ESG's Jon Oltsik talks with Stu Bradley of SAS Fraud & Security Intelligence, about SOAPA and Security Analytics. This is part 1 of a 2-part series.
Read the related ESG Blog: SOAPA Video with SAS Software
Watch part 2 of this video series: SOAPA Interview with Stu Bradley of SAS Fraud & Security Intelligence Division - Part 2
Jon: Welcome back to the SOAPA video series. I'm joined today by Stu Bradley, Vice President of Fraud & Security Intelligence at SAS. Welcome.
Stu: Jon, thanks for having me.
Jon: I've known SAS for a long time, being in IT, but I've known them for business analytics and analytics in general. Can you talk about SAS and its role in cybersecurity?
Stu: Well, clearly, there's been a lot of hype around the analytics space or artificial intelligence within security. And despite all of the investments that have been made, there is still a lack of flexibility in how analytics are deployed to help address some of the cybersecurity issues. These investments are being made, and only 50% of analytic models are actually being deployed.
And over 80% of those analytic models take longer than 3 months to actually deploy into any type of production environment. This highlights the issue between data and value and the massive gap there, and also a massive gap between analytic models and actually driving a business outcome. So SAS's role, the role that we've been playing in analytics for well over 40 years is how do we take that data and drive that into a business outcome.
This gets to some of the point around, you know, why you actually want an analytics vendor managing your security analytics versus a security vendor bolting on an analytic application.
Jon: Yeah, that's a really good point because, at the end of the day, why do we do cybersecurity? To protect our business assets. So, with that in mind, what would be a typical customer size, industry, anything like that?
Stu: Well, I think the range of customers that we work with varies greatly. I think the one common thread for those customers is it's customers that are looking for an earlier identification of breach and helping address some of the false positive issues that have been surrounding analytic deployments to date.
Jon: Sure.
Stu: We work with both IT and then operational technology environments, and we're really looking to have a full coverage over the scope of an organization's network, including any IP-enabled device that might not be suited for deployment of an endpoint agent.
Jon: Okay. So in my discussions with SAS, I've been very impressed with the way you've started. And you've always said to me, "What's really important is to look at the data. So what is the data you're collecting? What's the data model?" Can you elaborate on that for our audience?
Stu: Yeah. So it's been proven in our pedigree that about 80% of the time spent on analytics is all around management of that data. And the data orchestration, the data quality, the enrichment of that data oftentimes gets overlooked. And if you're overlooking that data and you're not driving efficiency into that data, you're not going to get the results out of your analytics that you desire.
So by enrichment, I mean looking at data sources across NetFlow and web proxy, DHCP, DNS, endpoint, firewall and ensuring that you can enrich those in real time, in-stream, to be able to create a contextualized dataset for the application of analytics. And if you can get that right up front, your success in your analytic methodologies is going to be magnified.
Jon: For the audience's benefit, what do you mean by data enrichment?
Stu: So it's taking every authentication event that you have on your network and associating that to a device and, ultimately, a user and being able to leverage NetFlow as the first-class data citizen such that you get the behavioral profile, and you're enriching from an authentication event with all of the behavioral attributes, the way a device is communicating on a network, the activity on an endpoint such that you can get a holistic view.
You can also look at the peer groups of those users and devices and be able to not only analyze against past historical behavior, but analyze against the behavior of that peer group as well. And that gives you a much different view into the identification of security risk.
Jon: Sure. And I'm glad you mentioned risk because one of the use cases that you talk about is for risk identification and risk mitigation. So what are you doing there?
Stu: So we're ultimately looking at all of the devices on an organization's network and creating a risk score based upon behavioral aspects. We are applying a multi-pass analytic approach. So this not only identifies behavioral attributes that could be indicative of risk, but goes through a second pass and allows us to mine those behavioral events such that we can better associate it to an overall security risk and do a risk score.
And it's really showing great results in the reduction of false positives and ensuring that we can feed that contextual information to the security analyst such that they can do a more effective job of investigating that alert.
Jon: Yeah, and if you can do that, that's a CISO's dream to have that kind of risk scoring so that they can then take that to the business people, and they can do effective planning on cybersecurity investment. So you're in the right spot. Can you stick around for part two of the video?
Stu: I'd love to.
Jon: Okay. We'll be back soon with part two of our video with SAS.
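The enrichment and peer-group analysis Stu describes (joining each authentication event to a device via DHCP, attaching NetFlow volume as the behavioral attribute, then scoring a user against their peer group) is sketched below as an added example. It is not SAS code and not part of the interview; the hosts, users, addresses, lease windows and the 900-second attribution window are all constructed. The one caveat it is built to show: DHCP addresses get reused, so the IP-to-device join has to be done on time as well as address, or the wrong user inherits someone else's traffic.

```python
"""Added example (not SAS code): enrich auth events with DHCP lease context and
NetFlow volume, then score each user against their peer group. All sample data
below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Lease:
    """DHCP lease: which device held an IP between start and end (epoch seconds)."""
    ip: str
    device: str
    start: int
    end: int


@dataclass(frozen=True)
class Auth:
    """Authentication event: user logged on from src_ip at ts."""
    ts: int
    user: str
    src_ip: str


@dataclass(frozen=True)
class Flow:
    """NetFlow record: bytes sent from src_ip at ts."""
    ts: int
    src_ip: str
    dst_ip: str
    nbytes: int


# Constructed sample data (hypothetical hosts, users and addresses).
# 10.0.0.5 is reused by two devices, so the join must use time, not IP alone.
LEASES = [
    Lease("10.0.0.5", "lt-alice", 0, 3600),
    Lease("10.0.0.5", "lt-dave", 3601, 7200),
    Lease("10.0.0.6", "lt-bob", 0, 7200),
    Lease("10.0.0.7", "lt-carol", 0, 7200),
]
AUTHS = [
    Auth(100, "alice", "10.0.0.5"),
    Auth(120, "bob", "10.0.0.6"),
    Auth(130, "carol", "10.0.0.7"),
    Auth(4000, "dave", "10.0.0.5"),
]
FLOWS = [
    Flow(200, "10.0.0.5", "203.0.113.9", 20_000),
    Flow(300, "10.0.0.6", "203.0.113.9", 25_000),
    Flow(350, "10.0.0.7", "203.0.113.9", 22_000),
    Flow(4100, "10.0.0.5", "198.51.100.4", 900_000),  # dave's session: large upload
]
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance"}
WINDOW = 900  # assumed: seconds of NetFlow attributed to each auth event


def device_for(ip: str, ts: int, leases: List[Lease]) -> Optional[str]:
    """Resolve an IP to the device holding its DHCP lease at time ts."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts <= lease.end:
            return lease.device
    return None


def enrich(auths: List[Auth], leases: List[Lease], flows: List[Flow],
           window: int = WINDOW) -> List[dict]:
    """Attach device identity and outbound NetFlow volume to each auth event."""
    out = []
    for a in auths:
        dev = device_for(a.src_ip, a.ts, leases)
        vol = sum(f.nbytes for f in flows
                  if f.src_ip == a.src_ip and a.ts <= f.ts < a.ts + window)
        out.append({"ts": a.ts, "user": a.user, "device": dev, "bytes_out": vol})
    return out


def peer_zscores(enriched: List[dict], peers: Dict[str, str]) -> Dict[str, float]:
    """Score each user's outbound volume as a z-score against their peer group."""
    by_group = defaultdict(list)
    for e in enriched:
        by_group[peers.get(e["user"], "unknown")].append(e["bytes_out"])
    scores = {}
    for e in enriched:
        vals = by_group[peers.get(e["user"], "unknown")]
        mu, sd = mean(vals), pstdev(vals)
        scores[e["user"]] = 0.0 if sd == 0 else (e["bytes_out"] - mu) / sd
    return scores


if __name__ == "__main__":
    rows = enrich(AUTHS, LEASES, FLOWS)
    for row, z in zip(rows, peer_zscores(rows, PEER_GROUP).values()):
        print(f"{row['user']:6} {row['device']:10} {row['bytes_out']:>8} z={z:+.2f}")
```

Without the lease window, dave's 900 KB upload from 10.0.0.5 would be attributed to alice's earlier logon from the same address, which is exactly the kind of false positive the interview says enrichment is meant to remove. In a real deployment the peer baseline would come from days of history rather than four events, and the same score would be computed against the user's own past behavior as a second pass.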