First off, analytics-driven =/= data-driven
The struggle is still very real across the IT industry when it comes to terminology. So, I figured differentiating between “data-driven” and “analytics-driven” would be a good start before diving into it.
- Data-driven = is a term that refers to decisions based on a quantitative (or number-based) approach in order to arrive at results.
- Analytics-driven = is a term defined as the discovery of meaningful and valuable patterns in data (beyond qualitative analysis). It’s not simply a detection, but a furthered understanding between data and people.
The problems (and there are a few)
The number of cyber attacks affecting enterprises today is continuing to grow and make the threat landscape more and more treacherous. With the increased force of malicious actors, combined with complex environments (especially with the expansion of the Internet of Things), enterprises are lacking the manpower and resources to combat these challenges.
Detection and remediation are becoming more difficult, which means security is often reactive versus proactive.
As advanced persistent threats and other methods are progressing, hackers are utilizing techniques to infiltrate, pivot, and carry out exploits deeper inside the enterprise infrastructure. Security pros and data scientists are drowning under the speed, visibility, verification, root cause discovery, and volume of big data.
Old approaches can’t battle modern day threats
Many security programs that have been implemented in the past, and many of which are still in place, don’t account for new attack types. The reasoning behind this is that security has previously been oriented around the earlier stages of an attack, whereas today’s attacks have moved beyond those stages.
Unfortunately, there isn’t a ‘canned’ or ‘out of the box’ solution that’s going to magically make this problem go away. The necessary change to the way security is being approached is going to take careful planning, clear communication, and a lot of coordination.
So, what needs to happen?
This isn’t a matter of scrapping the old ways entirely - enterprises should still employ a multi-layered defense. However, teams need to move on from threat prevention, legacy technologies, and manually intensive processes, toward a more holistic approach.
A comprehensive and resilient security strategy means a better use of people, processes, and technologies.
In order for an enterprise to mature their security operations the following are some things that need to happen:
- Teams will have to ask better ‘big picture’ questions from the beginning
- Technology must be even more scalable and be able to perform more efficiently
- Data scientists must know how to utilize and manipulate the technology with ease
- The relationship between big data analytics and team skills will need to strengthen
Leveling up with the use of analytics
As things progress, wider and deeper insights are going to be necessary to identify emerging anomalies. One of the main goals is to eliminate so many of the manually-driven tasks that are weighing security pros down.
Analytics technologies will connect the dots faster in order to help predict patterns, identify suspicious behavior, and automate corrective actions.
With analytics-driven security and automation, the human touch of data scientists will still be necessary to confirm and/or investigate events, but will remove much of the intensive work.
Let’s talk about SIEMs for a second
- SIEM = SIEM stands for “Security Information and Event Management.” SIEM softwares are designed to collect, store, correlate, monitor, and alert on security events in real time. They also assist with the analysis, manipulation, and reporting of big data.
It’s argued by some that SIEMs are not capable of addressing the problems that enterprises are (and will be) facing. It’s indicated that SIEMS are based too much off the past, such as alerts being based off predefined schemas, and that they’re too “fixed” in nature and are therefore inflexible. However, this is usually the case with when the enterprise doesn’t have the appropriate abilities to customize them to their environment.
For teams that are capable of SIEM customization (whether they’re able to implement this on their own or through a Managed Security Services Provider like Hurricane Labs), they have a much better chance of achieving their goals and integrating the analytics-driven approach into their security program.
There are quite a few technologies out there, and more emerging, that have the mission of establishing control over enterprise security postures and providing valuable, contextual insights to teams. Splunk provides an analytics-driven security solution that has enabled teams to see patterns, automate actions, and pull it all together in regard to connecting the dots and preventing attacks.
Contextual patterns are key to empowering decision-making and automation for a more effective security posture.
One of the reasons Hurricane Labs stands behind Splunk is because this platform enables that single-pane window that gives a holistic view, ties everything together, and helps answer the questions organizations are asking of their data.
Some of Splunk's vast number of capabilities include:
- Single big data platform
- Comprehensive visibility
- Real time monitoring
- Behavioral analytics
- Rapid investigation
What are some of the factors for success?
There are a few factors organizations need to be aware of as they evolve their security initiatives. Again, clear objectives need to be defined. Without goals the coordination of information is doomed.
Another crucial component is the open information-sharing that needs to be accessible across the organization. Without information teams will be left with tactical holes and missing pieces that will prevent comprehensive security success. Finally, there needs to be a company-wide commitment to analytics-driven metrics and decision-making.
Coordination, information-sharing, and commitment are the three big areas that need to come together for analytics-driven security to triumph.
Although adopting an analytics-driven security approach will be a major challenge for many enterprises, ultimately, it’s an important part of the operational agility that will help to mature security programs and protect business-critical data.