Getting the most out of big data sets and seemingly unrelated security information
As more CISOs lean on data scientists to discover new threats in security feeds, and as more IT security departments institute security analytics programs, infosec pros have started to reap the obvious benefits of security analytics. Most evident among them is broader and deeper visibility into IT security data sources, which in turn offers a better understanding of security risks and faster response times.
But as security programs mature their analytics practices, they often find themselves surprised by the distinct benefits they start seeing from programmatic exploration of security-related data feeds. Here are just a few of the top positive surprises.
1. Uncover Data Leaks You’d Never Guess You Had
One of the first jolts that security analytics programs may give your organization is concrete evidence of data leaks it never before suspected were happening.
“The one that comes up regularly is that they discover leaks that have been ongoing for some time,” says Matthew Gardiner, senior product marketing manager for RSA.
As he explains, this isn't necessarily a leak at the hands of some kind of complicated nation-state spying, or even data being stolen by a crime syndicate.
“They’re just leaks caused by data moving out of the enterprises to places the organization didn’t know about, didn’t expect and maybe doesn’t like,” he explains. “The question then is figuring out what to do about that flow of data at that point.”
2. Sniff Out Questions You Didn’t Know Needed Asking Before
The huge volume of unstructured data pumped out by IT infrastructure and security tools makes it difficult for security analysts even to begin querying that data for answers to common questions about the organization's risk posture. The simple act of organizing an analytics program to answer those obvious questions may turn up unexpected returns, as other patterns emerge that answer questions the team never thought to ask.
“Often companies may not know exactly what they are looking for or what exact problem they want to solve before the data is stored and made accessible,” says Dan Hubbard, CTO of OpenDNS. “Analytics can uncover security intelligence and capabilities that we would otherwise have no way of knowing is possible.”
What’s more, visualizing those trends can also help communicate risks to the business and start collaboration with business leaders, who may come up with their own important questions to be answered from data that was never as accessible before analytics.
“They start to ask good questions, so it gives a different perspective on not only what you should be looking at but how you should be looking at it,” says Ron Schlecht, managing partner for security service provider BTB Security. “It’s a good way to collaborate with different business leaders and it starts to pull together why security is important to the overall organization.”
3. Make Connections Between Data Sources You Might Not Have Made Before
Security analytics programs will often start making associations between data sources that a security team might never have uncovered on its own.
“Most security analytics programs require feeding data from multiple sources into a single engine for processing to look at patterns and anomalies,” says Corey Lanum, general manager for North America at Cambridge Intelligence. “When I’m working with customers who are loading in data from disparate sources, they will often immediately see connections between individual data elements that were previously stored in different databases and had no connection.”
For example, one police agency his firm worked with extended its security analytics engine to information sources about offenders and crime, drawing on everything from 911 call records to jail records.
“After loading in their crime reports and pawn shop records, we immediately started to see connections,” Lanum says. “It was immediately obvious that stolen property was being sold at pawn shops in the same general neighborhood of the theft. We generated leads on several burglaries on the first day we were using the software.”
This kind of modeling translates readily to finding connections between disparate parts of the network, different departments' information, and so on.
4. Discover Operational IT Issues You Never Knew Were There
The benefits of security analytics programs may well extend beyond IT security into IT operations. In many cases, the modeling and dot-connecting performed on security data can uncover IT operational problems that could impact availability, workflow and efficiency department-wide.
“One benefit that has surprised many companies is that the security analytics have also helped find operational IT issues, likely due to the sheer volume of information and depth of insight that can be gained with a proper analytics program,” Schlecht says.
For example, when he worked in-house years ago, he found that a new analytics program not only helped identify security issues but also pinpointed development issues in the company’s applications that were draining many hours of troubleshooting from its dev team. A look at application and security event logs for something completely unrelated ended up revealing the root cause of the developers' frustration.
5. Find Policy Violations You Didn’t Know Were Happening
Another beneficial surprise offered up by analytics, one that can be a bit of a double-edged sword, is the discovery of policy violations across the organization. They aren’t always malicious, but they are there, and the difficult thing is that once the team has seen these violations it can’t unsee them, however inconvenient the response may be.
“You hear about rogue cloud services and with analytics you’ll see they’re very real,” Gardiner says. “It’s beneficial because you have better visibility, but you can’t be an ostrich once you see it. You have to do something about it and make the determination of whether it’s important and whether you have to investigate it and respond.”
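Sections 1, 3 and 5 above describe the same underlying move: feeding feeds that were never joined before (who had which IP, what each machine talked to, which department owns it, which destinations are sanctioned) into one engine and letting the connections fall out. The script below is an added example, not code from the article or from any vendor it quotes, showing that correlation in plain Python. The DHCP lease lines, proxy CONNECT lines, asset inventory and sanctioned-destination list are all constructed sample data; the line formats and the field names are assumptions chosen for the example, not any product's real log format. It handles the awkward case that makes naive joins wrong, an IP address reassigned to a different user later in the day, by picking the lease that was current at the time of each proxy event.

```python
"""Correlate DHCP leases, proxy logs and an asset inventory to surface outbound
data flows to destinations nobody sanctioned. Added example with constructed data."""
import re
from collections import defaultdict
from datetime import datetime

# --- Constructed sample feeds (assumed formats, not any real product's logs) ---
DHCP_LINES = [
    "2024-03-04T07:55:00 lease 10.0.5.21 host=lt-acct-07 user=jdoe",
    "2024-03-04T07:58:30 lease 10.0.5.22 host=lt-eng-03 user=asmith",
    "2024-03-04T12:10:00 lease 10.0.5.21 host=lt-hr-02 user=mlee",  # same IP, new owner
    "garbage line that should be skipped",
]
PROXY_LINES = [
    "2024-03-04T09:14:02 10.0.5.21 CONNECT crm.example.com:443 bytes_out=20480",
    "2024-03-04T09:20:45 10.0.5.21 CONNECT files.unknown-share.example:443 bytes_out=734003200",
    "2024-03-04T10:02:11 10.0.5.22 CONNECT files.unknown-share.example:443 bytes_out=1048576",
    "2024-03-04T13:05:40 10.0.5.21 CONNECT paste.unknown-share.example:443 bytes_out=4194304",
]
ASSET_INVENTORY = {"lt-acct-07": "Accounting", "lt-eng-03": "Engineering", "lt-hr-02": "HR"}
SANCTIONED_DESTINATIONS = {"crm.example.com", "mail.example.com"}

DHCP_RE = re.compile(r"^(?P<ts>\S+) lease (?P<ip>\S+) host=(?P<host>\S+) user=(?P<user>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) CONNECT (?P<dest>[^:\s]+):\d+ bytes_out=(?P<bytes>\d+)$")


def parse_dhcp(lines):
    """Parse lease lines into dicts sorted by start time; malformed lines are skipped."""
    leases = []
    for line in lines:
        m = DHCP_RE.match(line)
        if m:
            leases.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "host": m["host"], "user": m["user"]})
    leases.sort(key=lambda lease: lease["ts"])
    return leases


def parse_proxy(lines):
    """Parse proxy CONNECT lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "dest": m["dest"], "bytes_out": int(m["bytes"])})
    return events


def lease_for(leases, ip, ts):
    """Return the most recent lease for ip that started at or before ts, or None."""
    current = None
    for lease in leases:            # ascending by start time, so later matches win
        if lease["ts"] > ts:
            break
        if lease["ip"] == ip:
            current = lease
    return current


def correlate(proxy_lines, dhcp_lines, inventory, sanctioned):
    """Join proxy events to the user/host active at that moment and to the owning
    department, keeping only flows to destinations that are not sanctioned."""
    leases = parse_dhcp(dhcp_lines)
    rows = []
    for ev in parse_proxy(proxy_lines):
        if ev["dest"] in sanctioned:
            continue
        lease = lease_for(leases, ev["ip"], ev["ts"])
        host = lease["host"] if lease else "unknown-host"
        user = lease["user"] if lease else "unknown-user"
        rows.append({"ts": ev["ts"], "ip": ev["ip"], "host": host, "user": user,
                     "dept": inventory.get(host, "unknown-dept"),
                     "dest": ev["dest"], "bytes_out": ev["bytes_out"]})
    return rows


def summarize_by_dest(rows):
    """Aggregate unsanctioned flows per destination: total bytes and departments involved."""
    totals = defaultdict(lambda: {"bytes_out": 0, "departments": set()})
    for r in rows:
        totals[r["dest"]]["bytes_out"] += r["bytes_out"]
        totals[r["dest"]]["departments"].add(r["dept"])
    return dict(totals)


def flag_large_flows(rows, threshold_bytes):
    """Return (user, dest) pairs whose cumulative outbound volume meets the threshold."""
    per_pair = defaultdict(int)
    for r in rows:
        per_pair[(r["user"], r["dest"])] += r["bytes_out"]
    return sorted(pair for pair, total in per_pair.items() if total >= threshold_bytes)


if __name__ == "__main__":
    rows = correlate(PROXY_LINES, DHCP_LINES, ASSET_INVENTORY, SANCTIONED_DESTINATIONS)
    for dest, info in summarize_by_dest(rows).items():
        print(f"{dest}: {info['bytes_out']} bytes out from {sorted(info['departments'])}")
    print("large flows:", flag_large_flows(rows, 100 * 1024 * 1024))
```

The value of the join is in the third proxy event at 13:05: a naive IP-to-user lookup would attribute that upload to jdoe in Accounting, whereas the lease that was current at that time belongs to mlee in HR. The per-destination summary is what turns individual events into the "data moving out of the enterprise to places the organization didn't know about" finding the article describes: one unsanctioned file-sharing host is receiving data from two departments at once, which no single team's view would have shown.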