Gartner Blog Network


Security Analytics Lessons Learned — and Ignored!

by Anton Chuvakin  |  February 9, 2015  |  3 Comments

As I was finishing the most excellent book “Data-Driven Security: Analysis, Visualization and Dashboards” (see book site also), one paragraph jumped out and bit me in the face – ouch! :-) Well, not really, but it literally forced me to write the below.

Specifically, in Chapter 12 there is a gem of a sidebar called “Building a Real-life Security Data Science Team” where “Bob” (presumably one of the authors) shares his lessons from starting with security analytics. Here is the abridged quote of the lessons:

“Three core principles focused the team:

  • First, explore the open source versions of tools before engaging vendors. […]
  • Second, follow the mantra of “no single tool; no single database; and, no single approach to solving a problem.” […]
  • Third, failure is expected, but you must learn from each journey down the wrong path. Continuous adaptation and adjustment is the name of the game.

[…] Your team—and it is a team effort—will also be successful if they start with a question, are iterative and methodical in their approach, and never stop learning from their mistakes.”

Why did this quote make me scream!? Because …

  • it makes perfect sense, it is the logical thing to do, and it is also backed up by a lot of our own research into big data analytics successes (for example), and
  • IT IS EXACTLY THE OPPOSITE OF HOW MANY ORGANIZATIONS WANT TO START! (sorry for screaming here)

Look at the quote above from the book, which lists the lessons, and then compare the approach I’ve heard from some organizations that want to start their journey toward security analytics:

  • Start by buying a commercial tool
  • Focus on buying “the best” tool, and blow all the money on just one
  • Then pray that the tool “works”, while cowering in fear of failure.

In other words, exactly the opposite! What do you think their chances of success are?

So, one more time: Start from questions, from data — and NOT from products!


Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Security Analytics Lessons Learned — and Ignored!


  1. Hi Anton,

    This occurs with many companies in the Brazilian IT market. The IT Director always buys an established solution to protect his job. It does not matter if this product will solve his problem; it only serves as an excuse in case of a failure.

    They are not concerned with all the options, new approaches or review procedures.

    Regards

    Paulo Lopes

  2. @Paulo Thanks for the comment. Indeed, that is common – and not just in Brazil :-(
