What Elements Are Needed for Security Analytics Success?

Tuesday, August 23, 2016

Mike Paquette


Over the course of the last 18 months, it has become increasingly evident that organizations need to do more to stop the growing epidemic of security failures and data breaches that are threatening the very ability to conduct business. Customers’ sensitive financial and personal information needs to be protected.

In response, many companies now realize they need to shore up their efforts internally to deal with the attackers that dwell on the inside for months looking for their target. In the process, the sheer number and the targeted specificity of attacks have made it clear that it is impossible for any single company’s IT department to weed through the potential problems and possible attack notifications to find the real threats. Even as they deploy next-generation firewalls and endpoint detection and response products that move away from signatures toward indicators of compromise (IOCs), promising to close the gap on detection and dwell-time exposure, alert fatigue continues to plague many IT security teams.

In order to step up their game, businesses and organizations have been implementing security analytics technologies. The promise of security analytics is that it will do what humans in an IT department cannot – review endless amounts of data and flag the real threats you should pay attention to.

Not all security analytics solutions are created equal, however. There are five key characteristics critically important to ensuring that your security analytics are effective and capable of stopping today’s advanced threats.

Extreme Flexibility to Task and Data

Security analytics must be ready and willing to take on any problem presented to it. Strong and useful security analytics has to do more than security software that detects simple intrusions. It must be able to consider everything that potentially could be a problem. To do this it has to be applicable to any source of data – be that a network, device, server, user log, etc. Think of a broad range of use cases.

However, just being able to interface with these information silos is not enough. Security analytics needs to analyze several different features of the data – from metrics like response times or counts, to information coming from users, hosts and agents. It also needs to be smart enough to detect patterns like ‘beaconing’ and high information content in communication packets – and then be able to draw conclusions about them and form insights into what is actually happening and where.

In other words, to be successful, security analytics needs to be able to use every data source, data feature and potential problem laid out in front of it to detect unusual behaviors related to advanced attacks; then analyze them and present results to the user.
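The ‘beaconing’ and ‘high information content’ patterns mentioned above can be checked with fairly simple statistics before any heavier machine learning is applied. The following is an added example, not code from the original article or from any vendor product: it flags source/destination pairs whose inter-connection intervals are unusually regular (low coefficient of variation) and computes the Shannon entropy of a payload. The log format and all log lines are constructed for the example.

```python
"""Beaconing and payload-entropy checks over a constructed connection log."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per connection: "timestamp src dst bytes".
# 10.0.0.5 talks to 203.0.113.9 every ~5 minutes; 10.0.0.7 is irregular.
SAMPLE_LOG = """\
2016-08-23T10:00:00 10.0.0.5 203.0.113.9 120
2016-08-23T10:05:01 10.0.0.5 203.0.113.9 118
2016-08-23T10:09:59 10.0.0.5 203.0.113.9 121
2016-08-23T10:15:00 10.0.0.5 203.0.113.9 119
2016-08-23T10:20:02 10.0.0.5 203.0.113.9 120
2016-08-23T10:00:10 10.0.0.7 198.51.100.4 5000
2016-08-23T10:01:30 10.0.0.7 198.51.100.4 300
2016-08-23T10:13:05 10.0.0.7 198.51.100.4 8000
2016-08-23T10:14:00 10.0.0.7 198.51.100.4 90
2016-08-23T10:40:00 10.0.0.7 198.51.100.4 4200
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _bytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def interval_cv(times):
    """Coefficient of variation of inter-arrival gaps; low CV = regular cadence."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return std / mean

def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(src, dst): cv} for pairs with enough events and a steady interval."""
    hits = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        cv = interval_cv(times)
        if cv <= max_cv:
            hits[pair] = round(cv, 3)
    return hits

def shannon_entropy(data: bytes):
    """Bits per byte (0..8); values near 8 suggest compressed or encrypted content."""
    n = len(data)
    counts = (data.count(b) for b in set(data))
    return -sum(c / n * math.log2(c / n) for c in counts)
```

Thresholds such as `max_cv=0.1` and `min_events=5` are starting points; real traffic needs tuning against a baseline so that legitimate periodic jobs (updates, health checks) are not flagged.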

Speedy, Accurate, Real-Time Analysis

With true security analytics implemented, the analysis should be fast – giving results in near real-time, making the user feel like it is almost automatic. Speed in processing of data is important when it comes to security issues – as any delays in identifying problems can be quite costly for companies, especially when an active data breach is occurring.

At the same time, while speed in processing is very important – it is second to the most important element of security analytics processing: security analytics needs to understand what it’s looking at and draw conclusions about what is important to the end user.

With an ever-increasing number of cyberattacks to worry about, it is easy to see how IT managers are overburdened with alerts that flag a potential breach or other issue that needs attention. Many of these issues are not breaches or problems that even warrant immediate (if any) attention; but with most security software that looks at signatures or ill-defined IOCs, everything is flagged so that nothing is missed. This clearly works to the advantage of the attacker, who hides in the noise of the environment it is operating within. With alert fatigue being a dominant complaint, it becomes harder and harder for analysts to see through the waves of alerts many advanced detection products emit.

Learns from the Past, Applies to the Future

Here is where machine-learning technology often enters the discussion. There are limits to what typical security tools and a single human end user can accomplish. There are only so many hours in the day to review alerts or notifications – and once you start self-selecting which ones seem important, you are already increasing the possibility that you miss a critical notification. Furthermore, while many companies deploy rule sets within their SIEM to aid in the filtering of highly relevant events, these are limited to a static understanding of “what is problematic” and not nearly as dynamic as a mechanism that could look to identify anomalies based on detected patterns from baselines.

Machine learning helps security analytics take the analysis of potential issues a step beyond seeing something and saying something. With machine learning technology in place, security analytics can now see something, correlate its significance and then ensure that it is only identifying the most important items based on probability scoring on the data.

Machine learning is a critical part of most security analytics – it can recognize and understand patterns, periodicity of data and anomalies within the data, learning from each instance what is a normal behavior and where the outliers are. This makes it possible for the IT manager to act on every alert received, prioritized by its analytical relevance score – instead of hoping he or she selected the correct ones.

Ability to Scale

Security analytics should have an ability to grow and scale with organizational growth. As businesses become more established and achieve greater levels of success, the amount of data they generate, the number of customers they have and the size of their operations all grow. This means that the probability of being “targeted” by cybercriminals or hackers grows as well. However, it is not always the biggest customers that are hit first or most often; it is the ones that are least prepared to prevent and detect the attackers.

Security analytics needs to be able to handle all of these instances and scale as required. An increasing amount of data should not faze strong security analytics solutions. On the contrary, more data should add context to an attack and lead to proper identification of an attacker’s techniques.

Ease of Deployment and Understanding Results

This last item could easily be separated into two, but they are two sides of the same coin. There are an increasing number of security analytics-based products on the market, with many new entrants coming from adjacent parts of the security space that incorporate analytics (many times because they generate too much data to be useful). Ease of deployment and understanding results comes down to achieving value on the analytics performed.

It is increasingly important to be able to deploy ready-built and defined “recipes” that are relevant to detect intrusions as part of security analytics. This can be a bit of an iterative cycle to “tune” to the kinds of customer data present, but a successful solution will be the one that is the most flexible and aids in the tuning process.

To utilize security analytics, the results need to convey things like attack progression and classification of threats in a form that fits the vernacular of the users. This aspect is often lost or left for the customer to consume and display in his or her own dashboards. The assumption made by many vendors is that there is an army of data scientists on staff at each customer that can utilize the results to “tell the story” to the security analyst. This is simply not the case. Therefore, you should look to shorten the time to value and deploy smart, highly tunable security analytics that speak the language of your security team.


The importance of security analytics cannot be overstated, especially as data breaches, unfortunately, continue to dominate the headlines each day and attackers come up with new, targeted means to circumvent prevention technologies. This is why, to be successful, you first have to understand the key elements of security analytics – to make sure what you implement will check off all of the boxes that should be checked off, and you’re not left wondering why your analytics solution isn’t finding everything it should. By implementing a security analytics solution that closely aligns with the five elements above you will be in a better position to short circuit the next attack on your business.
