Too Much Security Data Or Not Enough?

Addressing the paradox of security analytics challenges

As security gurus and professional surveys try to examine the stumbling blocks that await organizations seeking to mature their security analytics programs, enterprises' complaints seem to be at odds with one another. On one hand, organizations say they have too much security data and too many types of data to sift through and analyze in a timely fashion. On the other hand, they also say they don't have enough data on hand to make analytics-based security decisions.

So what gives? According to some experts, the seeming contradiction may well be the cracks showing in the old model of collecting security information and aggregate analysis through traditional tools like log management and security information and event management (SIEM).

"I remember the days where as security professionals we would have to go out and specifically ask for more and more data. Well, now we have it," says Dave Shackleford, principal consultant for Voodoo Security and a SANS analyst. "We have a lot of types of data. You have all these various formats, not all of which are natively compatible with your SIEM platform."

[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]

Just recently, SANS released the results of its security analytics survey, an iteration of what was once its annual log management survey. As it found in years past, organizations rely heavily on log management and SIEM platforms that can't handle the deluge of data fed into them, Shackleford says. At the same time, when the survey asked participants what their biggest challenges were in discovering and following up on attacks, they said the top problem was a gap in security data that they needed.

"Hands down, it was not getting some of right data. So we still feel like we're missing some of the key data sets in our environments, even with the deluge of the data that we have," Shackleford says, explaining that organizations also said they lacked system or vulnerability awareness and context around the data to observe normal data. "Without those, it is very difficult to tell that bigger, better story around what's happening in your infrastructure, and that's exactly the type of problem that analytics platforms are looking and trying to solve."

Part of the reason why organizations are finding they're contending with too much data and not enough data at the same time is because they're collecting in an upside-down process, says Ryan Stolte, CTO of Bay Dynamics.

"The bad assumption is that we should start with the data and focus on aggregating it and bring in it all into the same repository. When you start just by grabbing whatever data you can find and then hoping to get insight out of it later, it's a long, expensive process and an upside-down approach," he says.

Instead, organizations should be asking business and security questions first and looking for the data that will help answer them.

"You have to know what questions you're trying to ask before you start going out and fetching data for it," he says. "People have spent a tremendous amount of money consolidating data and never had a plan for what they were going to do it."

In the same vein, Stolte says that organizations have a hard time acting on data, even if it is the right information, when they rely too heavily on SIEM.

"It's a common mistake trying to aggregate everything through SIEM. But it is only giving you one perspective and very commonly ends up being a black hole of information that is not actionable," he says.

According to Shackleford, SANS has seen organizations seek to move beyond just SIEM to analyze data and shift into more robust analytics techniques and platforms.

"We definitely see trends and the market is ready for this -- people have this need for analytics and intelligence wrapped together in these larger data sets," he says, explaining that at the same time only about 10 percent of organizations are confident in their intelligence and analytics capabilities. "Most people are still using traditional techniques, still using log management and SIEM platforms to pull all this together. So I say today analytics is still pretty much in its infancy. There's a lot of room for growth."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio