Most Recent Blogs

There’s an old saying that change is the enemy of security. To avoid disruptive changes, many cybersecurity professionals strive for tight control of their environment and this control extends to the management of security technologies. Experienced cybersecurity professionals often opt to install management servers and software on their networks so that management and staff “owns” their technologies and can control everything they can.

Now this type of control has long been thought of as a security best practice so many CISOs continue to eschew an alternative model: a cloud-based security management control plane. 

Security teams collect a heck of a lot of data today. ESG research indicates that 38% of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month. What types of data? The research indicates that the biggest data sources include firewall logs, log data from other types of security devices, log data from networking devices, data generated by AV tools, user activity logs, application logs, etc.

ESG recently surveyed 412 cybersecurity and IT professionals asking a number of questions about their organization’s security analytics and operations. Overall, security operations are quite difficult, many organizations complain about too many manual processes, too many disconnected point tools, and a real shortage of the right skills. These issues can lead to lengthy incident detection and response cycles or worse yet, damaging data breaches. Just ask Equifax.

Old friend Mike Banic recently stopped by ESG to kibitz about ESG’s SOAPA concept. Mike brings a world of experience to this topic. As VP of marketing at Vectra Networks, Mike sees enterprise challenges around security operations, and then works with customers to address their issues. 

In part two of our video series, Mike and I focus our discussion in a few areas including:

• Machine learning. In a recent ESG research survey, only 30% of cybersecurity professionals claim they are “very knowledgeable” about the role of machine learning and AI for cybersecurity operations. Given this, I asked Mike to act as an industry spokesperson to define machine learning and explain where it fits in cybersecurity operations. Mike says that machine learning is used to find features and patterns in the data so you can train the model to look for malicious behavior like a remote trojan suddenly beaconing out to an external IP address. 

ESG recently published a new research report titled, Cybersecurity Analytics and Operations in Transition. The report is based upon a survey of 412 cybersecurity and IT professionals directly involved in their organization’s security operations processes.

As part of the survey, respondents were presented with several statements and asked whether they agreed or disagreed with each. Here are a few of those statements with my analysis.

• 73% of survey respondents strongly agreed or agreed with the statement: Business management is pressuring the cybersecurity team to improve security analytics and operations. If you want proof that cybersecurity is a boardroom-level issue today, here it is. The good news is that the survey also indicates 81% of organizations plan to increase their security operations budget so business executives are willing to throw money at the problem. The bad news is that the cybersecurity team is now on the hook to deliver measurable improvements and ROI. 

Old friend and VP of marketing at Vectra Networks, Mike Banic, stopped by to discuss ESG’s security operations and analytics platform architecture (SOAPA) and its impact on cybersecurity. In part 1 of our discussion, Mike and I chat about:

• Why network telemetry is so important for security analytics. Mike reminds me that ‘the network doesn’t lie.’ In other words, cyber-attack kill chains are synonymous with network communications so threat detection equates with knowing what to look for within network traffic patterns.

In this video blog, my colleague Jon Oltsik and I discuss some of the insights from ESG’s cybersecurity research we expect to be topical at Black Hat USA 2017, including:

• The challenges and solutions around security operations and analytics and the need for a security operations and analytics platform architecture (SOAPA).
• The constant state of change in the endpoint security landscape in which organizations regularly re-evaluate processes, technologies, and vendors.
  

Old friend and Exabeam CMO, Rick Caccia, returned for some additional banter around SOAPA. Part 2 of our video discussion features:

1. A discussion about market confusion around machine learning/artificial intelligence for security analytics. Rick explains that AI depends upon pre-built use-cases and that customers must understand what they are (and aren’t) buying when they look at this technology.
2. How user behavior analytics (UBA) evolves into SOAPA. Rick outlines the transition he’s seeing in the market and how customer needs are driving Exabeam’s architectural R&D.

As an architectural solution, a security operations and analytics platform architecture (SOAPA) provides software services and interfaces for data exchange, product integration, and deep analysis of security data. This gives organizations the opportunity to replace existing point technologies or integrate individual technologies into a systematic architectural solution. 

Enter Exabeam, a company focused on delivering its own architecture for security analytics and operations. Exabeam offers products for log management, user/entity behavior analysis (UEBA), and security operations automation/orchestration. Furthermore, each individual product can be combined into SOAPA for enterprise organizations. 

My colleague Doug Cahill and I spend a lot of time thinking about security operations and analytics these days. Why? Enterprise organizations are under constant attack from increasingly sophisticated cyber-adversaries so they need better situational awareness about their security posture at all times.

Unfortunately, many organizations aren’t doing a very good job in this area. Many anchor security operations to an amalgam of point tools that don’t interoperate. Security operations often depend upon manual processes and the wisdom of a few key employees. And let’s not forget that when it comes to cybersecurity, many organizations remain understaffed and lacking the right skills. ESG research from earlier this year indicates that 45% of organizations say they have a “problematic shortage” of cybersecurity skills today.

Just how bad are these problems and what can be done to address them? Doug and I will discuss these and other security operations topics in an upcoming webinar in July.