With cyberattacks and breaches on the rise, security should be a major concern for all companies. In particular, enabling the development of an analytics maturity model is a useful addition to your traditional security information and event management (SIEM)-based operations.
It is possible to step away from only applying the traditional SIEM model with its rule-based analytics and move toward an integrated approach. The security capabilities built over the last decades based on SIEM and security orchestration and response are valuable. However, organizations can now move toward a security model that leverages the power of the traditional SIEM model and data science.
Although there is not a one-size-fits-all approach when it comes to implementing a security analytics program, the security maturity model gives an indication of what one can expect and what many organizations have experienced. By identifying in which stage of the maturity model your company is, you can identify key milestones to focus on to move to the next stage as quickly and smoothly as possible.
The Cost of a Data Breach is Time and Money
A recent market study found that the average cost of a data breach is $3.9 million. As if this wasn’t enough, the same study also showed that a breach stays undetected on average for 280 days within the company’s environment.
What does the 280-day figure mean for SIEM-based analytics? Data analytics and business intelligence analyze huge amounts of data to identify anomalies or create predictions based on historic data, but SIEM operations focus on real-time events and correlation of events ranging from one minute to seven days ago. This timeframe is 273 days too short. In that time, indicators and traces of an attacker might get lost or might not be correlated with current events.
Instead, you can implement a new approach to security analytics based on data science. An approach, such as a maturity model, uses the same tools and skillsets but changes the context of security events, including their metadata. Many organizations already have a large number of skilled data analysts within their ranks who focus primarily on business intelligence and market analysis. With this approach to security analytics, you can expand this team by adding security-focused data analysts while using the skills, tools and culture of the company’s current data analytics team.
Security Maturity Model Stages
The core idea of a maturity model is to identify the current standing of security operations, as well as to determine what the next stage is and how to get there. The goal is to identify which areas to focus on in order to move to the next stage as quickly and smoothly as possible. This maturity model is focused on six dimensions: vision, operating model, data and technology, engineering and operations, change management and people and enablement.
Source: Joerg Stephan, Kim de Vries, Richard de Vries
The maturity model measures the maturity of a company. It functions as a guide on the journey toward full transformational maturity. In starting this journey, you will find colleagues in your company who have already thought through these phases and are waiting for the company to catch up.
1. Inactive
Sporadic business needs or individuals drive security analytics projects and dashboards. But, the organization does not have long-term security planning, roadmaps or governance. Sporadic activities may happen in small and/or isolated pockets across the organization due to a lack of a structured enterprise-wide mechanism or insight. Most of these analytical projects are only active in proof-of-concept or test environments.
Being inactive is tough, but it is also a nice place to be. In this stage, everything you do will have an impact right away. Consider founding a tribe or guild. Find the thought leaders in your company and give them the time and resources to explore how to use the maturity model framework to move to the next stage.
2. Aware
This phase is sometimes called “Explore.” Companies are aware of data-driven security analytics. They have started exploring the benefits and insights analytics could provide to increase resiliency. The organization is still primarily dependent on ad hoc processes and reporting for analytical insights. Decision makers consider feasibility and impact only to a certain extent. The company is aware of the need to support security analytics but has not put in place a strategy or methodology to do so.
3. Active
Security analytics slowly makes its way into daily operations. The security team is beginning to learn about and implement security analytics use cases beyond ad hoc requests. The use cases are starting to become more strategic and focused on structurally improving day-to-day operations and decision making. The reports go beyond descriptive statistics and tackle more strategic and insightful questions. These include trying to make inferences about future state models and risks. There is moderate management-level engagement with data-driven security analytics projects and their outcomes.
4. Operational
The organization uses data analytics to enhance understanding. Stakeholders use it in daily operations to support decision making at various levels and across departments. Management knows about all security analytics-related projects in the organization. However, the departments and their analytical insights have not fully integrated.
5. Systemic
Data analytics is starting to become the focus from the top down. Not only is security analytics part of day-to-day operations, but it also is becoming a strategic focus and part of the business strategy. C-suite stakeholders are committed, engaged and support the transformational program. The business strategy and plan for most teams are clearly defined and aligned with the security roadmap, planning and security governance. The predictions and insights are used for structural improvements throughout the organization and strategic direction.
At this stage, the organization should start cross-competency tribes to learn from each other and standardize tooling and data collection. It saves training costs and reduces downtime when cross-competency teams attend training together. Additionally, people from other teams can contribute to algorithms if needed.
6. Transformational
Companies that are truly transformational apply new tools and techniques and push for innovation. They aim to constantly grow data analytics capabilities and use them to achieve a competitive advantage. Data analytics capabilities are embedded in the organizational fabric with appropriate architecture and infrastructure underpinning performance. Every department explores security analytics use cases to optimize insights. Analysts combine information and data from different departments. They create holistic models underpinning the company’s security posture and detecting risks and threats.
Looking to the Future
Companies should focus on formulating a long-term security analytics strategy with a maturity model. This will provide direction and focus to the use cases. By creating this long-term vision, you can focus on the use cases that are needed and have the highest priority to ensure maximum effectiveness. Second, companies should focus on attracting and nurturing talent as early as possible. Having a dedicated and innovative team will help you move security analytics solutions forward. Lastly, companies should focus on transforming the infrastructure and data architecture to enable and optimize performance for security analytics.
Security Architect/Consultant, IBM Security EU-COC