analytics disciplines but also a carefully plotted road map to mature security analytics competency. With such a road map, organizations can make the most of limited security personnel.
The Ponemon research tells us this has not been happening. For the most part, organizations have not done well aligning their security solutions to objectives – or at least have had trouble succeeding at it. For example, detection capabilities don’t measure up to expectations for all four of the most important security tasks respondents cited – data exfiltration, adversary reconnaissance, adversary lateral movement and insider threats. Even where current security solutions are showing the most promise – such as for detecting account compromise, malware and privilege escalation – they are only doing the job for 40 to 50 percent of respondents.
These results raise the issue that current security analytics approaches have not been effective, and the market needs to rethink traditional approaches to the data and analytics.
When Seconds Count: How Security Analytics Improves Cybersecurity Defenses
With more organizations adopting security analytics as part of their cybersecurity strategies, Ponemon Institute conducted survey research to determine the experience and impact to security postures. The report concludes the findings from the research, with citations on deployment, use and effectiveness of these solutions.
Ponemon Institute Report
A lifecycle approach to security analytics
The Ponemon report is a call to action for the marketplace to take a more proactive and holistic approach to data and analytics to get the results organizations are expecting. Addressing the challenges calls for a lifecycle approach – one that doesn’t just focus on data and algorithms. What’s needed is a consistent, governed process for deploying analytics. And the analytics must be consumable across a broad range of resources.
The security analytics life cycle can be visualized as two closed loops around discovery and deployment, with the following stages.
Ideation
At this stage, stakeholders generate ideas, assess the challenges, determine what questions security analytics should answer and what data may hold the answers. Ideas may come from amassing, visualizing and mining the data. They may also come from external notifications about emerging threats.
Data preparation
Organizations often want to jump to the analytics and shortcut the basics of getting the data right. If they don’t address the data upfront, they’ll suffer for it later.
The prevailing concept of a data lake is insufficient. It’s not enough to store and analyze massive amounts of security data after the fact. That’s a huge technical challenge, requiring massive processing times and delaying results. There needs to be a process to enrich the data for analysis before it’s stored. This approach provides more context and identifies more subtle behaviors.
At this stage, security analysts work with other stakeholders to source the data, establish a time frame, provide data quality and integration, and plan how to serve the data to answer critical questions.
Exploration and visualization
Data utilities enable users to explore and visualize security data, begin to understand connections among influential variables, and make determinations from that data. This process can be done in a very user-friendly way in an intuitive visualization that doesn’t require the skills of a data scientist. At this point, users generate data-driven hypotheses that are passed to the next stage.
Threat modeling
Users now actually get their hands on the data, start to mine and define the data, and create the analytic models that will help solve the challenges identified in the ideation phase.
Simulation and validation
Once a series of models has been created, the models are simulated across past data and the outputs tested against past known outcomes. This process pits champion and challenger models against each other to validate them and determine which models will perform best in the production environment.
Model deployment
The best-performing models are deployed. These models must be flexible enough to be deployed in multiple different run-time environments – batch and real time – and to adapt to reflect ongoing flux in the security environment.
Monitor and evaluate
Once deployed, models must be monitored and evaluated to track their ongoing efficacy. Ideally, this cyclical feedback process works to broaden and deepen the data sources, feed new insights back into the ideation phase, and continuously improve your security analytics.
Keep evolving
Cyberthreats are always adapting, and so are the data and analytics to detect and deflect them. Tomorrow’s channels and attacks will be different from today’s. Data sources evolve and multiply. Analytical methods improve. A successful security analytics program has to be in motion, comfortable with change, and able to cope with the surprises and challenges that will inevitably arise.
It’s a difficult challenge. But building sophisticated analytics ultimately pays off in improving organizations’ abilities to detect, investigate and respond to security events in a reliable, repeatable way.
An organization could solve for each security objective individually, but the real task at hand is to assemble the breadth of data and analytics capabilities that is required to resolve all the top objectives. This is not a reactive, one-off project, but one guided by a carefully prioritized road map.
By Stu Bradley • Vice President of Cybersecurity Solutions • SAS
Recommended reading
- Article A cybersecurity framework: Six steps to empowering your analyticsAre your cybersecurity tools leaving your organization vulnerable? A career risk management professional/college professor explains why and what to do about it.
- Series A modern cybersecurity strategy: Building a cybersecurity planThe main considerations of a foundational component of a cyber strategy: the cybersecurity plan.
- Interview Five steps you can take to beef up cybersecurityAnyone with Internet access and programming skills can invade a country or bring down a corporation. Cybersecurity expert Ray Boisvert shares five actions organizations can take to defend against cyberattack.
- Article Fighting cyberwars with cyberanalyticsMike McConnell, former US Director of National Intelligence, told the US Senate, “If the United States were at cyberwar, it would lose.” If that is even remotely true, cyberdefenders need to be outfitted with the most effective weapon for winning the war – analytics.