Security Analytics: What it is and what it is not

There’s a misconception in the cyber security industry that many IT, security executives and vendors subscribe to.  They equate security analytics to SIEM and user and entity behavior analytics (UEBA). They use the three terms interchangeably as if they are all one of the same and solve the same problems. As a result, companies waste time, leave gaps in their visibility, ability to execute and ultimately fail to minimize their cyber risk.

In a report released this month, analyst firm Forrester states, "Security analytics has garnered a lot of attention during the past few years. However, marketing hype and misunderstandings regarding security analytics have confused the market, making it difficult for security and risk leaders to make information decisions". This statement couldn’t be truer. UEBA and SIEM tools are supporting components of security analytics, but are not equivalent.

Companies today mainly use SIEM tools for log management. They collect events coming from routers, switches, firewalls, network devices, security tools and every other piece of infrastructure that generates a log. SIEM is a useful tool when it comes to complying with the Payment Card Industry Data Security Standard (PCI DSS) which mandates companies to present data from 90 days prior to prove they have adhered to certain requirements. SIEM tools also help investigators in post-breach forensic investigations to figure out what happened.

However, businesses can only do so much with a SIEM. It’s a highly resource intensive, laborious task to store, process and retain thousands of daily events. Security managers spend a third of their day making sure SIEM agents are up and running correctly, which many times they are not. They are so busy trying to keep up with log files, they cannot even leverage their SIEM’s limited analytics capabilities. If they do use them, it requires significant data skills, requiring security managers to create rules to tell the tool what kind of suspicious activity they are looking for such as, "show me every time an administrator created and deleted a temporary asset directory in a 24 hour period".  The sources of log data constantly change with new devices coming in and out, routers switching, new servers, etc. so it takes even more time to adjust the rules.

As the Forrester report states, "Security and risk pros have long lamented the high number of alerts their SIMs (a.k.a. SIEMs) produced. This created a can’t-see-the-forest-for-the-trees scenario of false positives alerts that reduced actual visibility". The abundance of alerts and rules-based requirements is a recipe for failure when it comes to effectively using a SIEM to facilitate rapid incident detection, analysis, and response. SIEM is a valuable tool for some SOC functions but it should not replace a security analytics platform. It is merely one part of the security analytics picture.

User and entity behavior analytics is another important component of a security analytics platform.  IT and security executives have been underwhelmed by vendors promising UEBA as the key to combating insider threats when in reality it is an important piece of the puzzle, but only one piece. UEBA is one of many threat detection methods. It identifies risky or unusual behavior but lacks the context incident responders need to decipher whether or not a threat is real or important. Responders need to know if the threat is to an asset that is highly valuable to the company and if there’s an associated vulnerability. Without either of those components, responders do not know if the threat needs to be actioned immediately or if it can be put on the low priority list.  As Forrester says, "Standalone analytics products are not security analytics platforms…Forrester views SUBA (security user behavior analytics) as a feature or capability that must integrate with your security analytics platform".  Security user behavior analytics is only a means to an end.

A security analytics platform collects, analyzes and correlates information from company’s existing security tools, which includes SIEM and UEBA, so that IT and security leaders as well as other stakeholders within companies have visibility into the most pertinent information related to their cyber risk and can take action accordingly. By providing full transparency, the platform enables IT and security leaders to hold line-of-businesses accountable for minimizing risk to valuable assets under their management and to help investigators action the most critical threats based on the value at risk. Security analytics also give traceable and accurate data that IT and security executives can bring to their boards of directors so that they can make informed decisions related to the company’s cyber risk.

Until the confusion is cleared among the cyber security community, companies will continue investing in products that do not meet expectations while not getting the full benefit from tools they have already purchased. Despite what the marketing hype says, security analytics is not SIEM nor user and entity behavior analytics. It encompasses both of those elements and so much more.

credit: sommthink/Shutterstock

Steven Grossman is Vice President of Program Management, Bay Dynamics. He has over 20 years of management consulting experience working on the right solutions with security and business executives. At Bay Dynamics, Steven is responsible for ensuring our clients are successful in achieving their security and risk management goals. Prior to Bay Dynamics, Steven held senior positions at top consultancies such as PWC and EMC. Steven holds a BA in Economics and Computer Science from Queens College.