With Security Analytics, Quality Means More Than Quantity

Written by Rohit Dhamankar, Vice President, Threat Intelligence, Alert Logic.

In the cybersecurity market, detecting attacks early — hopefully, before a breach occurs, but certainly as early in the kill chain as possible — and neutralizing them before damage is done is critical.

But success in today’s complex technology environment depends on security analytics and their effectiveness.

Security analytics is a generic term for a data-centric approach to cybersecurity. It combines software, algorithms, and analytic processes to analyze volumes of data and detect threats to information systems.

A discussion of security analytics often leads to the question of quantity. How many analytics does a solution have? How many should it have? The more analytics you have, the more protected your systems are, right?

Not necessarily.

With analytics, once you get beyond a minimum threshold, it’s the quality of the analytics that matters. The numbers game alone doesn’t mean much — it depends on what the analytic is aimed at and how deep it goes.

What does this mean?

The best way to explain this quality concept is through an example. Let’s say you have some expensive diamond jewelry stored in a vault in your home, and you want to keep them from being stolen. You secure the entrances to your home, but thieves are persistent, mounting nearly continuous assaults against your house, looking for any possible vulnerability or mistake in your security system.

What if they find a way in?

If you had a security system based on a set of analytics that tracked any time a piece of jewelry was removed and replaced, noted when these actions occurred, and flagged any activity considered suspicious or unusual, you could investigate and then take action to stop the items from being taken.

In other words, with a small set of targeted, behavior-based analytics, you can ensure your most valuable items are protected. Otherwise, you may need hundreds, if not thousands, of rule-based analytics continuously monitoring your environment to achieve the same level of protection.

Why does this matter?

One reason is false positives.

For example, a solution may claim to use thousands of analytics. But what do those analytics actually do, and what do they protect you against? Just because a solution touts thousands of analytics, doesn’t necessarily mean your systems have more protection.

This is because alerts and analytics are closely related: the more analytics you have, the more alerts you have. And more alerts often result in a higher number of false positives, which take time and energy to investigate. Security teams report wasting about 25% of their time chasing down false positives.

A second reason is effectiveness.

Although it is true that the traditional concept of the network perimeter has changed, there is still a layering aspect to security in that our goal is to stop attacks from penetrating our networks whenever possible. For example, we know web applications and web application management interfaces are attractive targets for attackers. Therefore, using targeted analytics, we can stop a lot of attacks before they ever gain entry to our networks.

Another example of this is protecting cloud infrastructure. A few targeted analytics can identity suspicious behavior such as login attempts from unusual locations across the globe, troubling API calls or requests to start up new infrastructure environments. This can help you cover the highest risks to your environment without overwhelming your system with trivial alerts.

Investigate the depth and breadth of analytics

Security analytics are essential for cybersecurity. But quantity of analytics alone doesn’t ensure your systems are protected. That’s why using a combination of approaches is important.

About the Author

Rohit Dhamankar is Vice President, Threat Intelligence, Alert Logic.

Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, and customer solutions. Dhamankar holds a Master of Science in Electrical Engineering from the University of Texas Austin and a Master of Science in Physics from IIT in Kanpur, India.