The Promise (and Challenges) of Cybersecurity Analytics
Cybersecurity threats can develop quickly, and teams must react to them in near-real-time to prevent substantial harm. As a result, many organizations are turning to cybersecurity analytics to accelerate threat detection capabilities.
Analytics hold the promise of enabling better security performance, but they must be built on a solid foundation. Organizations often adopt analytics tools without first laying the critical groundwork of standardized data classification, measurement of data quality, and effective data governance.
The result: Many organizations struggle to derive meaningful insights from cybersecurity analytics due to data quality issues. In a recent study, respondents reported significant gaps between what they expected their security analytics tool would detect and what it actually detected, and 66 percent of respondents blamed their sub-optimal performance on fundamental data quality issues.
Targeted Cybersecurity Analytics
It’s no surprise that deriving security insights from low-quality data will consistently disappoint. We also recognize that most organizations generate massive amounts of security data, which makes a single, comprehensive, organization-wide data improvement process unrealistic.
We therefore recommend an iterative approach: rapidly improve the quality of the data that yields the most valuable security insights first, in three steps:
Step 1: Analyze Data Criticality
First, focus on improving your most critical data. To identify this, consider the exact security outcomes that you seek. List these high priority outcomes and prioritize them by estimating the probability and impact of each. Then, look at your most valuable outcomes, define how detection can support them, and determine which of your specific data elements will contribute the most direct value.
For example, you might determine that your organization’s highest security priority relates to detecting malicious user activity. In that case, it will make sense to begin by focusing on end user behavior data. This data can include network and authentication logs, user activity logs, access by geographical location, session durations, and many other data elements. While this list may be long, it will help you identify security data that will be most critical to improve.
Step 2: Prioritize Quality Improvement Opportunities
Second, identify “low hanging fruit” opportunities. You will most likely have a large list of valuable data sets that contribute meaningful information to your critical detection capabilities. You cannot improve all these data sets at once, so you will need to determine which data to improve first.
To do so, you must create a clear, objective picture of which activity will produce the most relative value. First estimate the effort required to improve each data set. Then define the value you expect each improvement to generate for your priority detections. Compare value against effort for each improvement opportunity and rank them.
For example, if you are improving end user behavior data, you might find “low hanging fruit” in your Identity &amp; Access Management system’s data. Account status, entitlement, and authentication records have high warning value for malicious user activity, and they tend to be more structured and better governed than other user behavior data, so they are relatively cheap to improve compared to the value they offer.
Step 3: Iteratively Improve Data Quality
Finally, don’t get stuck in perfectionism. Even small improvements can be enough to stop a damaging breach. To take immediate action, unlock quick wins, and iteratively build better data quality, it is useful to break the total work required to capture your highest-priority opportunity into two-week sprints, each with its own defined activities, outcomes, and improvements.
To determine which improvements to implement first, follow a prioritization process similar to the one outlined in step two: define the highest-value, lowest-effort work sprints in your top priority data set. For an Identity &amp; Access Management system, it might make sense in your first sprint to verify that user access to your critical networks, applications, and assets is accurate and appropriate, so that access to your “crown jewels” is limited to only your most trusted users.
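The three steps above describe a process rather than a tool, but the "measure data quality" foundation from the introduction and the first-sprint IAM check in step three can both be made concrete. The following is an added example, not code from the original article or from any vendor product: it scores a small constructed set of authentication events for completeness, validity, and referential integrity against a constructed IAM roster, and flags successful access to a crown-jewel application by anyone outside an approved set. The field names, the roster, the `CROWN_JEWELS` mapping, and the sample events are all assumptions chosen for illustration.

```python
"""Data-quality and access-governance checks over authentication events (illustrative)."""
from collections import Counter
import re

# --- Constructed sample data; hypothetical, not taken from any real system ---

# IAM roster: account status and the applications each user is entitled to
IAM_USERS = {
    "alice": {"status": "active", "entitlements": {"crm", "payroll"}},
    "bob": {"status": "active", "entitlements": {"crm"}},
    "carol": {"status": "disabled", "entitlements": {"payroll"}},
}

# Crown-jewel applications and the users approved to reach them
CROWN_JEWELS = {"payroll": {"alice"}}

# Authentication events as an analytics platform might ingest them;
# several are deliberately incomplete or inconsistent
AUTH_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "user": "alice", "app": "crm",
     "result": "success", "src_geo": "US", "session_sec": 1800},
    {"ts": "2024-03-01T08:05:00Z", "user": "bob", "app": "crm",
     "result": "success", "src_geo": "", "session_sec": 600},
    {"ts": "2024-03-01T08:10:00Z", "user": "carol", "app": "payroll",
     "result": "success", "src_geo": "DE", "session_sec": 120},
    {"ts": "2024-03-01T08:15:00Z", "user": "mallory", "app": "payroll",
     "result": "success", "src_geo": "RU", "session_sec": 300},
    {"ts": "2024-03-01T08:20:00Z", "user": "bob", "app": "payroll",
     "result": "failure", "src_geo": "US", "session_sec": "n/a"},
    {"ts": "", "user": "alice", "app": "crm",
     "result": "ok", "src_geo": "US", "session_sec": -5},
]

REQUIRED_FIELDS = ("ts", "user", "app", "result", "src_geo", "session_sec")
VALID_RESULTS = {"success", "failure"}
GEO_RE = re.compile(r"^[A-Z]{2}$")  # agreed classification: two-letter country code


def check_event(event):
    """Return the list of data-quality and governance issues found in one event."""
    issues = []
    # Completeness: every required field present and non-empty
    for field in REQUIRED_FIELDS:
        if event.get(field) in ("", None):
            issues.append(f"missing:{field}")
    # Validity: values conform to the agreed format
    if event.get("result") and event["result"] not in VALID_RESULTS:
        issues.append("invalid:result")
    geo = event.get("src_geo")
    if geo and not GEO_RE.match(geo):
        issues.append("invalid:src_geo")
    sess = event.get("session_sec")
    if sess not in ("", None) and (not isinstance(sess, (int, float)) or sess < 0):
        issues.append("invalid:session_sec")
    # Referential integrity: the user and entitlement must exist in the IAM system
    user, app = event.get("user"), event.get("app")
    account = IAM_USERS.get(user)
    if user and account is None:
        issues.append("unknown_user")
    elif account is not None and event.get("result") == "success":
        if account["status"] != "active":
            issues.append("disabled_user_success")
        if app and app not in account["entitlements"]:
            issues.append("unentitled_access")
    # Governance: successful crown-jewel access limited to the approved users
    if app in CROWN_JEWELS and event.get("result") == "success" \
            and user not in CROWN_JEWELS[app]:
        issues.append("crown_jewel_violation")
    return issues


def score_dataset(events):
    """Summarise per-field completeness, issue counts, and the share of clean events."""
    completeness = {f: 0 for f in REQUIRED_FIELDS}
    issue_counts = Counter()
    clean = 0
    for ev in events:
        for f in REQUIRED_FIELDS:
            if ev.get(f) not in ("", None):
                completeness[f] += 1
        issues = check_event(ev)
        issue_counts.update(issues)
        if not issues:
            clean += 1
    n = len(events)
    return {
        "events": n,
        "completeness": {f: round(c / n, 2) for f, c in completeness.items()},
        "issues": dict(issue_counts),
        "clean_ratio": round(clean / n, 2),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(score_dataset(AUTH_EVENTS), indent=2))
```

Run across a day of real exports, the `completeness` and `issues` counts give the objective effort-versus-value picture that step two asks for: a field that is 83 percent populated is a quick win in the log pipeline, whereas `unknown_user` and `disabled_user_success` hits point at roster synchronization problems in the IAM system itself, and any `crown_jewel_violation` is a first-sprint finding to act on before the analytics layer is touched.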
In our experience with clients, these steps set the stage to perform increasingly efficient and effective security processes. With the completion of each iteration on data quality improvement, teams generate better data-driven insights to continuously improve security performance.
Analytics to Activate Your Security Program
Organizations that are disappointed by the insights from their security tools should consider selective, value-driven data quality improvement efforts. Prioritizing data quality improvement efforts relative to security performance outcomes can help optimize operations.
Your team will be better positioned to harness the power of technology and analytics to detect and respond to threats, and your cybersecurity tools will finally begin to live up to their promise and deliver accelerated security incident detection. Ultimately, analytics-driven alerting can drive down incident response times, which in turn reduces the risk that sensitive data will be compromised.