TDWI Articles

Security Analytics: Our Last, Best Hope?

Predictive analytics, machine learning, automated decision rules, AI, and other security analytics technologies have transformed how we handle malicious hacking activity. Are they adequate?

Predictive analytics, machine learning, automated decision rules, artificial intelligence (AI), and other security analytics technologies have transformed how we detect, respond to, and prevent malicious hacking activity. Some experts see security analytics technologies as our last, best hope to combat an explosion in the number and variety of threats, attacks, and attack surfaces. Is this hope realistic?

Customers certainly seem to think so. Market watcher Gartner expects that by 2020, nearly three-quarters of all security products will embed some form of advanced analytics technology. Int'l Data Corp. predicts that global spending on information security technologies will approach $82 billion in 2017, driven in part by strong growth in technologies (such as vulnerability assessment and user behavioral analytics) that are being augmented by analytics.

Customers Want Smarter Security

For Further Reading:

Improving Cybersecurity with Artificial Intelligence Solutions

Cybercrime and Cybersecurity: The Best Defense is in the Cloud

5 Minutes about Cybersecurity

These are reasonable predictions. Systems, applications, and services are more exposed, threats are more varied, attacks are more sophisticated, and -- as the recent WannaCry ransomware attack ably demonstrated -- the stakes are higher than ever before.

It makes sense that customers would want smarter, easier to use, more prescient security technologies -- technologies that are capable of detecting malicious activity, offering guidance about responding and in some cases actually automating this response.

However, a majority of organizations -- 88 percent, according to a 2016 survey from the SANS Institute -- say they're already using security analytics technologies in their prevention programs. Why then do market watchers predict explosive demand for prepackaged solutions?

One explanation is that most of these (66 percent) say they're using in-house solutions, which raises legitimate questions about how SANS and the security professionals who responded to its survey define the term "analytics."

What's more, even though over half of respondents (54 percent) say their security analytics processes are at least somewhat automated, organizations still aren't making enough use of automation. Just 4 percent say their analytics processes are "fully automated," and a mere 22 percent have deployed security analytics technologies that use machine learning.

"We [have] a long way to go before analytics truly progresses in many security organizations. Without a doubt, the event management, analysis, and security operations skills shortage is the biggest inhibitor, and it's also the area most organizations rank as the top focus for future spending," writes Dave Shackleford, a principal consultant with Voodoo Security and author of the SANS 2016 Security Analytics Survey.

Automating Detection, Response, and Prevention

To address these challenges, security vendors are building new predictive and prescriptive analytics capabilities into their offerings, Gartner says. These capabilities are using advanced technologies such as heuristics, AI, and machine learning. A growing number of security analytics offerings also use cutting-edge behavioral anomaly-detection capabilities.

This is all well and good, so far as it goes, Gartner argues. However, getting the most out of security analytics isn't just a matter of integrating ever-more-powerful or feature-rich predictive and prescriptive detection and guidance capabilities.

Instead, Gartner says, vendors must work with customers to identify use cases "where analytics will deliver significant value and augment limited security staff and resources."

Gartner's research tallies with survey data from market watcher Forrester, which found that nearly three-quarters of enterprise security decision makers cite improved security monitoring as a "high" or "critical" priority. Forrester also finds that vendors are building more and varied security analytics capabilities into their products.

"Advanced detection technologies [such as] machine learning and behavioral anomaly detection identify threats without the need for rules or signatures," writes analyst Joseph Blankenship in The Forrester Wave: Security Analytics Platforms, Q1 2017. "[T]he added detection capabilities of machine learning and behavioral anomaly detection can identify and alert on potentially malicious activity."

Technologies that automate the detection of anomalies are in especially high demand. "The need for more advanced detection capabilities has been so great that this is where [security analytics] vendors have focused much of their development efforts, and today, detection capabilities have increased dramatically across the vendor landscape," Blankenship writes.

It's Not Just about WannaCry

It's tempting to chalk all of this up to WannaCry, the devastating ransomware worm that exploited a known (and patched) vulnerability in Microsoft's implementation of the Windows server message block (SMB) protocol. However, the vulnerability targeted by WannaCry would easily have been identified by conventional security monitoring technologies.

The truth of the matter is that security analytics has long been a hot issue for customers and vendors alike. More to the point, security vendors aren't the only players in this space. IBM, SAS Institute, Teradata, and other vendors that specialize in analytics also market security analytics products and services.

In early 2015, for example, SAS announced Cyber Analytics, a packaged cybersecurity offering designed to help enterprises identify and respond to hacks or breaches. Cyber Analytics, since rechristened "SAS Cybersecurity," uses supervised and unsupervised machine learning techniques to process, analyze, and synthesize tens of millions of system and network events at close to real time.

It's a big market -- and it's likely to get even bigger. Malicious hacking costs companies dearly: according to the Cisco 2017 Annual Cybersecurity Report, for example, organizations that disclosed data breaches in 2016 lost both customers (cited by 22 percent of affected organizations) and business opportunities (cited by 23 percent).

Automation and Machine Learning: Our Last, Best Hope?

Because the threat landscape is becoming more dangerous, organizations will flock to products and technologies that promise to automate anomaly detection.

This is no small feat, however. In many data breaches, for example, data leakage might not actually occur until several months after a system has been compromised. Not only must security analytics technologies be able to connect events that originate in different systems, applications, and services -- a growing proportion of which are geographically distributed -- they must also connect events that are spaced out over time.

Machine learning gives us one way to automate detection and (via decision rules) response, but few organizations are making use of it, according to SANS. Unsupervised machine learning techniques are likewise powerful tools for identifying unknown and unsuspected attack signatures and vectors, but unsupervised machine learning is dependent on specialized or highly esoteric expertise.

"Machine learning, an essential part of automating the analytics process, is still not widely utilized by security teams. In our 2016 survey, only 22 percent are utilizing machine learning capabilities in their analytics programs, while 54 percent are not. The remaining 24 percent weren't sure," Shackleford writes.

Successful Attacks Still Growing

Some machine learning is hypothetically better than no machine learning. Why, then, does SANS say the number of successful data breaches and attacks increased last year? First, the attacks aren't just more numerous, they're more sophisticated too. Second, having access to machine learning technology is one thing; making effective use of it is quite another. The problem is that there's a dearth of the human expertise that's required to deploy and use security analytics technologies.

"[Although] machine learning holds promise, a lack of automation capabilities and data science skills to analyze data from multiple tool sets may be partly responsible for a spike in successful breaches and attacks reported in this year's survey," Shackleford suggests.

Can security analytics technologies keep up? One thing's for certain: vendors in and out of the information security segment are doing their best to give the people what they want.

TDWI Membership

Accelerate Your Projects,
and Your Career

TDWI Members have access to exclusive research reports, publications, communities and training.

Individual, Student, and Team memberships available.