by Anton Chuvakin
Security analytics – a topic as exciting and as fuzzy as ever! My 2015 research year starts from another dive into this area. However, how can I focus on something so fuzzy and … well … defocused? GTP approach implies that we “get specific” and not touch fuzzball topics ….
So, there is still no market called “security analytics”, but there are some areas where specificity is finally emerging (yay!). Below you will see two areas where the label of “security analytics” may actually apply in real life, and not in the realm of marketing wet dreams:
- Expanded Network Forensics (NFT) [see our NFT document, and my blog coverage] where the source data is primarily network session metadata (and raw packets, as needed), fused with other activity and context data; quite a few of the vendors renamed their NFT products into “security analytics” or built new platforms for network data analysis (as a sidenote, some vendors artfully mix NFT, ETDR/EDR and threat intel and thus became even less similar to their NFT roots – as it is no longer just network, and no longer just forensics but also a stream of DPI-decoded data). So, these tools have their own sensors, collect traffic and utilize both stored and stream analysis of network and other data.
- User Behavior Analytics (UBA) [see a document on UBA] where the sources are variable (often logs feature prominently, of course), but the analysis is focused on users, user accounts, user identities – and not on, say, IP addresses or hosts. Some form of SIEM and DLP post-processing where the primary source data is SIEM and/or DLP outputs and enhanced user identity data as well as algorithms characterize these tools. So, these tools may collect logs and context data themselves or from a SIEM and utilize various analytic algorithms to create new insight from that data.
As result, in my opinion, “children of NFT” and “evolved UBAs” (as described above) is probably where REAL security analytics will emerge. At the very least, this functionality seems to be converging on common needs (as I lamented in this post).
Of course, more broadly focused data analysis tools (whether centered on IT data search or entity analytics) have been used for security data analysis as well, usually by the Enlightened Few. These may also steal some of the security analytics thunder in the coming years.
And here is a trick question? How many of these #1 and #2 tools are adopted en masse today, beyond the “Type A of Type A” security elites? Yup, exactly
Now, my traditional call to action:
- Vendors, got anything to say about using big data methods for security and/or about whatever you consider security analytics? Here is a briefing link … you know what to do [reminder: to brief an analyst you do not need to be a Gartner client – so it is free]!
- Enterprises, got an “advanced algorithms and/or big data helps security” story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
- Consultants focused on analytics, got a fun security analytics story (maybe inspired by your recent project) to share? I’d love to hear it and can use or NOT use [if you so desire] the example in my upcoming paper.
For those with a GTP subscription, here are existing documents about the topic:
- “Security Information and Event Management Futures and Big Data Analytics for Security”
- “Network Forensics Tools and Operational Practicves”
- “Endpoint Threat Detection and Response Tools and Practices” (now the tools are renamed into EDR, so ETDR = EDR)
For those without a GTP subscription, here are the blog posts from my past research projects on …
Security analytics topic:
- Why No Security Analytics Market?
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
Network forensics topic: