Pardon the idiotic title, but some recent discussions around security analytics have made this question practically relevant.
- You have a SIEM and other security technologies focused on detection and alerting
- As a result, you have lots of security alerts – and you think it is too damn many!
- You don’t have enough people to tune the systems that produced the alerts so that they produce fewer/better alerts
- Also, you do not have enough skilled SIEM people to triage / validate the alerts
- Instead, you want to buy a new, “magic bullet” tool that promises to “make better alerts”
- Your security budget: $$$$$. Budget after the magic tool purchase: $$
- The magic tool is deployed and – abracadabra! – your 23,543 alerts become 17 alerts
- What just happened? Where did they go?!
- Now you need skilled people to a) confirm that alerts that remained really do matter, b) that these alerts matter the most to you and also to c) confirm that alerts that vanished don’t matter
- If a), b) and c) are not to your perfect satisfaction, you now need skilled people to tune the new tool.
- Result? You bought a new tool to avoid hiring people, and now you need to hire people to run this tool. In fact, you needed, 3 security analysts @ $80K/year, and now you need a security data scientist @ $240K/year …
- Explain :–)
On a more serious note, we make a lot of exciting predictions on the rise of smart machines, but for the foreseeable future said machines will require smart people to run them …
Blog posts on the security analytics topic:
- Killed by AI Much? A Rise of Non-deterministic Security!
- SIEM / DLP Add-on Brain
- Those Pesky Users: How To Catch Bad Usage of Good Accounts
- Security Analytics Lessons Learned — and Ignored!
- Security Analytics: Projects vs Boxes (Build vs Buy)?
- Do You Want “Security Analytics” Or Do You Just Hate Your SIEM?
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market?
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.