What are the main challenges that security analytics can be used to address?
As a tool for building a stable and useful cyber security practice in an organisation, security analytics is as versatile as they come. It has multiple uses and, if deployed correctly and efficiently, it can set the tone for the rest of the security effort: introducing efficiencies, covering gaps and alerting managers to potential risks.
All organisations of any reasonable size can benefit from some degree of security analytics. At the most basic, this might just be to have a single, master analysis of the open security risks.
At the beginning, to see what security analytics an organisation might benefit from, I would typically analyse the primary products and services it delivers, then how any security events had impacted or interfered with those operations. It is essential that an organisation’s security analytics fits the business itself, and that means a high degree of tailoring.
By running some basic root cause analysis on the most significant incidents, it is usually possible to identify which analytics would help to bring those situations under control. This also lets the security team demonstrate to the business executive overseeing the programme where we are today – and show the progress as we address the primary security problems.
However, when it comes to security analytics, any organisation can easily be overwhelmed by the options. One of the most frequent problems I see is simply that an organisation fails to establish from the start which security metrics and analysis results will give it the best return for its efforts.
If an organisation first establishes which questions it expects the security analytics to answer – and how it will use those metrics once they are available – it is more likely to be able to use the information to help improve its security position by identifying its remediation priorities.
I have found that a good approach is to first consider and design which metrics and key performance indicators (KPIs) the business executive overseeing the programme will expect and need. One option is to design the executive summary view of the metrics first, then define what operational analytical information will need to be collated to make that view possible.
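The top-down approach described above (map incidents to the services they affected, run root cause analysis, design the executive view first, then derive the operational data it needs) as an added worked example, not code from the original article; the incident records, root-cause tags and KPI names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Incident:
    service: str          # business product or service that was affected
    root_cause: str       # outcome of the root cause analysis
    impact_hours: float   # hours the service was degraded or unavailable
    detect_hours: float   # hours from first malicious activity to detection


# Constructed sample incident records (not real data)
INCIDENTS = [
    Incident("online-orders", "unpatched-web-server", 6.0, 48.0),
    Incident("online-orders", "phished-credentials", 2.0, 72.0),
    Incident("payments", "unpatched-web-server", 10.0, 30.0),
    Incident("payments", "misconfigured-firewall", 1.0, 5.0),
    Incident("hr-portal", "phished-credentials", 3.0, 120.0),
]

# Executive view: which KPIs the programme sponsor will see, and the
# operational data each one requires (assumed field names)
KPI_INPUTS = {
    "impact hours by root cause": ["affected service", "root cause tag", "outage duration"],
    "mean time to detect": ["first-seen timestamp from logs", "alert timestamp"],
}


def _total_by(incidents, key):
    """Sum impact hours grouped by an Incident attribute, highest first."""
    totals = defaultdict(float)
    for inc in incidents:
        totals[getattr(inc, key)] += inc.impact_hours
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def impact_by_service(incidents):
    """Step 1: how security events have interfered with each service."""
    return _total_by(incidents, "service")


def impact_by_root_cause(incidents):
    """Step 2: rank root causes by business impact to pick remediation priorities."""
    return _total_by(incidents, "root_cause")


def mean_time_to_detect(incidents):
    return sum(inc.detect_hours for inc in incidents) / len(incidents)


def executive_summary(incidents):
    """Step 3: the summary view, plus the operational data needed to build it."""
    ranked = impact_by_root_cause(incidents)
    return {
        "top_root_cause": ranked[0][0],
        "top_root_cause_hours": ranked[0][1],
        "mttd_hours": round(mean_time_to_detect(incidents), 1),
        "required_operational_data": sorted({f for fs in KPI_INPUTS.values() for f in fs}),
    }
```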
Where to look
With that caveat, there are a lot of areas where security analytics can provide serious value.
When security analytics is working effectively, it can provide an easy way to visualise large amounts of information in order to identify trends or patterns more easily. Those patterns often highlight both strengths and weaknesses in an organisation’s security position.