The Role of Security Analytics in Information Security Programs
18 infosec pros and analytics experts reveal the role of security analytics in information security programs today.
Big data and analytics are impacting every industry in the modern landscape, and the security field is no exception. Analytics have tremendous promise in aiding ongoing enterprise efforts to identify anomalies and mitigate security breaches and cyberattacks before hackers are able to access systems and carry out malicious activities, or at least before too much damage is done.
To gain some insight into how organizations are making use of security analytics today and the role that security analytics should be playing in modern information security programs, we reached out to a panel of security professionals and analytics experts and asked them to weigh in on this question:
"What role should security analytics play in information security programs today?"
Meet Our Panel of Security and Analytics Professionals:
Rebecca Herold has more than 25 years of IT, infosec, and privacy & security experience. She is the CEO and founder of Rebecca Herold & Associates, LLC, also known as The Privacy Professor, and the president and co-founder of SIMBUS360. Herold was an adjunct professor for the Norwich University MSISA (formerly MSIA) for 10 years and has authored 19 books. She has led the NIST Smart Grid privacy group since 2009 and has been an officer for the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group since 2015.
"Many organizations do not use security analytics to its full capabilities; often the analysis is relegated simply to identifying network attacks..."
However, this is only one subset of the types of security analytics that should be deployed. Security analytics provides insights into how well security programs are working. It can also help identify problem areas and can warn of imminent or active attacks.
Without proper security analytics, organizations create a blind spot for those responsible for information security program management.
Here are a couple ways security analytics should play a role in each of the three primary areas of information security:
How long has it been since the information security policies, and supporting procedures, have been updated? The longer it has been, the more likely there have been changes in the business environment that would have necessitated an update of the policies/procedures. If it has been more than 12 months since reviewing the policies/procedures, they will more than likely need to be reviewed and possibly updated.
How many workers/employees participated in the most recent general information security training class? If less than 95% (although 100% is ideal) then there is a significant gap in understanding and awareness that could easily result in a security incident and/or privacy breach as a result of a mistake, negligence, or malicious intent. Employees need frequent, new and relevant information security training.
When was the last time network systems were updated to patch vulnerabilities and security holes? When was the last time systems patches were released? Generally, if the time between the release and the date that the patch was applied is greater than 1 day, the organization is putting itself at unnecessary risk. This could also potentially be viewed as negligence in a civil suit or a regulatory violation that may be applied if a breach occurs during that gap.
How many computing and storage devices are attached to the business network? If this number cannot be determined, then the information security program manager will not be able to effectively identify, and then mitigate, the security risks to the business that exist throughout the network.
How many individuals at your outsourced managed systems provider (MSP) have access to the servers and other devices that are used for your business processing? Do all these individuals have a validated business need to have such physical access? The larger the number, the greater the risks to your business.
How many workers use their personally-owned computing devices for business purposes? The greater the number, the greater the risks, necessitating strong compensating controls.
Pieter VanIperen is a Founding Member of Code Defenders, a collective that protects the long tail of the internet, an Adjunct Professor of Secure Code at NYU, a Certified Penetration Testing Engineer (Ethical Hacker), and a Certified Secure Web Application Engineer. He has 15 years of of experience as a programmer and security expert. He is currently a resident software architect and secure coding expert for a major online discount brokerage. He has also consulted for multiple financial, insurance, and law enforcement institutions. He has worked in over 20 programming languages and is the author of the HAZL coding language. He has also served as the CTO of several digital companies and has advised multiple startups.
"Security analytics and security pattern analysis tools should be a part of the tool set in information security programs..."
Analytics help to guide professionals to see where real world threat vectors are originating from and can help prioritize the order in which infrastructure and code is patched and hardened. Analytics, unlike pen tests or other analyses, demonstrate the patterns of attempts and also the patterns of actors, which gives professionals the opportunity to use the intelligence to defend and/or honey-pot attacks.
I think intelligence is a good metaphor. If we look at cyber security like an ongoing war, analytics can tell us what base the enemy may be looking to attack next and where to deploy additional protection or where to deploy a response while a base is under attack.
Analytics like all tools though should not be overly relied upon. Ignoring other, less common vectors will increase your overall attack surface and over time make you more vulnerable. So in short, analytics can help you prioritize actions based on what you are most likely to face first.
Rick Deacon is the CEO & Founder of Apozy, a YCombinator backed cybersecurity company aimed at stopping phishing and malware in the browser while creating a real-time browser forensics and incident response platform. Rick became a security professional early on hacking into Fortune 500 companies and securing their networks.
