06 Oct 2015

Security Analytics explained: why you should look at it

For over a year, vendors and end users have been calling analyst firms like Gartner asking about “the security analytics market”.

“They are usually shocked at our answer: since there is no such market, there is no size to report,” Gartner research VP Anton Chuvakin said at the time.

Chuvakin’s problem at the time was largely in definition: while some security tools had an analytics capability, these tools were already categorised.

But Chuvakin’s tune started changing in just six months. “Security analytics – finally emerging for real?” he blogged.

Then, in April 2015, security analytics became a market in its own right.

“Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level,” said Eric Ahlm, research director at Gartner.

“Security analytics platforms endeavour to bring situational awareness to security events by gathering and analysing a broader set of data, such that the events that pose the greatest harm to an organization are found and prioritized with greater accuracy.”

There are a number of tools that broadly fall under the security analytics umbrella.

  • Security Information and Event Management (SIEM): These tools have been around for a while and basically examine logs to correlate potential threats in real-time.
  • Expanded Network Forensics (NFT): This is a category of products that aims to “capture, store, index, process, search and analyse all network traffic — with security intent — at a specific point (or specific points) in a network”, according to Gartner.
  • User Behaviour Analytics (UBA): These allow “user activity to be analysed, much in the same way a fraud detection system would monitor a user’s credit cards for theft,” Gartner’s Ahlm said.
  • Threat Intelligence Security Services (TISS): While this has some overlap with SIEM, these tools are used to “proactively monitor and mitigate malicious network traffic”, according to IDC.
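As an added illustration (not code from the article, Gartner or any vendor named here), the two detection styles the list describes, SIEM-style log correlation and UBA-style user baselining, run over a few constructed authentication log lines; the log format, thresholds and function names are assumptions for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): time, source, user, outcome.
SAMPLE_LOG = """\
2015-10-06T02:14:01 10.0.0.7 alice FAIL
2015-10-06T02:14:09 10.0.0.7 alice FAIL
2015-10-06T02:14:20 10.0.0.7 alice FAIL
2015-10-06T02:14:33 10.0.0.7 alice SUCCESS
2015-10-06T09:01:00 10.0.0.9 bob SUCCESS
2015-10-06T09:30:00 10.0.0.9 bob SUCCESS
2015-10-06T10:05:00 10.0.0.9 bob SUCCESS
2015-10-06T23:45:00 192.0.2.50 bob SUCCESS
"""

def parse(log):
    """Turn each log line into (timestamp, source, user, outcome)."""
    events = []
    for line in log.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events

def siem_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """SIEM-style correlation: `threshold` failures for one (source, user) inside
    `window`, then a success, is reported as probable credential guessing."""
    alerts, fails = [], defaultdict(list)  # (src, user) -> recent failure times
    for ts, src, user, outcome in events:
        key = (src, user)
        fails[key] = [t for t in fails[key] if ts - t <= window]  # drop stale
        if outcome == "FAIL":
            fails[key].append(ts)
        elif len(fails[key]) >= threshold:
            alerts.append(("brute_force_then_success", src, user, ts))
            fails[key].clear()
    return alerts

def uba_anomalies(events):
    """UBA-style baseline: learn each user's usual login hours and sources from
    earlier successes; flag a success whose hour AND source are both new."""
    alerts, hours, srcs = [], defaultdict(set), defaultdict(set)
    for ts, src, user, outcome in events:
        if outcome != "SUCCESS":
            continue
        if hours[user] and ts.hour not in hours[user] and src not in srcs[user]:
            alerts.append(("unusual_hour_and_source", src, user, ts))
        hours[user].add(ts.hour)
        srcs[user].add(src)
    return alerts
```

The baseline here is learned from the same short stream it scores, so the first few logins of every user are trusted blindly; a production UBA tool builds its profile over a long training period before it starts alerting.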

While vendors are typically aligning their products under these categories in the security analytics market, others are still operating under slight marketing variations.

IBM, for example, uses the umbrella term ‘Security Intelligence’ to describe its offerings in the space. These include QRadar, a SIEM tool it bought in 2011.

Despite the emergence of tools that could broadly be fit under a security analytics umbrella, Gartner’s Ahlm believes “the security industry is [still] rather immature in [its] application of analytics.”

“As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis,” he noted.

“Today, information about hosts, networks, users and external actors is the most common data brought into an analysis.

“However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.”