Adoption of data analytics is within reach for a growing number of security teams as technology improves and costs come down. With an eye towards gaining more comprehensive situational awareness and insight into potential threats, many security teams now collect data from various internal and external sources. But how do you determine what data is actually valuable? How do you arrive at actionable outcomes? What’s the best way to build out this essential new capability?
Based on their experiences, some of the world’s most accomplished security executives – members of the Security for Business Innovation Council (SBIC) – have provided valuable advice for setting up data analytics processes in the SBIC’s most recent report, Transforming Information Security, Future-Proofing Processes. The report helps organizations to determine what data to collect and where to find it.
The council recommends a practical approach for those getting started: Look at the types of questions data analytics can answer, then think through what data can help answer those questions. Two example use cases are usage abnormalities and groundspeed violations.
For example, you may want to know whether system administrator activity on a particular system is representative of a legitimate user or an intruder. The answer could lie in unusual patterns of activity such as multiple sets of credentials being used in quick succession on one machine or an admin connecting into a system that is not associated with any of their work orders. Any usage abnormalities that are found bear further investigation.
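As an added illustration (not code from the SBIC report), the two usage abnormalities named above can be checked with a short script over authentication events. The log lines, host names, user names and work-order mapping below are constructed samples, and the ten-minute window and three-account threshold are assumptions a team would tune during refinement.

```python
"""Usage-abnormality checks over constructed authentication events.

Two signals from the text: several distinct credentials used on one host
within a short window, and an administrator connecting to a host that is
not covered by any of their open work orders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, host)
EVENTS = [
    ("2014-03-10 09:00:00", "alice", "srv-db01"),
    ("2014-03-10 09:02:00", "bob",   "srv-db01"),
    ("2014-03-10 09:03:30", "carol", "srv-db01"),
    ("2014-03-10 09:04:10", "dave",  "srv-db01"),
    ("2014-03-10 09:30:00", "alice", "srv-web02"),
    ("2014-03-10 11:00:00", "bob",   "srv-web02"),
    ("2014-03-10 12:00:00", "erin",  "srv-hr01"),
]

# Constructed work-order mapping: admin -> hosts their open tickets cover
WORK_ORDERS = {
    "alice": {"srv-db01", "srv-web02"},
    "bob":   {"srv-db01", "srv-web02"},
    "carol": {"srv-db01"},
    "dave":  {"srv-db01"},
    "erin":  {"srv-hr02"},
}


def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, h)
            for ts, u, h in events]


def credential_churn(events, window=timedelta(minutes=10), threshold=3):
    """Return {host: set_of_users} for every host on which more than
    `threshold` distinct accounts authenticated within any span of
    length `window` (sliding window over time-sorted events)."""
    by_host = defaultdict(list)
    for ts, user, host in sorted(parse(events)):
        by_host[host].append((ts, user))
    flagged = {}
    for host, rows in by_host.items():
        start = 0
        for end in range(len(rows)):
            # advance the window start until rows[start..end] fit in `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if len(users) > threshold:
                flagged[host] = users
    return flagged


def out_of_scope_logins(events, work_orders):
    """List (user, host) pairs where the host is not in the user's work orders."""
    return [(u, h) for _, u, h in parse(events)
            if h not in work_orders.get(u, set())]


if __name__ == "__main__":
    print("credential churn:", credential_churn(EVENTS))
    print("out-of-scope logins:", out_of_scope_logins(EVENTS, WORK_ORDERS))
```

Both functions return the flagged items rather than printing them so the results can feed a ticketing or review queue; in the sample data, `srv-db01` sees four accounts in just over four minutes and `erin` touches a host her work orders do not list.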
For each use case, you’ll need to go through an iterative process with multiple cycles of data collection, algorithm development, testing, and refinement. If, for example, you were looking for groundspeed violations, the process would look something like this:
Question: The security team asks “In which cases does a user logging into the network from different locations exceed ‘normal movement’ speeds – activity from two far-apart physical locations within too short an amount of time?”
Data collection: The security team looks for data such as geographic location of badge swipes in buildings, IP addresses, mobile-device connections, and static VPN connections; the timestamps in these logs; and corporate travel itineraries to indicate where the user ought to be.
Algorithm development: The data analyst develops an algorithm to generate a risk score based on the calculated speed at which the user is apparently moving.
Testing and refinement: The team determines which cases might be normal yet generate high risk scores. The algorithm is refined, perhaps with additional data to reduce false positives.
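The four steps above, carried through as an added worked example (not the council's or any vendor's code): a risk score from the implied speed between a user's consecutive logins, plus the refinement step that uses a travel itinerary to suppress a case that is legitimate but would otherwise score high. The login events, coordinates, itinerary, 1,000 km/h plausibility ceiling and 200 km itinerary radius are all constructed or assumed values.

```python
"""Groundspeed-violation scoring over constructed login events.

Question: where does a user appear to move between login locations
faster than is physically possible?
Data: badge swipes, VPN/IP geolocation and mobile connections with
timestamps, plus corporate travel itineraries.
Algorithm: implied speed = great-circle distance / elapsed time -> risk score.
Refinement: a login near a booked destination after the scheduled arrival
is expected movement, so its score is suppressed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling, roughly airliner speed
ITINERARY_RADIUS_KM = 200.0  # assumed: how near a booked destination counts

# Constructed events: (timestamp, user, source, lat, lon)
LOGINS = [
    ("2014-03-10 08:00:00", "alice", "badge", 42.36, -71.06),   # Boston office
    ("2014-03-10 09:30:00", "alice", "vpn",   37.77, -122.42),  # San Francisco IP
    ("2014-03-10 08:05:00", "bob",   "badge", 42.36, -71.06),   # Boston office
    ("2014-03-10 12:00:00", "bob",   "vpn",   51.51, -0.13),    # London IP
    ("2014-03-10 12:00:00", "carol", "vpn",   40.71, -74.01),   # New York
    ("2014-03-10 12:20:00", "carol", "vpn",   40.73, -73.99),   # New York, nearby
]

# Constructed itineraries: user -> (destination lat, lon, scheduled arrival)
ITINERARIES = {
    "bob": (51.51, -0.13, "2014-03-10 11:30:00"),
}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def risk_score(kmh):
    """0 at or below the plausibility ceiling, then scaled and capped at 100."""
    if kmh <= MAX_PLAUSIBLE_KMH:
        return 0
    return min(100, int(50 * kmh / MAX_PLAUSIBLE_KMH))


def explained_by_itinerary(user, ts, lat, lon, itineraries):
    """Refinement: true if a booked trip places the user near this login."""
    trip = itineraries.get(user)
    if trip is None:
        return False
    dest_lat, dest_lon, arrival = trip
    return (ts >= parse_ts(arrival)
            and haversine_km(lat, lon, dest_lat, dest_lon) <= ITINERARY_RADIUS_KM)


def score_logins(logins, itineraries=None):
    """Score each consecutive pair of logins per user by implied groundspeed."""
    itineraries = itineraries or {}
    rows = sorted((parse_ts(ts), u, s, la, lo) for ts, u, s, la, lo in logins)
    last, results = {}, []
    for ts, user, src, lat, lon in rows:
        if user in last:
            pts, psrc, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")  # same second: impossible
            suppressed = explained_by_itinerary(user, ts, lat, lon, itineraries)
            results.append({
                "user": user, "from": psrc, "to": src,
                "km": round(km, 1), "hours": round(hours, 2),
                "kmh": kmh if kmh == float("inf") else round(kmh, 1),
                "score": 0 if suppressed else risk_score(kmh),
                "suppressed": suppressed,
            })
        last[user] = (ts, src, lat, lon)
    return results


if __name__ == "__main__":
    for r in score_logins(LOGINS, ITINERARIES):
        print(r)
```

Run once without itineraries and both Alice (Boston to San Francisco in 90 minutes) and Bob (Boston to London in four hours) score; run again with the itinerary and Bob drops out because his London login matches a booked arrival, which is exactly the false-positive reduction the refinement step is meant to deliver. Carol's two New York logins a few kilometres apart never score.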
One possible challenge along the way is that once you’ve determined what data would be useful, you realize it’s not readily accessible or the logs don’t contain all of the data you need. In some cases, the security team may have to go back to the original device and get logging reconfigured to capture the necessary data. The system owner may balk at increased logging because it could create system performance issues. Part of building a data analytics capability is learning how to negotiate with system owners in order to create more security-relevant logs.
For most security teams today, building a data analytics capability will remain a work in progress. It will take experimentation and skilled negotiation, but meaningful analysis will lead to sounder, data-driven security decisions.
“The biggest challenge of data analytics is getting meaningful outcomes. You must take time to develop a cohesive strategy. Focus on the information that runs your business and develop the questions you want to ask. Otherwise you’ll be swimming in data.” – Timothy McKnight, Executive Vice President, Enterprise Information Security & Risk, Fidelity Investments