My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes

By Anton Chuvakin | May 08, 2015


With much trepidation, I am announcing the release of my “Demystifying Security Analytics: Sources, Methods and Use Cases” – a paper that took a few months of work to complete.

In brief, “Many security architects are pursuing security analytics, an ill-defined concept that presumably offers better insights and effective detection for advanced threats. Gartner provides a fact-based analysis of security analytics initiatives based on a framework of data sources, methods and use cases.”

Select fun quotes:

  • “As many organizations continue to struggle with utilizing traditional security tools […], the expectation that they will magically adopt security analytics approaches as well as big data technologies is questionable at best — the emerging tools make some tasks easier, but come with their own skill requirements.”

  • “Even in the analytics realm, security information and event management (SIEM) has a major role for collection, normalization and basic analysis of incoming data.”

  • “Many organizations express the desire to ‘get security analytics,’ but few are willing to commit resources to a lifetime pursuit of becoming data- and analytics-driven.”

  • “A combination of ‘lots of data — little insight’ and the proliferation of persistent, professional attackers has left many defenders demoralized, defeated, and actively looking for ways to finally extract signals from ever-increasing noise.”

  • “Using the term ‘advanced’ excessively should be left to vendor white papers, but the legitimate question remains: What constitutes advanced analysis? When organizations choose analytics tools, how can they judge how advanced they are, short of measuring the density of statistics jargon in the documentation?”

  • “At this time, there is not enough data on the comparative effectiveness of various analytic approaches and algorithms (implemented in vendor tools) versus current, real-world threats and problems.” <- this point is really important, since “the plural of anecdote isn’t spelled ‘d-a-t-a’”….


P.S. Gartner GTP access required. For those without ….

Blog posts on the security analytics topic:

Blog posts announcing paper publication:


  • Alex says:

    “Many security architects are pursuing security analytics”

    If the group probably *furthest* from quantitative output of security operations is the one “pursuing” security analytics, I guess we shouldn’t be surprised at either the tone of the report or observations made within.

    • Well… yeah. However, GTP practices (in general) provide research for architects and other technologists, not CIOs and expensive COTS tool buyers. I could have said “security technologist”, I guess. Would it be better?