"Security analytics are a critical piece of any well thought-out infosec program..."
The proper analytics can help companies find proper security direction and make decisions that impact the future of their information security program as a whole. The caveat is that improperly planned analytics can generate extra work and yield negative results. Security analytics do a few things very well:
- Show value to department heads and executives.
- Help forecast and steer budgetary decisions.
- Define an overall security posture.
- Create extra work.
Create a good balance between the 4 and you're golden!
Michael Fimin is an accomplished expert in information security, CEO and co-founder of Netwrix, a provider of a visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments to protect data regardless of its location. Netwrix is based in Irvine, CA.
"Creating an effective security program is a challenging task..."
Practice shows that organizations have to develop a security program in accordance with individual characteristics of their IT environments, as well as peculiarities of business processes and types of sensitive data they store. Therefore, while all organizations have to defend against outsider and insider threats, they might need different sets of instruments and different approaches to combat cybercrime.
Security analytics and related technologies (e.g., user behavior analysis and risk mitigation solutions) can become a solution for organizations that would like to strengthen their security policies and be more proactive in their cybersecurity efforts. By implementing user behavior analysis, organizations will be able to receive the most relevant information about what's going on with business-critical data, how employees interact with sensitive files, and what are the security gaps, including elevated privileges, or overexposed data. Visibility into user activities that do not fit the norm, as well as the ability to receive alerts on threat patterns that pose risk to data integrity, can enable companies to increase the effectiveness of their security programs and develop them accordingly to fit their security agendas and resolve compliance issues.
Mihai Corbuleac is a Senior IT Consultant at ComputerSupport.com LLC – an IT support company providing professional IT support, cloud and information security services to businesses across the United States since 2006.
"In today's society, it's all about security analytics..."
The number of threats to information security increases on a daily basis. Protecting informational assets is crucial, and this is why I believe that an information security program that is not based on comprehensive security analytics represents a major vulnerability. There are standards that should be followed to establish an information security program (ISO 17799, ISO 27001) and there can be no information security program without a system security plan. The latter should be based on accurate and business-specific security analytics. Both general and threat-focused security analytics are required.
Ashwin Krishnan is a technology industry expert with over two decades of experience in cybersecurity and cloud technologies. The author of Mobile Security for Dummies, Ashwin is currently a Senior Vice President of Products and Strategy at HyTrust, a late stage security startup. He regularly contributes to publications like CIOreview.com, SDxcentral.com, Virtual-Strategy.com and others. His speaking engagements include Mobile World Congress, RSA Security Conference, VMWorld, Telecom Industry Association, and Product Camp Silicon Valley.
"Security analytics will play a much more important role in the future than it has done so far..."
Why? Thus far, the carbon life form is always typically inserted in the SOC where the most sophisticated analytics via SIEM tools and others results in a human decision to be made. This does not scale. The attackers are using machine learning to their advantage – lots of talk on this at the most recent BlackHat conference – which day, which vertical, which subgroup is likely to succumb and use that to phish as an example. Conversely, they stop targeting other days, times, and groups with low success rates. The defenders have to automate intelligently as well. Even more ignored is the insider accumulation of privileges. A fat finger of a year ago is a much fatter finger today and the damage that a Snowden caused 10 years ago would be much greater today because of the gradual accumulation of privileges due to day-to-day operations of fewer people with more privileges, or even the innocuous vacation and the redistribution of rights that are never revoked. Security analytics is critical here, too, to constantly assess these sorts of issues and auto remediate.
David R. Lee
David co-founded Kastling Group and serves as the Chief Operating Officer. He specializes in the implementation of web technologies and their integration with legacy systems. He is a trusted expert in enterprise software architecture, custom software implementation, and automated testing. He received his B.S. in Electrical and Computer Engineering from Carnegie Mellon University.
"Security analytics should be used to continuously enhance information security programs..."
Having strong analytics will not provide fail-proof protection as there are always zero-day vulnerabilities exploited every day. There is no impenetrable wall especially in enterprise systems that utilize a conglomerate of applications on the web, but analytics should be used and will help to continuously find and remediate and, more importantly, predict and prevent attacks.
Bill Ho is CEO of Biscom, a leading secure document and messaging solutions company that enables firms to share and store documents securely. Over his 20-year career, Bill has worked closely with various companies in the healthcare, financial services, government, and legal spaces.
"A few years back, Big Data began to gain attention because of..."
