With cyberattacks and breaches on the rise, security should be a major concern for all companies. In particular, enabling the development of an analytics maturity model is a useful addition to your traditional security information and event management (SIEM)-based operations.

It is possible to step away from only applying the traditional SIEM model with its rule-based analytics and move toward an integrated approach. The security capabilities built over the last decades based on SIEM and security orchestration and response are valuable. However, organizations can now move toward a security model that leverages the power of the traditional SIEM model and data science.

Although there is not a one-size-fits-all approach when it comes to implementing a security analytics program, the security maturity model gives an indication of what one can expect and what many organizations have experienced. By identifying in which stage of the maturity model your company is, you can identify key milestones to focus on to move to the next stage as quickly and smoothly as possible. 

The Cost of a Data Breach is Time and Money

A recent market study found that the average cost of a data breach is $3.9 million. As if this wasn’t enough, the same study also showed that a breach stays undetected on average for 280 days within the company’s environment.

What does the 280-day figure mean for SIEM-based analytics? Data analytics and business intelligence analyze huge amounts of data to identify anomalies or create predictions based on historic data, but SIEM operations focus on real-time events and correlation of events ranging from one minute to seven days ago. This timeframe is 273 days too short. In that time, indicators and traces of an attacker might get lost or might not be correlated with current events.
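As an added illustration (not code from the original article), the snippet below contrasts a SIEM-style trailing-window correlation rule with a long-horizon first-seen analysis over a constructed event set; the hosts, indicators and dates are made up for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events, not from the article: (date, host, indicator).
# The same beaconing indicator appears on ws-17 in January and again in
# October, 280 days later; the other entries are unrelated background noise.
EVENTS = [
    (date(2023, 1, 5), "ws-17", "dns:203.0.113.9"),    # initial foothold
    (date(2023, 1, 6), "ws-17", "dns:203.0.113.9"),
    (date(2023, 3, 2), "fs-02", "logon:svc-backup"),   # unrelated noise
    (date(2023, 10, 12), "ws-17", "dns:203.0.113.9"),  # attacker resurfaces
    (date(2023, 10, 12), "ws-17", "logon:svc-backup"),
]


def siem_correlate(events, window_days, min_hits=2):
    """SIEM-style rule: alert when a (host, indicator) pair is seen at least
    min_hits times inside a trailing window of window_days, evaluated at the
    time of the most recent event. Anything older than the window is invisible."""
    latest = max(d for d, _, _ in events)
    cutoff = latest - timedelta(days=window_days)
    hits = defaultdict(int)
    for d, host, ind in events:
        if d > cutoff:
            hits[(host, ind)] += 1
    return sorted(key for key, n in hits.items() if n >= min_hits)


def dwell_by_indicator(events):
    """Long-horizon analytics: first and last sighting of each (host, indicator)
    over the whole retained history, plus the span in days between them."""
    first, last = {}, {}
    for d, host, ind in events:
        key = (host, ind)
        first[key] = min(first.get(key, d), d)
        last[key] = max(last.get(key, d), d)
    return {k: (first[k], last[k], (last[k] - first[k]).days) for k in first}


if __name__ == "__main__":
    # A seven-day correlation window sees only two unrelated October events.
    print("7-day window:", siem_correlate(EVENTS, 7))
    # A year-long window links the October beacon back to the January sightings.
    print("365-day window:", siem_correlate(EVENTS, 365))
    # The baseline view shows the indicator has been present on ws-17 for 280 days.
    for key, (seen, latest, days) in dwell_by_indicator(EVENTS).items():
        print(key, "first", seen, "last", latest, "dwell", days, "days")
```
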

Instead, you can implement a new approach to security analytics based on data science. This approach uses the same tools and skill sets as business analytics but applies them to a different context: security events and their metadata. Many organizations already have a large number of skilled data analysts within their ranks who focus primarily on business intelligence and market analysis. With this approach to security analytics, you can expand this team by adding security-focused data analysts while using the skills, tools and culture of the company’s current data analytics team.

Security Maturity Model Stages

The core idea of a maturity model is to identify the current standing of security operations, as well as to determine what the next stage is and how to get there. The goal is to identify which areas to focus on in order to move to the next stage as quickly and smoothly as possible. This maturity model is focused on six dimensions: vision; operating model; data and technology; engineering and operations; change management; and people and enablement.

Source: Joerg Stephan, Kim de Vries, Richard de Vries

The maturity model measures the maturity of a company. It functions as a guide on the journey toward full transformational maturity. In starting this journey, you will find colleagues in your company who have already thought through these phases and are waiting for the company to catch up.

1. Inactive

Sporadic business needs or individuals drive security analytics projects and dashboards, but the organization does not have long-term security planning, roadmaps or governance. Sporadic activities may happen in small or isolated pockets across the organization due to a lack of a structured enterprise-wide mechanism or insight. Most of these analytical projects are only active in proof-of-concept or test environments.

Being inactive is tough, but it is also a nice place to be. In this stage, everything you do will have an impact right away. Consider founding a tribe or guild. Find the thought leaders in your company and give them the time and resources to explore how to use the maturity model framework to move to the next stage.

2. Aware

This phase is sometimes called “Explore.” Companies are aware of data-driven security analytics. They have started exploring the benefits and insights analytics could provide to increase resiliency. The organization is still primarily dependent on ad hoc processes and reporting for analytical insights. Decision makers consider feasibility and impact only to a certain extent. The company is aware of the need to support security analytics but has not put in place a strategy or methodology to do so.

3. Active

Security analytics slowly makes its way into daily operations. The security team is beginning to learn about and implement security analytics use cases beyond ad hoc requests. The use cases are starting to become more strategic and focused on structurally improving day-to-day operations and decision making. The reports go beyond descriptive statistics and tackle more strategic and insightful questions. These include trying to make inferences about future state models and risks. There is moderate management-level engagement with data-driven security analytics projects and their outcomes.  

4. Operational

The organization uses data analytics to enhance understanding. Stakeholders use it in daily operations to support decision making at various levels and across departments. Management knows about all security analytics-related projects in the organization. However, the departments and their analytical insights have not yet been fully integrated.

5. Systemic

Data analytics is starting to become the focus from the top down. Not only is security analytics part of day-to-day operations, but it also is becoming a strategic focus and part of the business strategy. C-suite stakeholders are committed, engaged and support the transformational program. The business strategy and plan for most teams are clearly defined and aligned with the security roadmap, planning and security governance. The predictions and insights are used for structural improvements throughout the organization and strategic direction. 

At this stage, the organization should start cross-competency tribes to learn from each other and standardize tooling and data collection. It saves training costs and reduces downtime when cross-competency teams attend training together. Additionally, people from other teams can contribute to algorithms if needed.

6. Transformational

Companies that are truly transformational apply new tools and techniques and push for innovation. They aim to constantly grow data analytics capabilities and use them to achieve a competitive advantage. Data analytics capabilities are embedded in the organizational fabric with appropriate architecture and infrastructure underpinning performance. Every department explores security analytics use cases to optimize insights. Analysts combine information and data from different departments. They create holistic models underpinning the company’s security posture and detecting risks and threats.

Looking to the Future

First, companies should focus on formulating a long-term security analytics strategy with a maturity model. This will provide direction and focus to the use cases. By creating this long-term vision, you can focus on the use cases that are needed and have the highest priority to ensure maximum effectiveness. Second, companies should focus on attracting and nurturing talent as early as possible. Having a dedicated and innovative team will help you move security analytics solutions forward. Lastly, companies should focus on transforming the infrastructure and data architecture to enable and optimize performance for security analytics.
