As I was finishing the most excellent book “Data-Driven Security: Analysis, Visualization and Dashboards” (see the book site also), one paragraph jumped out and bit me in the face – ouch! 🙂 Well, not really, but it literally forced me to write the below.
Specifically, in Chapter 12 there is a gem of a sidebar called “Building a Real-life Security Data Science Team” where “Bob” (presumably one of the authors) shares his lessons from starting out with security analytics. Here is the abridged quote of the lessons:
“Three core principles focused the team:
- First, explore the open source versions of tools before engaging vendors. […]
- Second, follow the mantra of “no single tool; no single database; and, no single approach to solving a problem.” […]
- Third, failure is expected, but you must learn from each journey down the wrong path. Continuous adaptation and adjustment is the name of the game.
[…] Your team—and it is a team effort—will also be successful if they start with a question, are iterative and methodical in their approach, and never stop learning from their mistakes.”
Why did this quote make me scream!? Because …
- it makes perfect sense, it is the logical thing to do, and it is also backed up by a lot of our own research into big data analytics successes (for example), and
- IT IS EXACTLY THE OPPOSITE OF HOW MANY ORGANIZATIONS WANT TO START! (sorry for screaming here)
Look at the above quote from the book, which lists the lessons, and then compare it with this approach that I’ve heard from some organizations that want to start their journey towards security analytics:
- Start by buying a commercial tool
- Focus on buying “the best” tool, and blow all the money on just that one
- Then pray that the tool “works”, while cowering in fear of failure.
In other words, exactly the opposite! What do you think their chances of success are?
So, one more time: Start from questions, from data — and NOT from products!
Blog posts on the security analytics topic:
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market?
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?