As I was finishing the most excellent book “Data-Driven Security: Analysis, Visualization and Dashboards“ (see book site also), one paragraph jumped out and bit me in the face – ouch! Well, not really, but it literally forced me to write the below.
Specifically, in Chapter 12 there is a gem of a sidebar called “Building a Real-life Security Data Science Team” where “Bob” (presumably one of the authors) shares his lessons from starting out with security analytics. Here is the abridged quote of the lessons:
“Three core principles focused the team:
- First, explore the open source versions of tools before engaging vendors. […]
- Second, follow the mantra of “no single tool; no single database; and, no single approach to solving a problem.” […]
- Third, failure is expected, but you must learn from each journey down the wrong path. Continuous adaptation and adjustment is the name of the game.
[…] Your team—and it is a team effort—will also be successful if they start with a question, are iterative and methodical in their approach, and never stop learning from their mistakes.”
Why did this quote make me scream!? Because …
- it makes perfect sense, it is the logical thing to do, and it is also backed up by a lot of our own research into big data analytics successes (for example), and
- IT IS EXACTLY THE OPPOSITE OF HOW MANY ORGANIZATIONS WANT TO START! (sorry for screaming here)
Look at the lessons listed in the quote above, and then compare them with the approach I’ve heard from some organizations that want to start their journey towards security analytics:
- Start by buying a commercial tool
- Focus on buying “the best” tool, and blow all the money on just one
- Then pray that the tool “works”, while cowering in fear of failure.
In other words, exactly the opposite! What do you think their chances of success are?
So, one more time: Start from questions, from data — and NOT from products!
Blog posts on the security analytics topic:
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market?
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.