
Security Analytics Webinar Questions – Answered

By Anton Chuvakin | September 29, 2015


As promised, I am posting selected Q&A from my recent security analytics webinar (recording is here somewhere). As a reminder, the topics were:

  • How to evolve beyond your SIEM to gain better insight from the data you have?
  • How to start a security analytics project?
  • Which security problems can be solved with big data?

BTW, I got A LOT of great questions [thanks a lot for asking them!!!] and answered some live after the webinar runs, but I am also re-answering some below for posterity. I am NOT answering the questions related to specific product recommendations (read our research for that!). There you have it!

Q Where do you see the future: Network or Endpoint focused analytics?
A The answer is probably in this blog post.

Q What kind of algorithms should we look for in vendors?
A That is a question that I have been agonizing over for quite some time, and at this point there does not seem to be enough operational success data [from organizations using various analytics tools] to point to specific algorithms that work well in security use cases. Some of the discussion of this is in this blog post – but reliable data on “what algorithm works best for what use cases under what circumstances?” is very much still in the future….

Q Do you foresee UBA, NTA [defined here – A.C.] and SIEM tools talking amongst themselves using a common language that can be put together for analysis?
A That is a fascinating question to ponder, but at this point I would say that as long as all of the products have APIs that allow sensible integrations for whatever tactical goal, that should be good enough [especially given that there is not much of a choice].

Q What are the top 3 Specific Problems companies should focus on solving?
A While I hate when people pontificate when asked a specific question, by god, I’m going to pontificate here! The list of specific problems you should focus on is based on your risks and the results of your risk assessment. No other answer is what I’d consider to be honest, useful advice – this is a little like asking a waiter in a restaurant “hey, what should I want?”

Q What about buying a pre-integrated platform similar to the one you described (based on Hadoop, Solr, etc.) from a vendor? So as to get a proven, scalable platform to build upon?
A Indeed, we have seen some of this happening where instead of assembling specific open source components, the company starts from a commercially available toolset, pre-integrated if you wish to call it that. However, in this case, the company should still spend the energy on the analytic algorithms and that takes hard work. Don’t assume you are buying a magic box full of analytics – you are just buying a lot of Lego pieces in one nice box…

Q Do you see Security Analytics tools like UBA replacing current SIEM technology in the future? How do you view SIEM vs. SA? Is it a proper evolution of SIEM products to SA, or is it more likely to be used together with SIEM (SIEM stays a separate technology)? What is the major difference between SIEM data and Security Analytics data? [several questions merged together]
A Today, we definitely do NOT – especially given that some of the analytic tools actually require that you have a SIEM already. Data collection and normalization, done by SIEM, took the vendors years if not decades to build. Over the longer term, we do see some convergence between SIEM and novel analytics vendors, such as via acquisitions. BTW, UBA vendors have discovered that SIEM is hard work (scalable and reliable collection!), but SIEM vendors have also discovered that UBA is hard work (picking and tuning algorithms!). For now, they need each other!

Q Aren’t the use cases of SIEM a kind of security analytics if you run them across historical data?
A Sort of, but not really. The difference is typically in the statistical and data science rigor that novel analytics vendors apply (fancy ML vs simple rules). Their approaches are dramatically different from simply running rules or naïve baselines over historical data (like “if volume grows by 10%, then alert”). See this post for some useful discussion.
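To make the contrast in the answer above concrete, here is an added example (mine, not from the post or from any vendor): the naive “if volume grows by 10%, then alert” rule placed beside a robust statistical baseline (median and MAD of a trailing window, scored as a modified z-score), both run over a constructed series of daily outbound-connection counts for one host. The data, the window length and the thresholds are assumptions chosen for illustration.

```python
"""Naive threshold rule vs. a robust statistical baseline over daily volumes.

Added example, not code from the original post. All data is constructed.
"""
from statistics import median

# Constructed daily counts of outbound connections from one host. Days 0-10
# show ordinary +/-10% day-to-day wobble; day 11 is the only real anomaly.
DAILY_VOLUMES = [100, 104, 98, 109, 95, 112, 101, 118, 99, 106, 103, 260]

MAD_SCALE = 0.6745  # makes MAD comparable to a standard deviation for normal data


def naive_alerts(volumes, growth=0.10, start=1):
    """The simple rule: 'if today's volume is more than 10% above yesterday's,
    alert'. Returns the indices of the days that fire. `start` lets the caller
    evaluate the rule over the same day range as the robust detector."""
    return [i for i in range(start, len(volumes))
            if volumes[i] > (1 + growth) * volumes[i - 1]]


def modified_zscore(x, history):
    """Iglewicz-Hoaglin modified z-score of x against a trailing window:
    0.6745 * (x - median) / MAD. Median and MAD resist the outliers that
    would drag a mean/std-dev baseline around."""
    med = median(history)
    mad = median([abs(v - med) for v in history])
    if mad == 0:
        # Flat history: any deviation at all is, by this score, infinitely
        # surprising; no deviation is not surprising. Avoids a ZeroDivisionError.
        return float("inf") if x != med else 0.0
    return MAD_SCALE * (x - med) / mad


def robust_alerts(volumes, window=5, threshold=3.5):
    """Alert when today's modified z-score against the previous `window` days
    exceeds `threshold` (3.5 is the customary cut-off for this score).
    Returns the indices of the days that fire."""
    return [i for i in range(window, len(volumes))
            if abs(modified_zscore(volumes[i], volumes[i - window:i])) > threshold]


if __name__ == "__main__":
    window = 5
    print("naive rule, all days:       ", naive_alerts(DAILY_VOLUMES))
    print("naive rule, same day range: ", naive_alerts(DAILY_VOLUMES, start=window))
    print("robust baseline:            ", robust_alerts(DAILY_VOLUMES, window=window))
    for i in range(window, len(DAILY_VOLUMES)):
        z = modified_zscore(DAILY_VOLUMES[i], DAILY_VOLUMES[i - window:i])
        print(f"day {i:2d} volume {DAILY_VOLUMES[i]:4d} modified z = {z:6.2f}")
```

On this constructed series the naive rule fires on three ordinary wobble days as well as on the real spike (two of those false alarms fall inside the same day range the robust detector evaluates), while the robust score fires only on the spike, because it judges today against the spread of the recent window rather than against a single prior day. The `mad == 0` branch is the edge case worth keeping: a perfectly flat history would otherwise divide by zero.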

Q What is your current view on the ‘Security Analytics market’? Has the market consolidated over the past couple of months, or is it still a lot like it was before? Is it still about UBA and Network?
A The answer to this is still in this blog post.

Q What is the best data to collect and analyze if you want to prevent intrusions from outside parties? What is the best data to collect and analyze if you want to prevent internal bad actors?
A I have struggled to answer this question in any kind of short manner, apart from “all data” (which isn’t entirely useful to many) or “all relevant data.” Let me give you a somewhat hand-waving answer – lately, firewall (outbound connection logs), web proxy and client (ideally, ETDR / EDR), and VPN logs have been found to be very useful for detecting outside intrusions. Any and all authentication and access logs, typically enriched with identity information have been useful for detecting some internal [i.e. by actual trusted insiders] malice.
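The second half of the answer above (authentication and access logs enriched with identity information) is the kind of thing that is easy to describe and useful to see run. Here is an added example, mine and not from the post or any vendor, that joins a constructed authentication log to a constructed identity feed and asset inventory and applies three identity-aware rules: a terminated account still logging on, a user reaching a system owned by another department, and one account used from several source hosts in a short window (a shared-account indicator). The log format, the rules and the thresholds are assumptions for illustration, not a recommendation of any specific use case set.

```python
"""Enrich authentication logs with identity data and run insider-style detections.

Added example, not code from the original post. Log lines, identity records,
asset inventory and rule thresholds below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity feed, the sort of thing an HR or IdM export supplies.
IDENTITY = {
    "jdoe":       {"dept": "finance",     "status": "active"},
    "asmith":     {"dept": "engineering", "status": "active"},
    "mlee":       {"dept": "hr",          "status": "terminated"},
    "svc_backup": {"dept": "it",          "status": "active"},
}

# Constructed asset inventory: which department owns each system.
SYSTEM_OWNER = {"fin-db-01": "finance", "git-01": "engineering",
                "hr-app": "hr", "backup-01": "it"}

# Constructed authentication events in a simple key=value line format.
AUTH_LOG = """\
2015-09-29T08:01:02Z host=fin-db-01 user=jdoe src=10.1.1.20 result=success
2015-09-29T08:03:10Z host=git-01 user=asmith src=10.2.2.30 result=success
2015-09-29T08:04:45Z host=fin-db-01 user=asmith src=10.2.2.30 result=success
2015-09-29T08:05:00Z host=hr-app user=mlee src=10.3.3.40 result=success
2015-09-29T08:06:11Z host=backup-01 user=svc_backup src=10.1.1.20 result=success
2015-09-29T08:07:22Z host=backup-01 user=svc_backup src=10.2.2.30 result=success
2015-09-29T08:09:33Z host=backup-01 user=svc_backup src=10.3.3.99 result=success
2015-09-29T08:10:00Z host=fin-db-01 user=jdoe src=10.1.1.20 result=failure
2015-09-29T08:11:00Z host=git-01 user=unknown_user src=10.9.9.9 result=success
"""

SHARED_WINDOW = timedelta(minutes=10)  # assumed window for the shared-account rule
SHARED_MIN_SOURCES = 3                 # assumed distinct-source threshold


def parse_line(line):
    """Parse '<ISO timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Return a list of (rule, user, detail) alerts, per-event rules first in
    log order, then the per-user shared-account rule."""
    alerts = []
    per_user = defaultdict(list)  # user -> [(ts, src), ...] for successful logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] != "success":
            continue  # failed logons are a separate use case; not covered here
        user, host = ev["user"], ev["host"]
        ident = IDENTITY.get(user)
        if ident is None:
            # Enrichment failed: an account with no owner in the identity feed.
            alerts.append(("no-identity-record", user,
                           f"successful logon to {host} by account absent from identity feed"))
            continue
        if ident["status"] == "terminated":
            alerts.append(("terminated-account-login", user,
                           f"successful logon to {host} after termination"))
        owner = SYSTEM_OWNER.get(host)
        # IT is assumed to administer everything, so it is exempt from this rule.
        if ident["dept"] != "it" and owner is not None and owner != ident["dept"]:
            alerts.append(("cross-department-access", user,
                           f"{ident['dept']} user on {host} (owned by {owner})"))
        per_user[user].append((ev["ts"], ev["src"]))

    for user, events in per_user.items():
        events.sort()
        for j, (t_end, _) in enumerate(events):
            # Distinct source hosts seen in the window ending at this event.
            sources = {src for t, src in events[:j + 1] if t_end - t <= SHARED_WINDOW}
            if len(sources) >= SHARED_MIN_SOURCES:
                alerts.append(("shared-account", user,
                               f"{len(sources)} source hosts within {SHARED_WINDOW}: "
                               f"{sorted(sources)}"))
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(AUTH_LOG):
        print(f"{rule:26s} {user:12s} {detail}")
```

Each rule depends on a field the raw authentication event does not carry (employment status, department, system ownership), which is the point of the enrichment step: the same log lines without the identity join would support only the shared-account rule. The `no-identity-record` case is worth keeping as its own alert, since an account that authenticates successfully but is unknown to the identity feed is itself a finding.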

Q At what level in an organization do security analytics serve? Are they aimed at the C-level to make decisions or at the operational level to run the shop?
A Both – we have seen examples where the security analytics capability serves both the strategic (what to do to reduce risk) and tactical/operational (how to detect threat X) data-driven security needs.

Q What do you think are the most important capabilities/characteristics that a Security Analytics solution should provide, if you go the ‘buy’ way?
A The answer to this question is probably in this paper and this paper [Gartner access reqd]; at this point, the technologies in the domain are changing too quickly to create a canonical list of critical capabilities. UBA / UEBA tools may get there first.

Q How effectively has security analytics or UBA worked so far from your knowledge? Have these products found attacks?
A Ah, a most excellent question! Some of this discussion is in this blog post. Generally, we have seen real operational successes, mostly related to detecting compromised employee accounts, account access abuse, shared accounts, etc.

Q Would you think that people working on Security Analytics should be mathematicians or security professionals or a blend?
A Some organizations have reported success with pairing a security professional with a data scientist (likely borrowed from another business unit). Other organizations that went the ‘buy’ route report that for well-packaged vendor use cases, statistics or data science resources were not needed – but they were certainly required to refine the use cases and/or to create new ones.

Q Do you expect the “tools” in this space to converge into a single category over time? Log-based “user” anomaly detection? Network based anomaly detection? Endpoint detection?
A Probably not in the short-term – it seems like the user-focused (UBA or UEBA) and traffic-focused (NTA) are staying somewhat separate. This post sheds some more light on it.

Q How would you describe the core competencies of an effective security data science [team]?
A I cannot think of a way to answer this question quickly, and it will probably justify an entire webinar. Some – but definitely not to the depth some people require – discussion of this is included in this paper [Gartner GTP access reqd].

Q Have you done any analysis of IAM specific analytic tools? Who is doing good work in this area?
A A peer team to our team at Gartner GTP is doing a project on IAM-focused analytics, which they label IAI (UBA is analytics for user-centric threats, while IAI is analytics for improving IAM and IdM).
