
Security Analytics Lessons Learned — and Ignored!

By Anton Chuvakin | February 09, 2015 | 2 Comments


As I was finishing the most excellent book “Data-Driven Security: Analysis, Visualization and Dashboards” (see book site also), one paragraph jumped out and bit me in the face – ouch! 🙂 Well, not really, but it literally forced me to write the below.

Specifically, in Chapter 12 there is a gem of a sidebar called “Building a Real-life Security Data Science Team” where “Bob” (presumably one of the authors) shares his lessons starting with security analytics. Here is the abridged quote of the lessons:

“Three core principles focused the team:

  • First, explore the open source versions of tools before engaging vendors. […]
  • Second, follow the mantra of “no single tool; no single database; and, no single approach to solving a problem.” […]
  • Third, failure is expected, but you must learn from each journey down the wrong path. Continuous adaptation and adjustment is the name of the game.

[…] Your team—and it is a team effort—will also be successful if they start with a question, are iterative and methodical in their approach, and never stop learning from their mistakes.”

Why did this quote make me scream!? Because …

  • it makes perfect sense, it is the logical thing to do, and it is also backed up by a lot of our own research into big data analytics successes (for example), and

Look at the above quote from the book, that lists the lessons, and then see this approach that I’ve heard from some organizations that want to start their journey towards security analytics:

  • Start from buying a commercial tool
  • Focus on buying “the best” tool, and blowing all the money on just one
  • Then praying that the tool “works”, while cowering in fear of failure.

In other words, exactly the opposite! What do you think their chances of success are?

So, one more time: Start from questions, from data — and NOT from products!

Blog posts on the security analytics topic:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Hi Anton,

    This occurs with many companies in the Brazilian IT market. The IT Director always buys an established solution to protect his job. It does not matter if this product will solve his problem; it only serves as an excuse in case of a failure.

    They are not concerned with all the options, new approaches or review procedures.


    Paulo Lopes

  • @Paulo Thanks for the comment. Indeed, that is common – and not just in Brazil 🙁