RSA Conference 2016 logo
RSA Conference 2016 logo

With more companies adding tools that significantly increase the data flows used to analyze network traffic, a mythology seems to have been created surrounding security analytics, Anton Chuvakin, research vice president at Gartner. Rather than clarifying the situation, the media buzz about analytics instead it has exacerbated the confusion.

There is no one tool, appliance, or answer to security analytics, including the use of system information and event management (SIEM) products, he said. Similarly, there is no specific analytic technology that must be employed. Rather, he said, a more pedestrian approach can be employed using three simple questions: What data is being analyzed? What methods are being used? What problems are you trying to solve?

Many security analytics implementations have failed even though the companies did not have the wrong tools and many others have succeeded even though the companies did not have the correct tools, Chuvakin said. Often it comes down simply to solving specific problems and having the tools configured to do so.

Rather than get bogged down in the marketing hype, he said, CISOs would be better served taking a simpler and more direct approach. For example, he asked the question: How many incorrect login attempts should trigger an alert that a malicious attempt is being made on a user account? For some, he said, the number might be 10 attempts in one minute, while others might consider 100 attempts over a 10-minute period is the correct answer. The answer is that it all depends on what rules the company decides to put in place.

It all comes down to the data, the method used to analyze the data, and the use case, he emphasized. “Security analytics is a concept,” he said, and as such there is no single answer.

Chuvakin stepped through a number of approaches to security analytics, identifying pros and cons to each approach. He also addressed the ever-present question that hovers over virtually all major infrastructure issues: Do you build, buy or partner?

Often the build/buy/partner question can be addressed in how quickly corporate management wants to show a result and how much time, money and personnel it is will to commit to the challenge. For quick results that might solve a point problem but might not be the best overall answer to a company's primary goals, Chuvakin says many companies opt for the Buy approach.

One approach vendors could take immediately to help customers identify which offering might be best for their problem would be for the vendors to create a catalog of use cases that can be demonstrated in the real world. By identifying specific use cases where the vendor has hard data on the problem and the solution to that problem, users could compare one product offering from another.

Currently, he said, some products he has looked at work fine on test data but fail to perform the anticipated function on production data. “There are not enough tools to compare (to determine) which is best,” Chuvakin said. Similarly, not enough is known about security analytics to create a list of so-called Best Practices.

Ultimately, he said, security analytics comes down to how certain a company is of its analysis of the data before a technician calls up their manager at 3 a.m. to report a malicious attack.