Security data analytics can be powerful, but businesses need to take a practical approach, according to Vickie Miller, chief information security officer (Ciso) at software analytics firm Fico.
“No matter what suppliers say, security analytics is no silver bullet unless you have your shop in order,” the award-winning Ciso told Computer Weekly.
Miller said that, by working with data scientists at Fico over the past two years to tune the company’s home-grown analytics technology, she has been able to derive a lot of value from the tool.
“But you have got to have a good foundation because, if you put analytics into an environment where the network is messy and complicated, and there are a lot of basic vulnerabilities, then the analytics will just add to the noise and quickly become shelfware,” she said.
Analytics has to be part of a comprehensive defence-in-depth strategy, said Miller. And before companies can even consider security analytics, they need a defendable network.
“There needs to be a certain level of understanding and transparency about how the network operates and where the choke points are,” she said. “Analytics is just another tool and does not mean an organisation can get rid of things like firewalls and the antivirus and antimalware.”
Miller said she believes that having a solid network – in terms of visibility and control – and making sure all the security basics have been done is more important than any tool that could be added to it.
Despite the power of analytics, she said IT departments need to get the basics done correctly and cannot simply run to the next new security tool to solve all their problems.
Identify the benefits
The next step towards implementing analytics is to identify a technology that is mature, proven and can deliver clear value.
Miller recommends approaching shortlisted suppliers for a proof of concept trial to demonstrate what the technology can identify in the company’s IT environment that was previously hidden.
“Get them to demonstrate exactly what their analytics tool typically can detect, and what time and volume of data is required to do that,” she said.
“At the same time, get a clear understanding of the type and format of data that is needed because you don’t want to be surprised later to find that a lot of data cleansing or re-formatting is required, for example, before the analytic tool will work.”
Before committing to purchase a particular analytics tool, companies should also ask how the supplier’s technology can support decision-making processes and whether the supplier will provide training for customers to be able to tune the tool themselves.
“Ask questions, do not be intimidated by what suppliers say and make sure the supplier can show exactly what they can do for your company, so you can make a decision about whether or not you need to add this tool to your arsenal,” said Miller.
“If behaviour analytics, user analytics or entity analytics are in your company’s future, there will be a supplier that can answer your questions in a clear and understandable way, and produce the results you need using your data to show that you will be able to use the output of their tool.”
Data analysis partnerships
Any Ciso considering analytics, she said, should also consult with others in the business who may already be using analytics, such as the chief financial officer or another chief officer who may be using analytics to detect fraudulent payment card activity.
“They will have a working understanding of analytics and can be of great help to the Ciso, as well as being someone to talk to and partner with internally, because there is often a lot of overlap in terms of requirements and challenges,” she said.
Since applying analytics in the context of security, Miller said Fico had been able to identify and follow up on a number of indicators of compromise that it would otherwise have missed.
“One of the biggest benefits has been in speeding up the process of prioritising security alerts in terms of severity, which in the past has typically taken a lot of time and resource,” she said.
“Analytics helps cut through all the noise and identify important indicators of compromise – like outbound traffic connecting to malware command and control servers – that would not be caught by other tools.
“While a security information and event management (Siem) system will tell you there is a needle somewhere in the haystack, analytics will point to the needle.”
Another key benefit has been the ability to identify insider threats by detecting anomalous behaviour, a capability Fico plans to refine even further.