The realization that the amount of data being generated and collected through massive growth in Internet traffic could be analyzed and used to predict trends, understand user behavior, and better target advertising.
Today, security analytics is a growing field aimed to find that data needle among the stack of many. The trick is to use analytics algorithms (AI being the newest buzzword) that can sift through server and application logs, endpoint data, and other traffic, integrate that data, and then try to detect odd patterns or suspicious behavior, all in real-time.
Network security is always a game of one-upmanship. Security analytics can help organizations trying to stack their blue team against the red teams out in the wild. Continuing to add to defense in-depth strategies is critical as threats evolve and improve. Like any single security solution, security analytics tools aren't the holy grail of protection, but I believe they soon will be part of the standard for companies.
Sheila Lindner is the President of Octacom, a leading provider of outsourcing solutions for large-scale businesses and organizations. Octacom is a leader in providing secure cloud and data management solutions for a variety of industries.
"With the frequency and sophistication of cybersecurity threats continually on the rise..."
Big data security analytics can be a powerful tactic to prevent cybersecurity attacks in your organization. With cyber attacks becoming more and more sophisticated and complex, big data offers a stronger, quicker tactic for detection of attacks. Big data allows your team to run analytics on past and present operations incorporating all digital assets, providing an opportunity to identify small changes that could turn into big problems if left uninvestigated.
Mr. Karimi brings 27 years of engineering, professional services, business development, marketing and sales experience at both private and public companies to Beyond Security, including successful business and product leadership roles at SCO, 3Com, nCipher, Deepnines, OPSWAT, Fortinet and Bitdefender. At 3Com, he was the pre-standard product manager for 802.1X, 802.1Q and 802.1p technologies. In the past 15 years, his focus has been exclusively in the security space covering diverse areas of cryptography, strong authentication, vulnerability management, malware threats, as well as cloud and network protection. Hamid holds a Bsc. in electrical and computer engineering from San Francisco State University.
"As security threats increased exponentially, manual intervention could no longer scale and as always..."
Man sought the assistance of machines both in the forms of User and Entity Behavioral Analytics (UEBA) and machine learning to distinguish between authorized activity and security beaches within an IT infrastructure. Security analytics rely on big data collected through various means to make sense of an anomalous activity, and yet the eventual interpretation depends on human intelligence. We have seen such analytics at work in the systems controlling US and Russia's nuclear arsenals. We also have empirical data showing that despite all the safeguards, systems can fail and indicate the existence of a phantom nuclear attack. Fortunately in cyberspace, the consequences of machine failure is not as catastrophic and can be measured by dollars and cents. One has to recognize that for Information Security Programs, Security Analytics is a tool in the hands of a human operator and in the end, man overcomes the machine. While some industries use this method to identify trends for commercial purposes, for a typical IT organization, the tools aim to separate normal and breaching behaviors. It would be naive to assume that even the most effective Security Analytics tools can replace best practices in both software and hardware development cycles. In the end, we cannot rely on adherence to best security practices by human actors just as reliance on machine intelligence for full protection is foolish. Organizations of all sizes must make sure they deploy applications that are hardened against all known and unknown vulnerabilities and augment the approach by deploying security analytics to stay ahead of trends to minimize their attack surface.
Shea Drake lives near Silicon Slopes in Utah, keeping up on technology, business, and the increasing role it plays in our lives.
"Security analytics is like Big Brother, but better..."
It's not really a matter of discussion. Every company should invest in some form of analytics. It identifies patterns as they're happening, and I think we'll see this importance increase as hackers become more sophisticated in their attacks. (True Story) I worked for a B2B company where an employee had opened a PDF file (as it was routine to receive them from vendors and businesses), and it had a version of CryptoLocker in it. Thanks to the security analytics set in place by the IT manager, it was identified and stopped before it could spread to the entire network. While one employee lost a day of productivity as their computer was cleaned, it saved the company potentially millions.
It's the gatekeeper, 24/7. Humans can miss things occasionally, but security analytics can essentially freeze what happened at the moment of an attack so the IT professionals can reverse engineer what happened to prevent it again.
Use it in conjunction with cloud storage for best benefits. The story in the first bullet point? The company had cloud storage, so even with having to provide a full system restore to the infected computer, all saved files and information were in the cloud anyway.
Ian McClarty is the President at PhoenixNAP Global IT Services.
"Analytics are key to security..."
As the complexity of IT networks has grown, the inventiveness and sophistication of cyber security threats and attacks has grown just as quickly.
