
My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes

By Anton Chuvakin | May 08, 2015 | 2 Comments


With much trepidation, I am announcing the release of my “Demystifying Security Analytics: Sources, Methods and Use Cases” – a paper that took a few months of work to complete.

In brief, “Many security architects are pursuing security analytics, an ill-defined concept that presumably offers better insights and effective detection for advanced threats. Gartner provides a fact-based analysis of security analytics initiatives based on a framework of data sources, methods and use cases.”

Select fun quotes:

  • “As many organizations continue to struggle with utilizing traditional security tools […], the expectation that they will magically adopt security analytics approaches as well as big data technologies is questionable at best — the emerging tools make some tasks easier, but come with their own skill requirements.”

  • “Even in the analytics realm, security information and event management (SIEM) has a major role for collection, normalization and basic analysis of incoming data.”

  • “Many organizations express the desire to ‘get security analytics,’ but few are willing to commit resources to a lifetime pursuit of becoming data- and analytics-driven.”

  • “A combination of “lots of data — little insight” and the proliferation of persistent, professional attackers has left many defenders demoralized, defeated, and actively looking for ways to finally extract signals from ever-increasing noise.”

  • “Using the term “advanced” excessively should be left to vendor white papers, but the legitimate question remains: What constitutes advanced analysis? When organizations choose analytics tools, how can they judge how advanced they are, short of measuring the density of statistics jargon in the documentation?”

  • “At this time, there is not enough data on the comparative effectiveness of various analytic approaches and algorithms (implemented in vendor tools) versus current, real-world threats and problems.” <- this point is really important since “the plural of anecdote isn’t spelled ‘d-a-t-a’”….


P.S. Gartner GTP access required. For those without ….

Blog posts on the security analytics topic:

Blog posts announcing paper publication:



  • Alex says:

    “Many security architects are pursuing security analytics”

    If the group probably *furthest* from quantitative output of security operations is the one “pursuing” security analytics, I guess we shouldn’t be surprised at either the tone of the report or observations made within.

    • Well… yeah. However, GTP practices (in general) provide research for architects and other technologists, not CIOs and expensive COTS tool buyers. I could have said “security technologist”, I guess. Would it be better?