Security analytics could play major role in detecting breaches

by

25 April 2015

Although security spending is at an all-time high, security breaches at major organisations are also at an all-time high, according to US-based research and advisory firm Gartner.

"Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level," said Eric Ahlm, research director at Gartner.

"Security analytics platforms endeavour to bring situational awareness to security events by gathering and analysing a broader set of data, such that the events that pose the greatest harm to an organisation are found and prioritised with greater accuracy," he said.

According to analysis from Gartner, security information and event management (SIEM) technologies are topping the list of likely solutions. While most SIEM products have the ability to collect, store and analyse security data, the meaning that can be pulled from a data store depends on how the data is reviewed. How well a SIEM product can perform automated analytics has become an area of differentiation among SIEM providers, the report said.

User behaviour analytics (UBA) is another example of security analytics that is already gaining buyer attention, according to Gartner. UBA, which allows user activity to be analysed much in the same way a fraud detection system would monitor a user's credit cards for theft, is effective at detecting meaningful security events, such as a compromised user account and rogue insiders.

Although many UBA systems can analyse more data than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach, said Gartner.

"Today, there are certainly commercially viable applications of analytics to better position security technologies, such as with SIEM and UBA providers," said Ahlm. "However, the applications or other problems that can be addressed for other security markets are still emerging and on the whole, the security industry is rather immature in the application of analytics."

Gartner's analysis also said that as security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. Information about hosts, networks, users and external actors is the most common data brought into an analysis. However, the report said, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.

According to the report, analytics systems on average do better with lean, metadata-like data stores that let them produce interesting findings quickly, at near real-time speed. The challenge with this approach, Gartner said, is that major security events such as breaches don't happen all at once. There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event.
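To make the UBA idea above and the multi-stage breach timeline concrete, here is an added example (written for this page, not code from Gartner or any vendor): a minimal per-user baseline over constructed login records that scores deviations in device, country and hour of day as weak signals, and alerts only once those signals accumulate within a correlation window. The records, score weights, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system): user, UTC time, device, country, action
EVENTS = [
    ("alice", "2015-04-01T09:05", "laptop-a1", "GB", "login"),
    ("alice", "2015-04-02T09:10", "laptop-a1", "GB", "login"),
    ("alice", "2015-04-10T03:40", "unknown-x9", "GB", "login"),  # early indicator: new device, off-hours
    ("alice", "2015-04-10T07:15", "unknown-x9", "RU", "login"),  # hours later: new country
    ("alice", "2015-04-18T02:30", "unknown-x9", "RU", "bulk_download"),  # days later: leakage-like action
    ("bob", "2015-04-01T10:00", "laptop-b1", "GB", "login"),
    ("bob", "2015-04-12T10:30", "laptop-b2", "GB", "login"),  # one new device on its own: benign noise
]
BASELINE_END = datetime(2015, 4, 5)  # assumed: events before this date train the per-user baseline
WINDOW = timedelta(days=30)  # assumed: how long weak signals stay correlated per user
THRESHOLD = 7  # assumed: cumulative risk score that raises an alert

def build_baseline(events):
    """Learn each user's known devices, countries and login hours from the training period."""
    base = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for user, ts, dev, cc, _ in events:
        t = datetime.fromisoformat(ts)
        if t < BASELINE_END:
            base[user]["devices"].add(dev)
            base[user]["countries"].add(cc)
            base[user]["hours"].add(t.hour)
    return base

def score_event(base, user, t, dev, cc, action):
    """Weak signals: each deviation from the user's own baseline adds a small constructed weight."""
    b = base[user]
    return ((dev not in b["devices"]) * 1 + (cc not in b["countries"]) * 2
            + (t.hour not in b["hours"]) * 1 + (action == "bulk_download") * 2)

def detect(events):
    """Accumulate weak signals per user inside WINDOW; alert once the total crosses THRESHOLD."""
    base = build_baseline(events)
    history = defaultdict(list)  # user -> [(time, score)] of recent deviations
    alerts = []
    for user, ts, dev, cc, action in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if t < BASELINE_END:
            continue  # training data, not scored
        s = score_event(base, user, t, dev, cc, action)
        history[user] = [(ht, hs) for ht, hs in history[user] if t - ht <= WINDOW] + ([(t, s)] if s else [])
        total = sum(hs for _, hs in history[user])
        if total >= THRESHOLD and all(a[0] != user for a in alerts):
            alerts.append((user, total, ts))  # first alert per user: (user, cumulative score, time)
    return alerts
```

Run against the constructed records, alice's three events (new device, then new country, then a bulk download eight days later) are individually below the threshold but together raise one alert, while bob's single new device stays below it.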

"Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time," said Gartner’s Ahlm.

"Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualisation of that data will greatly affect adoption of the technology," he said.