Two of the more prominent trends in the IT world we are seeing are the continuing growth of cloud computing and the increasing use of data analytics as a valuable business tool. Both of these areas play a prominent role in information security efforts. The true value of big data insights comes from driving action with business teams. You need operational capabilities that can sift through your data, find the right signals and then trigger the right actions.
Steve E. Driz
Steve Driz is the President and Chief Architect at The Driz Group. He is a hands-on, strategic and visionary Cyber Security, Information Systems & Technology leader with over twenty years of comprehensive experience in bridging business and technology. He consistently develops new strategies delivering cost effective enterprise solutions aligned with strategic objectives and has hands-on expertise overseeing machine learning enterprise-class (Fintech) application design, development, security and compliance. He's a NIST framework implementation expert and Blockchain evangelist, characterized by others as an expert in Enterprise Application Security & Compliance, including SSAE16 SOC2 & PCI DSS, Web Application Security, DDoS Protection and Agile Software Development methodology.
"At present, most companies rely on outdated log analysis and alerts to get an insight into the state of the cyber security threat intelligence program..."
Security analytics are needed to serve as a foundation that helps make informed data protection decisions faster and with better precision. For example, an analytics report may identify and correlate an attack vector that would not be visible to security and IT teams under normal circumstances. The main reason is that both teams often spend a lot of time chasing the vulnerabilities and patches, with less time for analytics.
Peter Carson is the Founder and President of Extranet User Manager. He brings over 20 years of experience in technology consulting, certified engineering skills, database design, and application development – combined with strong communication, analytical planning, and business skills.
"Every company's security program has different threats..."
There's no one rule or one guideline to watch out for. Using security analytics can help you see what threats your business faces and should be reviewed frequently to identify new threats and to update your programs accordingly.
Brian Berger is the executive vice president of commercial cybersecurity for Cytellix. He is responsible for 24/7 system management and business operations, as well as marketing, development, sales and engineering support of the cyber team and its solutions. With more than 28 years of experience in device security, IT, data analytics, and corporate leadership, Berger has led the successful development of strategic engagement agreements with multibillion-dollar cloud service providers, securing significant contracts in data encryption, authentication, network security, cloud, analytics, and embedded hardware security.
"Security analytics are a critical capability to understand behaviors and changes to an organization..."
As cybersecurity is an ever-changing landscape, the ability to understand changes in real-time is needed to understand an organization’s security posture. Security analytics can provide this real-time capability.
Jon LeRoux is the Co-Founder and CEO at TurtlePie Solutions in Tulsa, OK.
"Security analytics should empower your security and IT teams in two key ways..."
First, they should play a role in keeping your teams up-to-date on current threats and emerging trends in potential security vulnerabilities. We invested early on in real-time monitoring of our client's servers for penetration attempts from outside sources. It allowed us to understand what actions to take, where the vulnerabilities were, and how to quickly propagate the patch that fixed said vulnerability to all of our client's servers as well as our internal network. This was pivotal during the more recent POODLE and Heartbleed attacks.
Second, they should empower your security and IT teams to inform the creation and updating of in-house Standards of Practice (SOPs) and company policy. After a threat has been identified and fixed, the very next step should be to establish how to prevent that vulnerability from occurring again and to get it chiseled into corporate policy. This helps ensure that the company, as a whole, is aware of the vulnerability and knows how to guard against it at every level and helps ensure that future hires don't fall into a similar misstep.
Lindsey Havens works at PhishLabs, a company that provides 24/7 services that help organizations protect against phishing attacks targeting their employees and their customers.
"Security analytics play a valuable role in providing a comprehensive view of activity on a network..."
An SA system looks at various types of IT telemetry from across the enterprise, and then compares it to the correlating and reporting functions of SIEM. It can then allow operations to perform malware analysis, check for data leakages, and gain visibility into endpoints. Through analysis, IT professionals can combine and integrate all of these variables to create a security platform with investigative capabilities.
Pablo Garcia, CEO of FFRI North America, is a cybersecurity subject matter expert with over 17 years of enterprise management experience. He has expert knowledge of the network security landscape, including advanced malware detection, breach detection, network forensics, penetration testing, and risk and compliance.
"Security analytics has made the progression over the last few years to security automation and orchestration..."
AI plays a big role in this process to find track and resolve potential security issues much quicker. The end game for a lot of technologies is the ability to automate the role of the tier 1 analyst. If the analyst can focus on tier 2 and tier 3 events, it's time well spent. The ability to shorten the time gap from time of discovery to resolution is key.