Gartner Blog Network


Security Analytics – Finally Emerging For Real?

by Anton Chuvakin  |  January 12, 2015  |  2 Comments

Security analytics – a topic as exciting and as fuzzy as ever! My 2015 research year starts from another dive into this area. However, how can I focus on something so fuzzy and … well … defocused? GTP approach implies that we “get specific” and not touch fuzzball topics ….

So, there is still no market called “security analytics”, but there are some areas where specificity is finally emerging (yay!). Below you will see two areas where the label of “security analytics” may actually apply in real life, and not in the realm of marketing wet dreams:

  1. Expanded Network Forensics (NFT) [see our NFT document, and my blog coverage] where the source data is primarily network session metadata (and raw packets, as needed), fused with other activity and context data; quite a few of the vendors renamed their NFT products into “security analytics” or built new platforms for network data analysis (as a sidenote, some vendors artfully mix NFT, ETDR/EDR and threat intel and thus became even less similar to their NFT roots – as it is no longer just network, and no longer just forensics but also a stream of DPI-decoded data). So, these tools have their own sensors, collect traffic and utilize both stored and stream analysis of network and other data.
  2. User Behavior Analytics (UBA) [see a document on UBA] where the sources are variable (often logs feature prominently, of course), but the analysis is focused on users, user accounts, user identities – and not on, say, IP addresses or hosts. Some form of SIEM and DLP post-processing where the primary source data is SIEM and/or DLP outputs and enhanced user identity data as well as algorithms characterize these tools. So, these tools may collect logs and context data themselves or from a SIEM and utilize various analytic algorithms to create new insight from that data.

As result, in my opinion, “children of NFT” and “evolved UBAs” (as described above) is probably where REAL security analytics will emerge. At the very least, this functionality seems to be converging on common needs (as I lamented in this post).

Of course, more broadly focused data analysis tools (whether centered on IT data search or entity analytics) have been used for security data analysis as well, usually by the Enlightened Few. These may also steal some of the security analytics thunder in the coming years.

And here is a trick question? How many of these #1 and #2 tools are adopted en masse today, beyond the “Type A of Type A” security elites? Yup, exactly :-)

Now, my traditional call to action:

  • Vendors, got anything to say about using big data methods for security and/or about whatever you consider security analytics? Here is a briefing link … you know what to do [reminder: to brief an analyst you do not need to be a Gartner client – so it is free]!
  • Enterprises, got an “advanced algorithms and/or big data helps security” story – either a WIN story or a FAIL story – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
  • Consultants focused on analytics, got a fun security analytics story (maybe inspired by your recent project) to share? I’d love to hear it and can use or NOT use [if you so desire] the example in my upcoming paper.

For those with a GTP subscription, here are existing documents about the topic:

For those without a GTP subscription, here are the blog posts from my past research projects on …

Security analytics topic:

Network forensics topic:

Category: analytics  announcement  monitoring  network-forensics  security  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Security Analytics – Finally Emerging For Real?


  1. dell servers says:

    Nowadays, personal computer observer happen broke down straight into CRT
    as well as LCD screen. CRT examine lives pre-loaded with a CRT keep
    an eye on seem to be after that am aware of reminiscent on the TUBE.

    The most important hardships add the stress along
    with dimension. In recent years, survive essentially broken down out from the took advantage of
    (except using zastosowanimi of which banish product beat) for LCD screen, that is charactered with the
    fruit juice gem panel, which often substituted the appreciated CRT
    perfect example tube. The cost with the minor aspects from the
    apparatus is frequently let down icon condition.

  2. […] bigger pain than tuning a SIEM) in order to create additional insight from SIEM and DLP outputs. As I hypothesize, UBA is where a broader-scope security analytics tooling may eventually […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.