Neon knight

Neon Knight

Security and Network Consulting

Originally Published: 2021-08-05

I have been interested in Security Analytics for some time now. I wanted to pen a piece about the economics of, and business case for Security Analytics.

Achieving a robust security posture is complex and requires many elements operating together and in an optimal manner to successfully lower the risk to reasonable levels. It is very difficult for C-Suite to quantify the value of security investments. I have said on previous occasions that there is a huge opportunity to better quantify the value of the holistic and individual elements of security solutions.

As an example. Properly deployed Segmentation is a powerful security architecture foundation. However, it can be very expensive, logistically complex and slow to insert into an operational network. It then requires continuous focus to keep rule sets current and effective. To try to quantify its value is hard. It is reasonable to summarise it as being highly effective, but comes with a high cost and a slow deployment time.

Onto the topic of Security Analytics. For the last 20 years I have been vocal about the need for Security Visibility. If you don’t have some form of visibility into security events occurring in your organisation, you have basically failed from the start. When recent major  breaches have occurred, post mortems regularly find that the perpetrators were inside the network for extended periods without discovery. 

To highlight the crying need for quality Security Analytics, look no further than the recent Solar Winds incident. Solar Winds was widely deployed on a global basis and in many environments handling both high-value and highly sensitive information. While the Sunburst malware used was reasonably sophisticated, it did utilise a heartbeat to communicate to an external Command-and-Control server. How many organisations detected this? None that I have found! In my opinion, this is dreadful indictment on the effectiveness of the Security operations landscape. 

There are many different ways to achieve Security Visibility including several highly effective open-source tools. If you have no, or little budget, these can provide a good starting point and are certainly way better than nothing. However, these only go so far. They do require expertise and often a reasonable time investment. While the tool may be free, the time investment and expertise isn’t. Also, they generally perform poorly against sophisticated malware.

I have previously spoken about Zero Trust. One of the foundational concepts of Zero Trust is understanding key information assets. In any business case for security, it is important to understand the financial and/or business impact if those resources were compromised through an event such as ransomware or extortion threatening public disclosure. The impact for many affected organisation has been severe to catastrophic.

I am aware of numerous situations where boards and senior management would not adequately fund proactive security measures, but were later happy to pay out potentially millions of dollars to ransomware organisations in an attempt to retrieve their data with an at-best probably of 50%. In many cases it was simply impossible to recover. Or key files, usually the large and critical ones like databases, were rendered corrupt.

The most key business benefit of a Top-Tier Security Analytics system is its Time-to-Value. These systems can usually be deployed quickly with a modest investment (emphasis added)!

At a technical level the deployment can be as simple as providing port mirrors at strategic points-in-the-network, potentially the Internet Perimeter and/or the Data Centre Perimeter, possibly others. Result – a sophisticated level of visibility can be quickly obtained. This places the organisation in a dramatically better position to react and is a component of Zero Trust Architectures.

It can’t be stressed strongly enough that should your organisation be hit with a Ransomware attack, and you need to enact an Incident Response, it is too late at that point to be looking to deploy tooling. Put bluntly, if this is not in place ahead of time, you’re screwed! 

Ransomware attacks have become far more efficient. In that past, miscreants may have been in the network for months. Today, ransomware attacks are often completed start to finish in less than 24 hours. It is a well-oiled industry now. The point being that tooling which allows rapid and accurate detection is now critical. You must be able to quickly and accurately detect the threat and its propagation vector to stop it.

Some other benefits of Analytics;

  • Can help to Identify assets, including shadow IT. Gaps or inaccuracies in asset inventories are a big issue.
  • Provide an ability to identify and accurately quantify many security risks. This allows more robust business cases for security investment.
  • Furthermore, it can provide a foundation for a Security Metric driven approach.
  • Provides early warning. 
  • Provides an Incident Response tool which can be quickly leveraged to identify the attack, its type, sources, affected devices, trajectories, etc. 
  • Sophisticated Analytics make it easier for your staff. It is a well-recognised problem that quality security staff are both hard to find and overloaded. Making these staff more effective through analytics tooling, should be a no brainer. 

While several years ago the analytics scene was full of over-statement and marketing dribble in relation to the use of machine learning techniques. Today, the top-tier platforms are genuinely leveraging ML in meaningful and impactful ways. 

In summary, I believe the Top-Tier Security Analytics platforms punch well above their weight in terms of value. I believe they are hugely under adopted and would encourage organisation to look into this technology space further.