What CISOs Must Know About Security Analytics

by Sohini Bagchi, May 18, 2016

Security analytics has garnered a lot of attention in recent years. However, marketing hype and misunderstandings about security analytics have made it difficult for CISOs and risk leaders to make informed decisions. In a recent conversation with CXOtoday, Kartik Shahani, Country Manager for RSA, the Security Division of EMC, explains the importance of security analytics and the benefits it brings to organizations when leveraged effectively. Shahani also sheds light on the findings of a recent survey conducted by Forrester Consulting, which made the case for security analytics as the new technical foundation on which CISOs can build a reliable and responsive cyber security strategy.

In the current cyber threat landscape, which is extremely complex, how do organizations prepare and protect themselves against any kind of attack?

CISOs must evolve their tool set and capabilities to keep up with the mutating threat landscape. The greatest threats to any organization include malware, phishing, and network intrusion. Organizations must make the right technology and personnel investments, guided by a fully formed detection and response strategy. Most CISOs and security professionals rely on SIEM (security information management) solutions as the primary tool to aggregate information from their enterprise to help identify abnormal behaviour that could be evidence of an intrusion, but these are not sufficient. Hence, mature organizations are moving to security analytics (SA). According to a recently released Forrester report, over two-thirds of high-maturity organizations regularly use an SA system to improve their understanding of the impact of threats, compared with only 30% of lower-maturity organizations across the globe.

You’ve just mentioned that most organizations are still using SIEM. What are its limitations? What would be the right alternative?

An effective security strategy employs robust prevention tactics but also takes into account that determined, well-armed adversaries can work around even the latest and greatest preventive controls. Going by that, SIEM is currently one of the most commonly used technologies, but it provides an incomplete picture of security-relevant activity in a typical enterprise and must be augmented with tools that provide additional visibility and analytics. When SIEM hit its stride as a security monitoring solution in the early 2000s, collecting security data logs, aggregating them in a central repository, and conducting trend and correlative analysis was sufficient. However, as threats became more sophisticated and businesses stored higher-sensitivity data on more systems, thus requiring increased monitoring, the amount and type of data and analytics needed to keep SIEM solutions useful have overwhelmed it.

In this regard the Forrester report notes that SIEM sometimes fails to detect unknown threats. SIEM is also neither equipped to conduct the analytics necessary to identify an exfiltration as it is occurring, nor is it able to determine post facto what data may have been exfiltrated. Finally, SIEM tools are typically deployed to look at the perimeter of the network, yet this mentality can expose organizations to great risk.

Security analytics is, therefore, the right alternative, as it is a new technical foundation for an informed, reliable detection and response strategy.

What are the advantages of security analytics? What must CISOs understand before deploying security analytics tools and practices?

Security analytics will not only help identify events that are happening now, but will also assess the state of security within the enterprise in order to predict what may occur in the future and enable more proactive security decisions. As the Forrester report notes, one of its biggest advantages is that the system takes multiple types of IT telemetry from across the enterprise, as well as the correlating and reporting functions of SIEM, the detection capabilities of malware analysis, data leak protection, network analysis and visibility (NAV), and endpoint visibility, behavioural analysis, and investigative tools from the forensics world.

It combines and integrates them to provide security analysts a platform with both enterprise-scale detection and investigative capabilities.

The survey also shows that mature organizations are further along the path toward benefiting from their SA deployment compared with their lower-maturity peers, as demonstrated by monitoring of assets under attack, more reliable risk assessments, as well as greater application support.
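As an added illustration (not part of the interview or any RSA product), the following Python sketch contrasts a single-source volume rule with the kind of multi-telemetry correlation described above: DLP, endpoint and network flow events for the same host are fused into one scored alert, so an in-progress transfer of confidential data stands out from a routine backup. The telemetry, hosts, IP addresses and the Office-parent heuristic are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources an SA platform would fuse:
# DLP file-access events, endpoint process telemetry and network flow records.
# Hosts, IPs, file names and timestamps are made up for this example.
TELEMETRY = [
    {"src": "dlp", "ts": "2016-05-18T10:00:05", "host": "ws-17", "label": "confidential"},
    {"src": "endpoint", "ts": "2016-05-18T10:00:40", "host": "ws-17", "process": "curl.exe", "parent": "winword.exe"},
    {"src": "netflow", "ts": "2016-05-18T10:01:10", "host": "ws-17", "dst": "203.0.113.9", "bytes_out": 180_000_000},
    {"src": "netflow", "ts": "2016-05-18T02:00:00", "host": "bkp-01", "dst": "198.51.100.7", "bytes_out": 900_000_000},
    {"src": "endpoint", "ts": "2016-05-18T02:00:01", "host": "bkp-01", "process": "rsync", "parent": "cron"},
]

LARGE_TRANSFER = 100_000_000          # bytes; threshold for the volume-only rule
WINDOW = timedelta(minutes=10)        # how far back to look for supporting context
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}   # example heuristic, an assumption

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def volume_rule(events):
    """Single-source rule of the SIEM kind: every host with one large outbound flow fires."""
    return sorted({e["host"] for e in events
                   if e["src"] == "netflow" and e["bytes_out"] >= LARGE_TRANSFER})

def correlate(events, window=WINDOW):
    """Multi-source correlation: score each large outbound flow by the DLP and
    endpoint context recorded on the same host within the preceding window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        flows = [e for e in evs if e["src"] == "netflow" and e["bytes_out"] >= LARGE_TRANSFER]
        for flow in flows:
            before = [e for e in evs if timedelta(0) <= _ts(flow) - _ts(e) <= window]
            score, evidence = 1, ["large outbound transfer to %s" % flow["dst"]]
            if any(e["src"] == "dlp" and e["label"] == "confidential" for e in before):
                score += 2
                evidence.append("confidential file accessed shortly before the transfer")
            if any(e["src"] == "endpoint" and e["parent"] in OFFICE_PARENTS for e in before):
                score += 2
                evidence.append("network tool launched from an Office application")
            alerts.append({"host": host, "score": score, "evidence": evidence})
    # Highest-scoring host first; a bare volume hit (score 1) sinks to the bottom.
    return sorted(alerts, key=lambda a: -a["score"])
```

The volume rule alone flags both the workstation and the backup server identically; the correlated view ranks the workstation far above the backup host because the supporting DLP and endpoint evidence is present only there.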

While security analytics promises to deliver great insights in the battle against cyber threats, the concept is still immature in terms of adoption. When do you see it becoming mainstream, say, in a country like India?

Today there is significant awareness amongst CISOs and CIOs of security analytics and its benefits. However, for analytics to take over, there is a minimum requirement of data to be collected, which in several organisations hasn’t reached the required level. Currently, in India, companies (smaller ones) are still in the process of implementing SIEM or have just finished implementing SIEM for log collection and monitoring data. SIEM has become a necessity from a compliance point of view. As these companies move up the maturity curve in their log monitoring and reach a certain mass of data, they will automatically move to the next level – data analysis. To reach that critical mass most companies will take at least a few years, and till that time it will be difficult for SA to become mainstream.

What is your business roadmap for the India market in 2016?

RSA India’s focus is on what we call our growth technologies: Security Analytics, Archer GRC, VIA L&G and VIA Access. The foundation products like Fraud and Risk Intelligence (FRI) and SecurID will continue to grow and get renewed attention. Our major vertical segments will continue to be BFSI, government, IT/ITeS, telecom, and other large corporates. On the partner front, RSA will be enabling partners to deliver on deployment to help us address the larger market in the country.