June 28, 2016 By Chris Meenan 3 min read

If you were asked to name a current hot topic in security, would you say analytics? Chances are good that you might, especially if you’ve ever worked in an organization facing a cognitive overload situation. In addition to that data deluge, security teams face sophisticated adversaries, long and slow attacks, devious insider threats and successful phishing attacks. Daily incidents must be triaged and remedied in decreasing importance.

Security analytics can provide the vital signs needed to identify and rank these threats. Some analytical tools are excellent search engines that can be trained on security data, but without developing sophisticated queries accounting for multiple conditions, all they can produce are long lists of meaningless events — no basic prioritizations and limited network context. Such lists are then picked up by an insufficient pool of security analysts tasked with figuring out what, if anything, is going on. Is it a good day if you’ve found nothing?

Diagnosing Symptoms With Security Analytics

After listening to a video featuring IBM Senior Vice President John Kelly talking about cognitive solutions and Watson at MIT’s EmTech 2015 event, I couldn’t help but draw multiple parallels between health care and security industry challenges. Health care organizations face a limited pool of trained resources, including doctors, nurses, etc. Its practitioners must digest a huge amount of information in order to render accurate diagnoses. There are simply not enough hours in the day to treat all conditions even when working around the clock. Sound familiar?

What’s different about the security industry is that our patients (networks and infrastructure) don’t come to us complaining with a set of symptoms. Teams must employ sophisticated security analytics and other monitoring techniques to identify the case load. For example, their monitoring tools may flag a user account accessing a bunch of servers for the first time. Perhaps they detect an endpoint that is currently uploading more files to a system than it has within the last six months. Other solutions may reveal that a server is suddenly communicating with IP domains never before seen within the network.

These security symptoms are just that — symptoms. They could be the start of something new or a continuation of a previous incident pointing to a different root cause in the network. They might be completely benign (e.g., a new updating process, someone uploading family pictures over the weekend) or they could be really bad (e.g., a piece of malware dropping its payload).

It takes a skilled security operations center (SOC) analyst to investigate these circumstances. It’s similar to how skilled health workers consult patient histories, study current drug usage and more to identify the true illness and prescribe a treatment.

Two Types of Security Analytics

In both fields, there is a lot of learning that must take place to be effective. Insufficient depth of knowledge results in shortages of doctors or SOC analysts who are presented with more issues than they can typically handle. In security, it is time to start thinking about two types of analytics:

  1. Detection analytics: Identify when something isn’t right, correlate all related incidents and present threats in a prioritized manner. These capabilities are found within QRadar Sense Analytics.
  2. Diagnostic analytics: Identify the threat based on symptoms and present a prioritized list of resolutions based on previously observed or understood conditions. These capabilities are what Watson is doing in health care and what cognitive solutions are aiming for in security.

Both types of analytics are important for an effective security operations team to meet the challenges of today and tomorrow. So, the next time you are talking to vendors or partners on the eve a purchase decision, it might be worth asking to see their technology road maps — not only for detection analytics, but also for diagnostic analytics.

Watch the webinar: How to Sense Cyberthreats With the Most Advanced Security Analytics Platform

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today