Security Analytics Proves Challenging But Effective: Study

by CXOtoday News Desk, Mar 07, 2017

Security analytics solutions are delivering deeper visibility into organizations’ security data than ever before, but deployment and day-to-day usage remain challenging, reveals a Ponemon Institute survey commissioned by SAS.

“There has been much said about the promise of security analytics to improve security operations,” said Larry Ponemon, Chairman and founder of Ponemon Institute. “This is one of the first studies to deeply examine actual use of these solutions and identify where organizations are succeeding and struggling.”

Most responding IT and IT security practitioners believe security analytics solutions have greatly improved their organizations’ overall security posture. They said the solutions make it easier to reduce false positives and to spot and stop anomalous traffic. However, these improvements come with challenges, starting with implementation. More than half of respondents (56 percent) characterized their initial deployments as “difficult” or “very difficult.” Among them, 65 percent cited the configuration and/or tuning required to make the system usable, the study highlights.

“Nearly all solutions require initial configuration and tuning for optimal performance,” said Stu Bradley, Vice President of Cybersecurity Solutions at SAS. “Organizations can avoid many pitfalls by clearly defining workflows and project goals before starting an implementation.”

The study states that success hinges on data:

Respondents also cited data issues as deployment obstacles, with about half (51 percent) noting “too much data” and 45 percent indicating problems accessing the required data.

Even beyond deployment, a significant majority (65 percent) pointed to data challenges, top among them data quality (cited by 66 percent of the respondents), data integration (65 percent) and data volume (55 percent).

“Organizations often want to jump immediately to the analytic output, shortcutting initial steps required to get the data right,” said Bradley. “But if they don’t appropriately address the data up front, they will suffer for it later and face major challenges deriving what they expect from their security analytics solution.”

The study points out that detecting the ‘right’ threats is significant:

Respondents reported gaps between threats they want their solutions to detect and those they are actually finding. They identified data exfiltration (cited by 50 percent of the respondents), adversary reconnaissance (40 percent), adversary lateral movement (36 percent), and malicious insiders/insider threats (36 percent) as most important for their security analytics solution to detect. Yet none of those are among the threats their solutions are proving most adept at detecting, which they specified as account compromise (named by 50 percent of respondents), privilege escalation (48 percent) and malware deployment or delivery (46 percent).

“When you look at these security objectives, they are all very different – and they each bring fundamentally different data into play,” said Bradley. “That speaks to the breadth and depth of analytic sophistication needed for an organization to develop all the right capabilities. Success requires a confluence of different analytic disciplines and also a carefully plotted road map for maturing analytic capabilities. With such a road map, organizations can make the most of their limited security resources.”