With much trepidation, I am announcing the release of my “Demystifying Security Analytics: Sources, Methods and Use Cases” – a paper that took a few months of work to complete.
In brief, “Many security architects are pursuing security analytics, an ill-defined concept that presumably offers better insights and effective detection for advanced threats. Gartner provides a fact-based analysis of security analytics initiatives based on a framework of data sources, methods and use cases.”
Select fun quotes:
“As many organizations continue to struggle with utilizing traditional security tools […], the expectation that they will magically adopt security analytics approaches as well as big data technologies is questionable at best — the emerging tools make some tasks easier, but come with their own skill requirements.”
“Even in the analytics realm, security information and event management (SIEM) has a major role for collection, normalization and basic analysis of incoming data.”
“Many organizations express the desire to ‘get security analytics,’ but few are willing to commit resources to a lifetime pursuit of becoming data- and analytics-driven.”
“A combination of “lots of data — little insight” and the proliferation of persistent, professional attackers has left many defenders demoralized, defeated, and actively looking for ways to finally extract signals from ever-increasing noise.”
“Using the term “advanced” excessively should be left to vendor white papers, but the legitimate question remains: What constitutes advanced analysis? When organizations choose analytics tools, how can they judge how advanced they are, short of measuring the density of statistics jargon in the documentation?”
“At this time, there is not enough data on the comparative effectiveness of various analytic approaches and algorithms (implemented in vendor tools) versus current, real-world threats and problems.” <- this point is really important since “the plural of anecdote isn’t spelled ‘d-a-t-a’”….
Blog posts on the security analytics topic:
- The Future Is Here … And It Is … Network? Endpoint?
- Now That We Have All That Data What Do We Do, Revisited
- Who Validates Alerts Validated by Your Alert Validator Software?
- Killed by AI Much? A Rise of Non-deterministic Security!
- Those Pesky Users: How To Catch Bad Usage of Good Accounts
- Security Analytics Lessons Learned — and Ignored!
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market? <- important read for VCs and investors!
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
Blog posts announcing paper publication:
- My “How to Work With an MSSP to Improve Security” Paper Publishes
- Our “Selecting Security Monitoring Approaches by Using the Attack Chain Model” Publishes
- All My Research Published in 2014
- All My Research Published in 2013
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.