Too Much Security Data Or Not Enough?

  /     /     /  
Publicated : 22/11/2024   Category : security


Too Much Security Data Or Not Enough?


Addressing the paradox of security analytics challenges



As security gurus and professional surveys try to examine the stumbling blocks that await organizations seeking to mature their security analytics programs, enterprises complaints seem to be at odds with one another. On one hand, organizations say they have too much security data and too many types of data to sift through and analyze in a timely fashion. On the other hand, they also say they dont have enough data on hand to make analytics-based security decisions.
So what gives? According to some experts, the seeming contradiction may well be the cracks showing in the old model of collecting security information and aggregate analysis through traditional tools like log management and security information and event management (SIEM).
I remember the days where as security professionals we would have to go out and specifically ask for more and more data. Well, now we have it, says Dave Shackleford, principal consultant for Voodoo Security and a SANS analyst. We have a lot of types of data. You have all these various formats, not all of which are natively compatible with your SIEM platform.
[Your organizations been breached. Now what? See
Establishing The New Normal After A Breach
.]
Just recently, SANS released the results of its
security analytics survey
, an iteration of what was once its annual log management survey. As it found in years past, organizations rely heavily on log management and SIEM platforms that cant handle the deluge of data fed into them, Shackleford says. At the same time, when the survey asked participants what their biggest challenges were in discovering and following up on attacks, they said the top problem was a gap in security data that they needed.
Hands down, it was not getting some of right data. So we still feel like were missing some of the key data sets in our environments, even with the deluge of the data that we have, Shackleford says, explaining that organizations also said they lacked system or vulnerability awareness and context around the data to observe normal data. Without those, it is very difficult to tell that bigger, better story around whats happening in your infrastructure, and thats exactly the type of problem that analytics platforms are looking and trying to solve.
Part of the reason why organizations are finding theyre contending with too much data and not enough data at the same time is because theyre collecting in an upside-down process, says Ryan Stolte, CTO of Bay Dynamics.
The bad assumption is that we should start with the data and focus on aggregating it and bring in it all into the same repository. When you start just by grabbing whatever data you can find and then hoping to get insight out of it later, its a long, expensive process and an upside-down approach, he says.
Instead, organizations should be asking business and security questions first and looking for the data that will help answer them.
You have to know what questions youre trying to ask before you start going out and fetching data for it, he says. People have spent a tremendous amount of money consolidating data and never had a plan for what they were going to do it.
In the same vein, Stolte says that organizations have a hard time acting on data, even if it is the right information, when they rely too heavily on SIEM.
Its a common mistake trying to aggregate everything through SIEM. But it is only giving you one perspective and very commonly ends up being a black hole of information that is not actionable, he says.
According to Shackleford, SANS has seen organizations seek to move beyond just SIEM to analyze data and shift into more robust analytics techniques and platforms.
We definitely see trends and the market is ready for this -- people have this need for analytics and intelligence wrapped together in these larger data sets, he says, explaining that at the same time only about 10 percent of organizations are confident in their intelligence and analytics capabilities. Most people are still using traditional techniques, still using log management and SIEM platforms to pull all this together. So I say today analytics is still pretty much in its infancy. Theres a lot of room for growth.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Too Much Security Data Or Not Enough?