Security professionals are dealing with an increasing number of advanced and persistent threats. The reality is that they often cannot assess and respond to these threats effectively and in a timely manner, and are subsequently turning to new technologies to help them cope with the surge.
Most organisations are already using traditional security tools such as data loss protection (DLP) and security information and event management (SIEM), which help their security professionals triage, monitor and detect unusual behaviours. However, the rapid proliferation of increasingly sophisticated attackers is leaving many security professionals feeling overwhelmed. Increasingly they are looking at security analytics as a possible solution.
If deployed in the wrong environment or without the right skills, security analytics will simply add to the difficulties that cybersecurity professionals are facing. “Organisations exploring security analytics platforms must tread carefully and be critical of vendor claims when making their procurement decisions,” says Augusto Barros, research director at Gartner. “Organisations should not buy any new tools before goals are set and needs are clear, and, more importantly, must demonstrate that adopting advanced security analytics approaches can improve things.”
Clearly there are myriad motivations for looking at advanced analytics approaches to security. These include: the proliferation of advanced and persistent threats and a new emphasis on more rapid detection and mitigations of those threats; the vast accumulation of security data; and a dramatic increase in the number of entities that need security monitoring due to shadow IT, cloud computing and the Internet of Things (IoT).
“Most organisations are surprised to find that with improved processes and care, their existing tools such as SIEM and cloud access security brokers (CASBs) can be used to address these challenges,” says Barros. “Therefore, it’s crucial that organisations follow a structured approach to fully understand their problems and whether security analytics are necessary or helpful to address them.”
With thorough consideration, there are a great number of potential use cases for security analytics. Successful deployments generally pay for themselves by reducing the number of false alerts, cutting the cost of tuning security systems and keeping detection content up to date.
However, organisations should not attempt to shop for a unified security analytics platform, because there simply isn’t one available. If they need a unified platform, they need to build it themselves, and this brings its own technical challenges and demands on resources — high-level skills in development, mathematics and statistics are required.
“Build-your-own security analytics is far from simple,” says Anton Chuvakin, research vice president and distinguished analyst at Gartner. “Those who attempt it should know that many have tried before and failed.”
Additional security insight will be shared with South African CTOs at the Gartner Symposium/ITxpo 18 to 21 September in Cape Town.