A SANS Survey
Written by Dave Shackleford
Advisor: Barbara Filkins
October 2014
Sponsored by AlienVault
Analytics and Intelligence Survey 2014
©2014 SANS™ Institute
Introduction

Despite perceived gains in security analytics and intelligence capabilities, many organizations are still using the term analytics to describe what is fundamentally event management and monitoring, according to the SANS 2014 Analytics and Intelligence Survey, recently taken by 350 IT professionals. By conducting this survey, SANS had hoped to see more improvement in the use and benefits of security analytics and intelligence. However, security teams are struggling with visibility, and uptake of "intelligence" remains slow.

Twenty-nine percent of respondents still do not correlate their log and event data with internally gathered or external threat intelligence (38% did not in our 2013 survey),1 and 39% of respondents today say they lack visibility into applications, underlying systems and vulnerabilities, with 20% indicating that it is their number one impediment.

The survey also shows that those who are properly deploying analytics and intelligence are experiencing the benefit of improved visibility, but only to the degree that they are integrating across platforms for security response. Only 16% had highly automated and 9% fully automated intelligence and analytics capabilities within their overall IT infrastructures. Yet the survey also shows respondents are putting more of the correlation responsibility on their service providers. As such, SANS expects service providers and vendors to make integration and automation a priority for their customers in 2015.

SANS Analyst Program, SANS Analytics and Intelligence Survey 2014

1 www.sans.org/reading-room/whitepapers/analyst/security-analytics-survey-34980
Correlation and Analysis
• 27% correlate threat intelligence data internally with security information and event management (SIEM) technology.
• 31% rely largely on service providers and other vendors to feed intelligence data and correlate it for them.
• 55% of those using analytics and intelligence (A&I) are experiencing improved correlation ability.
• 61% of respondents say analysis of "big data" will play at least some role in detection and response.

Getting Smarter
• 50% invest in third-party intelligence tools or services.
• 47% are still investing in SIEM tools to support analytics.
• 47% feel their intelligence and analytics practices are fairly automated.
• 58% are satisfied with their speed of detection and response.

Data Analytics
Data-driven information security is not new, but pinpointing its inception date is
probably impossible. One might consider the rise of intrusion detection systems (IDSs)
to mark the start of this trend, beginning in the late 1980s and anchored by a
1986 paper by Dorothy E. Denning and Peter G. Neumann that presented a model of an
IDS that forms the basis for many systems today.2 Since then, analyzing logs, network
flows and system events for forensics and intrusion detection has become an increasingly
complex problem in the information security community, with regulatory demands
increasing and the number of devices that need to be monitored exploding.
Subsequent surveys have shown that security information and event management (SIEM)
tools are now replacing log management tools to handle this explosion of security data.
The hope is that by correlating all types of security data coming at them, organizations
can finally find that “needle in a haystack” and gain visibility into what is happening.
Unfortunately, as past SANS surveys have shown, most organizations continue to
struggle with the means to analyze all this data, put context around it and provide the
visibility organizations need to see and stop threats coming at them. Some SIEM vendors
have moved forward with their own intelligence layer to wrap into the SIEM, while
others turn to third-party intelligence services to help connect the dots.
Even as more intelligence providers come on the scene to help organizations connect
the dots among their alarms, logs, network behaviors and other indicators of events,
security teams will need trained staff who can distinguish normal from abnormal
behavior and think just enough outside the box so that they can flag deviant behavior.
They should be able to do so through their SIEM or other security information
management platforms. Sorting through all the data manually will not be possible,
particularly when time is of the essence.
ANALYTICS: the discovery (through various analysis techniques) and communication (such as through visualization) of meaningful patterns or intelligence in data
2 Denning, Dorothy E., “An Intrusion Detection Model,” Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131. http://users.ece.cmu.edu/~adrian/731-sp04/readings/denning-ids.pdf
About the Respondents

A broad range of industries, organization sizes and IT security budgets are represented
in the 350 participants who completed this year's survey. As shown in Figure 1, the top
single category is the financial industry, registering 17% of respondents; however, the
aggregate government (federal, state/local and military) category comprises the largest
total sector represented, with a total of 21%.
The "Other" category, which accounts for 15% of the sample, includes such areas as
insurance, consumer technologies, IT services, cloud vendors and other such industry
segments, illustrating a widespread interest in analytics.

Figure 1. Survey Participant Industries (question: What is your company's primary industry? Categories: Financial services/Banking; High tech; Health care/Pharmaceuticals; Telecommunications carrier/Service provider; Government: State or Local; Manufacturing; Retail; Government: Federal agency; Government: Military; Education; Energy/Utilities; Aerospace; Travel/Leisure; Engineering/Construction; Other)
Respondents represented organizations of all sizes, with large international organizations of more than 50,000 employees accounting for 19% of the sample, as shown in Figure 2.
The respondents also represented a variety of job titles and management levels, indicating that security team members who are familiar with analytics and event management are likely the operators of tools and day-to-day technical practitioners. See Figure 3.
Figure 2. Size and Geographic Scope of Respondents (question: How large is your organization? Categories: Fewer than 100 employees; 100 to 499; 500 to 1,999; 2,000 to 4,999; 5,000 to 9,999; 10,000 to 24,999; 25,000 to 49,999; 50,000 or more employees; Not applicable. Each split into International Business and Domestic Business)
Figure 3. Survey Respondent Roles (question: What is your primary role in the organization, whether as staff or consultant? Categories: Security administration/Security analyst; Incident responder; Network or systems engineering; Compliance officer/Auditor; Security manager/Security director/CSO/CISO; Network operations/System administration; IT manager/IT director/CIO; Forensics professional; Developer; Privacy officer; Other)
However, more security disciplines are interested in and involved with analytics
projects and concepts than ever before, as evidenced by the "Other" responses, which
included such titles as security architect, pen tester and security contracts program
manager, and even one title that said "big data analyst."
Based on responses, most security teams assigned to detection and response have
from two to four full-time employees, with duties split fairly evenly among employees.
There is also some overlap, with the same team members responsible for both detection
and response. This overlap occurs in both small organizations and larger organizations.
Figure 4 breaks down the number of full-time equivalents (FTEs) each organization has
in each role.
These results also align with the recently published SANS Incident Response Survey,3 in
which the most common dedicated response team size was three to five team members.
Figure 4. Detection and Response Team Size (x-axis: < 1 FTE; 1 FTE; 2–4 FTEs; 5–10 FTEs; > 10 FTEs. Series: Responsible for detection; Responsible for response; Responsible for both)
3 www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342
Risks, Threats and Visibility

The number of respondents who don't know whether they've been hacked (24%) has actually
grown since last year's survey, in which only 20% didn't know if they had been hacked.

This response might indicate that organizations have less visibility into events and
attacks in their environments. It could also indicate a new level of honesty: "We've taken
stock of the environment, and we know we don't know a lot," which at least gives us a
healthy starting point from which to improve. See Figure 5.

Of those organizations that are able to detect attacks, more than 23% experienced 2 to 5
breaches or significant attacks in the past two years, while 6% experienced more than 50
attacks in the same period, nearly double last year's figure (3%). This again points to
the conclusion that, despite the data available to them, organizations are still unable
to get the visibility they need to detect and respond to attacks.

Forty-five percent of respondents either didn't know or had experienced no breaches or attacks in the past two years.

Figure 5. Number of Advanced Attacks in Past Two Years (question: How many breaches or significant attacks has your organization experienced in the past two years that required response and remediation? Categories: Unknown; None (that we know about); 1; 2 to 5; 6 to 10; 11 to 20; 21 to 50; 51 to 100; More than 100)
Time to Detection
Of the 55% of the responding organizations that have suffered a breach or significant
attack in the last two years, 54% indicated that the average time to detection for an
impacted system was one week or less. When asked about the shortest time, 59%
indicated breaches were usually detected within the same day. An additional 13% report
the shortest time to detection was within one week, and 4% chose within 3 months. On
the other end of the spectrum, some 5% of organizations indicated their longest time to
detection was more than 10 months. There are also many who indicated that they didn’t
know their best, worst and average detection times.
What do these responses indicate? Much like we saw in 2013, it seems that many
organizations feel they are detecting threats fairly rapidly. Many signature-based tools,
like antivirus, are still contributing to short detection times, but there have also been
improvements in intelligence based on event collection and analysis. (We’ll get to this
point later in the paper.)
Barriers to Detection and Response
When asked about their key impediments, visibility is directly implicated as a key
issue for respondents, 39% of whom cited lack of visibility into application, underlying
systems and vulnerabilities as their overall top impediment to attack detection and
response (20% indicated that it was their number 1 impediment). They also pointed
to lack of visibility across networks, with 25% overall selecting this option, and 22%
selecting lack of visibility into endpoints and specific users. Another 19% chose lack
of visibility into mobile devices, and 14% chose lack of visibility into cloud-based
applications and processes.
A breakdown of responses is shown in Table 1.
What is even more enlightening is the high emphasis respondents place on other
impediments that are most likely the root causes of why there is a lack of visibility:
• Knowing what to look for (36% cite inability to understand and baseline normal
behavior)
• Having the trained resources to perform the analysis (30% cite lack of people, skills
and resources)
• Knowing what key information to collect and correlate (26% admit to not
collecting the appropriate data)
Given respondents’ answers to the size of teams handling response and remediation,
resources will continue to be a problem until the day that organizations can automate
and integrate their analysis, intelligence and response functions.
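As an added illustration of the baselining respondents say they cannot do (example code written for this page, not code from the survey or from any vendor), the script below builds a per-user baseline of daily successful logins from a training window of constructed syslog-style lines, then scores a later day and flags any account that exceeds its mean plus three standard deviations, or that has no baseline at all because it never appeared in the training window. The log line format, the user names, the source addresses and the thresholds are assumptions made for the example; a zero standard deviation is floored at one login so a perfectly regular account does not alert on a single extra login.

```python
"""Baseline per-user daily login counts from authentication logs and flag
exceptions. Added example for this page, not code from the SANS survey.
The log format, user names, thresholds and data are constructed."""
import re
import statistics
from collections import defaultdict

# Constructed syslog-like line format (an assumption, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ auth sshd: Accepted \w+ for (?P<user>\S+) from \S+$"
)

def daily_counts(lines):
    """{user: {day: successful-login count}}; lines that do not match are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[m["user"]][m["ts"]] += 1
    return counts

def build_baseline(training_lines):
    """Per-user (mean, stdev) of daily logins over every day seen in training.
    Days on which a user did not log in count as zero, so a quiet account gets
    a low mean instead of being ignored."""
    counts = daily_counts(training_lines)
    days = sorted({d for per_day in counts.values() for d in per_day})
    baseline = {}
    for user, per_day in counts.items():
        series = [per_day.get(d, 0) for d in days]
        baseline[user] = (statistics.fmean(series), statistics.pstdev(series))
    return baseline

def score_day(new_lines, baseline, day, k=3.0, floor=1.0):
    """Return sorted [(user, count, reason)] for users whose count on `day`
    exceeds mean + k * stdev, or who have no baseline at all. `floor` stands
    in for a zero stdev so one extra login on a regular account is not an alert."""
    alerts = []
    for user, per_day in daily_counts(new_lines).items():
        n = per_day.get(day, 0)
        if user not in baseline:
            alerts.append((user, n, "no baseline: account not seen in training window"))
            continue
        mean, stdev = baseline[user]
        limit = mean + k * max(stdev, floor)
        if n > limit:
            alerts.append((user, n, f"{n} logins exceeds {limit:.1f} "
                                    f"(baseline mean {mean:.1f}, stdev {stdev:.1f})"))
    return sorted(alerts)

def detect(training_lines, new_lines, day, k=3.0):
    """Convenience wrapper: baseline on the training window, score one day."""
    return score_day(new_lines, build_baseline(training_lines), day, k)

# --- constructed sample data (not real logs) ---
def make_lines(user, day, n, src):
    return [f"{day}T08:{i:02d}:00 auth sshd: Accepted password for {user} from {src}"
            for i in range(n)]

TRAINING = []
for d in range(1, 6):  # five quiet days: alice 2 logins/day, bob 1/day
    day = f"2014-10-0{d}"
    TRAINING += make_lines("alice", day, 2, "10.1.2.3") + make_lines("bob", day, 1, "10.1.2.9")

NEW_DAY = "2014-10-06"
NEW_LINES = (make_lines("alice", NEW_DAY, 2, "10.1.2.3")
             + make_lines("bob", NEW_DAY, 9, "10.1.2.9")          # spike for bob
             + make_lines("svc-backup", NEW_DAY, 1, "10.1.2.50")  # account never seen before
             + [f"{NEW_DAY}T08:30:00 auth sshd: Failed password for root from 203.0.113.7"])

if __name__ == "__main__":
    for user, count, reason in detect(TRAINING, NEW_LINES, NEW_DAY):
        print(f"ALERT {user}: {reason}")
```

The two alerts it raises on the constructed data are bob (9 logins against a baseline of 1 per day) and svc-backup (no baseline); alice stays quiet. The same structure applies to any count you can derive from a log line (bytes out per host, distinct destinations per user, failed logins per source), which is the point the impediment table makes: the hard part is deciding what to count and collecting it, not the arithmetic.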
TAKEAWAY: Visibility holds the key to improved detection and response capabilities. Organizations need to understand their environment and what constitutes normal and abnormal behavior, train staff on how to use analytic tools and define the data they need to collect.
Table 1. Impediments to Attack Detection and Response
(First, Second and Third give the share of respondents who ranked the impediment in that position; Overall is the sum of the three.)

Impediment | Overall | First | Second | Third
Lack of visibility into applications, underlying systems and vulnerabilities | 39.1% | 19.8% | 9.5% | 9.9%
Inability to understand and baseline "normal behavior" (in order to detect abnormal behavior) | 36.2% | 12.3% | 13.6% | 10.3%
Lack of people and skills/dedicated resources | 30.0% | 11.1% | 9.5% | 9.5%
Not collecting the appropriate operational and security-related data to make associations with | 26.3% | 6.2% | 9.1% | 11.1%
Lack of visibility into the network | 24.7% | 11.9% | 7.8% | 4.9%
Lack of visibility into the endpoints and specific users | 22.2% | 9.1% | 9.1% | 4.1%
Lack of visibility into mobile devices | 19.3% | 4.5% | 8.2% | 6.6%
Lack of context to know what threats are important based on criticality of assets | 18.5% | 4.9% | 9.1% | 4.5%
Lack of external perspective/intelligence on new threats/indicators of compromise | 15.6% | 3.7% | 3.3% | 8.6%
Lack of visibility into the cloud-based applications and processes | 14.4% | 3.3% | 4.9% | 6.2%
Lack of central reporting and remediation controls | 13.6% | 2.1% | 2.5% | 9.1%
Alerting Mechanisms
Tried, tested and mature technologies still dominate the alerting mechanisms respondents
use to detect real events in their enterprises. The majority (57%) indicated that
traditional perimeter defenses such as IDS, IPS and firewall platforms were the tools
that first alerted them to their breaches. Another 42% chose endpoint agents such as
antivirus as the source of their initial alerts. Figure 6 shows the full range of
responses.
Automated alerts from SIEMs were the initial source 37% of the time, an indication that
current SIEM platforms can analyze data and generate intelligence-driven alerts. Still,
32% of respondents indicated that retrospective, largely manual review of logs or
SIEM-related data was responsible for initial discovery.
Because respondents could choose more than one answer, organizations are clearly
mixing a variety of these choices into their incident detection and investigation. This
response also shows movement toward SIEM-based analytics and intelligence, which
can be programmed to make intelligent alerts and integrate with outside intelligence
services as needed.
Figure 6. Initial Security Event Detection (question: How were these events brought to the attention of the IT security department? Please select all that apply. Responses: Our perimeter defenses (IPS/IDS/Firewall) alerted us; Automated alert from our SIEM; Retrospective review of logs or SIEM-related data (largely manual); Endpoint monitoring software alerted us automatically; An outside party alerted us to malicious behavior coming from our network; A user called about a misbehaving endpoint; Other)
The Role of Security Data Analytics in Building Security Intelligence
Despite market impressions that “big data” was a buzzword, respondents to this year’s
survey believe the concept is valid (whereas in 2013 they didn’t believe it was going to
stick). In this year’s survey, 36% feel that the concept of big data is key for detection and
investigation, and another 25% see the growing importance of big data and analytics in
event management and security intelligence (see Figure 7).
One thing is certain: Analytics solutions will need to integrate with numerous internal
detection platforms in an effort to increase visibility and improve security intelligence.
As you can see from Figure 8, tried and tested legacy technologies (firewalls, IPS, UTM)
are currently employed most frequently, as is host-based malware detection (which
accounts for the results in Table 1).
Figure 7. The Role of Big Data in Event Management and Security Intelligence (question: What is your take on the notion of "big data" (wherein SIEM, log management, endpoint, network traffic, application, access and other records from systems are collected and analyzed for patterns)? Responses: Big data is key for detection and investigation, now and in the future; Big data will play some part in detection and investigation but isn't central; Big data is a buzzword, we just need adequate tools to analyze the data and recognize patterns; Big data is a dead concept, it doesn't work and never has; Other)

Sixty-one percent of respondents believe big data will play at least some role in detection and investigation.
Tools focused on users, applications and systems like NAC (32%), network-based
antimalware (31%), user behavior monitoring (29%) and others seem to be increasingly
planned for future integration. Security data from these devices should also improve
correlation and analytics.
Figure 8. Current and Planned Control Integration with Analytics (question: What types of detective technologies do you need your analytics and intelligence capabilities to interface with? Please indicate which ones are currently integrated into your environment and those that are planned but not integrated yet. Categories: Firewalls/IPS/UTM devices; Host-based antimalware; Log management platforms; Application security; Network-based antimalware; User behavior monitoring; Unstructured data analysis tools; Vulnerability management tools; SIEM technologies and systems; Endpoint security (MDM); NAC (Network Access Controls); Third-party analytics platform; Open source data analysis tools (Hadoop); Other. Series: Current; Planned)
TAKEAWAY: Organizations are using or planning to use a variety of different tools. Threat intelligence data needs to integrate with a wide variety of security tools and platforms.
Threat Intelligence
Threat intelligence is the set of data collected, assessed and applied regarding security threats, malicious actors, exploits, malware, vulnerabilities and compromise indicators. Its use allows organizations to more effectively plan and act for detection and response; more accurately pinpoint implicated users, systems and actors in an event; and connect the dots between event data collection and the steps or trajectory of the attack.
In 2014, 29% of respondents state that they don’t correlate log and event data with internally gathered data or external threat intelligence tools. In 2013, 38% of respondents stated that they were not correlating log and event data with any external threat intelligence tools. This difference indicates a slight growth in the use of threat intelligence tools and services.
Correlation may also be moving to a services model, with the largest group (31%) stating that their correlation is handled largely by the service providers and other vendors they rely on to feed intelligence data into the environment and update for them.
Figure 9 shows the breakdown of how threat intelligence data is being acquired and leveraged for detection and response programs.
The use of both external and internal threat intelligence is increasing, although correlation with existing security technology and processes is somewhat stagnant.
This actually shows some maturation of the intelligence industry since last year’s survey, with vendors and service providers stepping in to fill the gap where issues like standardization of event information and having the internal knowledge of events cannot be overcome by individual IT organizations.
TAKEAWAY: Organizations need to look at different options for collecting and integrating both internal and external threat intelligence data with existing tools.
Figure 9. Collection and Use of Threat Intelligence Data (question: How is your threat intelligence data gathered and used for detection? Select all that apply.)
• We have external third parties collect advanced threat information for us to use in our security detection.
• We collect advanced threat information internally, usually through sandboxing, dissect it, and include it for future detection.
• Our SIEM vendor works with intelligence agents and updates the intelligence data for us.
• Our security analytic system intakes intelligence and indicators of compromise automatically, which enables improved detection.
• We don't correlate our event data with internally gathered intelligence data or external threat intelligence tools.
• Advanced threat information is correlated manually against information collected in our SIEM.
• Our security analytics system handles the intake of intelligence automatically behind the scenes and correlates it against whitelisting/blacklisting and reputational information.
• Other
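The automatic intake-and-correlate option in Figure 9, shown in code as an added example written for this page (not code from the survey, the sponsor or any vendor's product): the script loads a constructed indicator feed, drops entries that are expired, below a confidence floor or on a local allowlist, and then matches the destination addresses and hostnames in constructed firewall and proxy events against what remains, treating CIDR ranges and parent domains as matches. The feed layout, the event line format, every indicator and the allowlist are assumptions made for illustration; a production deployment would pull indicators from a STIX/TAXII server or a vendor API and push the resulting matches into the SIEM rather than printing them.

```python
"""Correlate firewall/proxy events against a threat intelligence feed.
Added example for this page, not code from the SANS survey or any vendor.
Feed layout, log format, indicators and allowlist are all constructed."""
import ipaddress
import re

# Constructed indicator feed: (type, value, confidence 0-100, expiry as ISO date).
FEED = [
    ("ipv4", "203.0.113.7", 90, "2014-12-31"),
    ("ipv4", "198.51.100.0/24", 60, "2014-12-31"),    # whole range, lower confidence
    ("domain", "bad-updates.example", 95, "2014-12-31"),
    ("domain", "cdn.example", 40, "2014-12-31"),       # noisy and low-confidence
    ("ipv4", "192.0.2.99", 99, "2014-09-01"),          # expired: must be ignored
    ("ipv4", "10.1.2.0/24", 80, "2014-12-31"),         # our own range: allowlisted
]

# Whitelisting: infrastructure known to be ours or known-good (assumed values).
ALLOW_DOMAINS = {"cdn.example"}
ALLOW_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed event format (an assumption, not a real product's log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<kind>fw|proxy): src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: host=(?P<host>\S+))?\s*$"
)

def load_feed(feed, today, min_confidence=50):
    """Build lookups from the feed, dropping expired, low-confidence and
    allowlisted entries. Returns ({ip_network: confidence}, {domain: confidence})."""
    nets, domains = {}, {}
    for kind, value, conf, expires in feed:
        if conf < min_confidence or expires < today:   # ISO dates compare as strings
            continue
        if kind == "ipv4":
            net = ipaddress.ip_network(value, strict=False)
            if not any(net.subnet_of(allowed) for allowed in ALLOW_NETS):
                nets[net] = conf
        elif kind == "domain" and value not in ALLOW_DOMAINS:
            domains[value] = conf
    return nets, domains

def match_ip(addr, nets):
    """Highest-confidence indicator network covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, conf) for net, conf in nets.items() if ip in net]
    return max(hits, key=lambda hit: hit[1]) if hits else None

def match_domain(host, domains):
    """Exact or parent-domain match: dl.bad-updates.example hits bad-updates.example."""
    host = host.lower().rstrip(".")
    for indicator, conf in domains.items():
        if host == indicator or host.endswith("." + indicator):
            return indicator, conf
    return None

def correlate(lines, feed, today):
    """Return [(timestamp, internal source, indicator type, indicator, confidence)]
    for every event that touches a live indicator; unparseable lines are skipped."""
    nets, domains = load_feed(feed, today)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        hit = match_domain(ev["host"], domains) if ev["host"] else None
        if hit:
            alerts.append((ev["ts"], ev["src"], "domain", hit[0], hit[1]))
            continue
        hit = match_ip(ev["dst"], nets)
        if hit:
            alerts.append((ev["ts"], ev["src"], "ip", str(hit[0]), hit[1]))
    return alerts

# Constructed sample events (not real traffic).
SAMPLE_LOG = [
    "2014-10-06T09:00:01 fw1 fw: src=10.1.2.3 dst=203.0.113.7",
    "2014-10-06T09:00:02 proxy1 proxy: src=10.1.2.3 dst=198.51.100.20 host=dl.bad-updates.example",
    "2014-10-06T09:00:03 proxy1 proxy: src=10.1.2.9 dst=192.0.2.50 host=cdn.example",
    "2014-10-06T09:00:04 fw1 fw: src=10.1.2.9 dst=192.0.2.99",
    "2014-10-06T09:00:05 fw1 fw: src=10.1.2.9 dst=198.51.100.200",
    "2014-10-06T09:00:06 fw1 fw: src=10.1.2.9 dst=10.1.2.77",
    "malformed line that a parser must not choke on",
]

if __name__ == "__main__":
    for ts, src, kind, indicator, conf in correlate(SAMPLE_LOG, FEED, "2014-10-06"):
        print(f"{ts} {src} -> {kind} {indicator} (confidence {conf})")
```

On the constructed events the script raises three alerts (the direct hit on 203.0.113.7, the subdomain of bad-updates.example, and an address inside the 198.51.100.0/24 range) and stays silent on the allowlisted CDN domain, the expired indicator and the internal destination. Expiry, confidence and allowlisting are the three filters that separate a usable feed from a source of false positives, which is why the survey's "whitelisting/blacklisting and reputational information" option pairs them with automatic intake.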
Automation
Automation is another avenue that can lead to better visibility. Based on responses,
automation of intelligence and analytics functionality is on the rise, with 25% (up from
9% in 2013) feeling that these functions are fully (9%) or highly (16%) automated, as
shown in Figure 10.
Surprisingly, 28% replied that they didn’t know the level of automation, which again
could be due to an overall lack of visibility into the environment and how it’s operating,
or it could be due to a lack of clarity on what constitutes analytics versus more disparate
tools and functions.
Figure 10. Level of Automation for Security Analytics and Intelligence Processes (responses: Fully automated; Highly automated; Fairly automated; Unknown)
TAKEAWAY: Greater emphasis on automation is needed. By increasing their automation of intelligence and analytics capabilities, organizations can reduce the effect of a lack of trained staff, improve visibility, and enhance detection and response.
Intelligence Services: Pulling It All Together
Fifty percent of respondents are currently investing in third-party intelligence tools or
services for security analytics and threat intelligence, while 36% are not. The rest (14%)
aren’t sure, which is likely due to different roles and involvement in these projects.
With such an increase in investment in intelligence, why do security professionals
still feel as if they have such little visibility? Without speculating too much, it may be
due to a lack of cohesiveness between tools and data at the current stage of many
implementations. This is likely exacerbated by the ongoing issue of silos between IT ops
and security, as indicated in SANS’ recent survey on Incident Response.4
The ideas behind central data aggregation and analysis are sound, including input
from and correlation with both internally and externally sourced threat intelligence
channels—but many organizations indicate they are in the earliest stages of
investigation and deployment of such tools.
In fact, when asked about the types of tools and services they were using for security
intelligence and analytics, their fill-in answers listing specific vendors were all over the
map: They listed SIEM, log management, malware sandboxing, web application proxies
and scanners, vulnerability scanners, and even firewalls and intrusion detection systems
vendors as their intelligence vendors. Each of these tools can collect data that can
facilitate developing an intelligence network, with their findings becoming valuable
information that can be used to stop similar future attacks.
Only 25% stated that their teams had highly (16%) or fully (9%) automated intelligence
and analytics capabilities today. That is not surprising, given the relative immaturity
of analytics architectures, data integration and definitions, and the complexity of the
threat landscape, data sources and data volumes, but we expect this group to grow at a
steady pace. Automation is key to faster integration with detection and response tools
and processes, and will probably lead to a much higher likelihood of success with
analytics overall.
4 www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342
The Present and Future of Security Analytics

Despite their lack of visibility, overall, users are experiencing benefits with the
capabilities they have rolled out. Of those using these capabilities, 58% are satisfied
with performance and response time, 55% are experiencing improved ability to quickly
correlate events and 51% are able to quickly identify compromised credentials and
phishing attacks. For those actively using analytics tools, reduction of false positives and/or
false negatives is a plus, as well, with a 50% satisfaction rating, as shown in Table 2.
However, we see dissatisfaction with current capabilities that echoes the impediments
to detection and response. The major categories in which users aren't satisfied relate to
visibility (49% dissatisfied with their "Single consistent view across disparate systems and
users, including cloud services and mobile devices," 48% dissatisfied with "Visibility into
actionable security events across disparate systems and users, including cloud services
and mobile devices," and 43% dissatisfied with their ability to separate normal from
abnormal behavior). This is likely due to the interoperability issues discussed earlier and
may reflect market immaturity. Most respondents are also dissatisfied with the training/
expertise needed to effectively operate these tools (chosen by 48% of respondents) and
costs associated not only with the tools and their maintenance, but also with having the
trained personnel to use these tools for operations and analysis (chosen by 47%).
Table 2. Satisfaction with Analytics Capabilities Today

Current Analytics and Intelligence Capabilities | Very Satisfied/Satisfied | Not Satisfied
Performance and response time | 58.4% | 33.0%
Ability to quickly correlate events to users | 54.8% | 38.1%
Ability to identify compromised credentials and phishing attacks | 51.3% | 40.1%
Reduction of false positives and/or false negatives | 50.3% | 39.6%
Producing or having a library of appropriate queries/meaningful reports | 45.7% | 41.6%
Ability to alert based on exceptions to what is "normal" and approved | 44.7% | 42.6%
Relevant event context (intelligence) to separate and observe "abnormal behavior" from normal behavior | 43.7% | 42.6%
Costs for tools, maintenance and personnel | 43.1% | 46.7%
Integration of intelligence with security response systems for proper response | 42.1% | 43.1%
Single consistent view across disparate systems and users, including cloud services and mobile devices | 40.6% | 48.7%
Visibility into actionable security events across disparate systems and users, including cloud services and mobile devices | 40.6% | 48.2%
Training/expertise required to operate intelligence systems/conduct analysis | 39.6% | 47.7%
Use Cases
For security teams actively using analytics platforms, what are the top three use cases driving the tools and services today? We asked a similar question in the 2013 survey and got some interesting results that align with this year’s data:
1. Finding new or unknown threats was the top “#1” ranking in this year’s survey by a wide margin, with 40% citing this as the primary use case, similar to the 2013 answers of “external malware-based threats” and “advanced persistent threats,” which together accounted for 39% of the #1 rankings.
2. Detecting insider threats was considered the second top use case by 23% of the respondents (10% ranked it as the top use case), which places it higher than its 2013 fourth-place ranking.
3. Overall, the top picks were finding unknown threats (55%), detecting insider threats (40%), improving visibility into network and endpoint behaviors (36%), and finding external malware-based threats (31%).
Figure 11 shows the breakdown from the 2014 survey.
These use cases indicate that, when used properly, intelligence and analytics are improving an organization’s ability to respond to threats faster, and some organizations are getting real value in finding unknown or hard-to-locate threats like insider activity.
Figure 11. Most Valuable Use Cases for Security Analytics (question: When leveraging security analytics tools, what use cases do you find most valuable? Select up to three. Categories: Finding new or unknown threats; Visibility into network and endpoint behaviors; Compliance monitoring or management; Detecting policy violations; Baselining systems for exception-based monitoring (whitelisting, reputational services); Detecting insider threats; Detecting external malware-based threats; Reducing false positives; Identifying compromised credentials; Creating fraud detection baselines; Other. Series: ranked 1, 2, 3)
Looking Ahead
Training and staffing topped the list of future investments organizations will make to fill the gaps in their security analytics and intelligence programs, with 67% selecting this option. This staffing requirement may trend down somewhat if usability, visibility and correlation between datasets improve over time, although organizations will always need IT professionals who know what’s normal to distinguish abnormal behavior.
More likely, the human element will shift in nature, away from the personnel needing to know the nuts and bolts mechanics of just running the tools toward personnel actually using the tools to analyze the data, acquire valuable information and then provide intelligence from the analysis. See Figure 12.
The high ranking of improving response capabilities and investing in SIEM tools aligns closely with the overlaps between SIEM platforms and analytics tools this survey has shown us. While SIEM is still considered a separate category of security tools by most, more and more of these instruments are consuming and analyzing bigger data sets, producing reports focused on longer-term data analysis and behavioral baselines, and integrating threat intelligence from numerous sources. When implementing analytics and threat intelligence, all these categories will need upgrades in the coming months and years to keep pace with the threat landscape we’re facing now.
Figure 12. Future Investments in Analytics/Intelligence (question: Where do you plan to make future investments related to analytics/intelligence in order to obtain better visibility and response? Categories: Personnel/Training; Security information management (SIEM) tools; Vulnerability management; Network packet-based detection; User behavior monitoring; Big Data Analytics engines; Managed security service providers; Incident response capabilities; Detection/Security Operations Center upgrades; Network protections (UTM, IDS, etc.); Endpoint threat detection and visibility; Intelligence products or services; Application protections and visibility; Monitoring for cloud-based applications; Other)
Conclusion

Based on the results of this year's survey, there are several key takeaways for the security
community. Organizations that are deploying analytics and intelligence properly are
experiencing faster response and detection times, as well as greater visibility. However,
many are confused about how to integrate and automate their intelligence collection
processes, which vendors to turn to for help, and how to differentiate tools and services.
Despite this confusion, the use of tools-based threat intelligence (for example, through
the SIEM or SIEM integration with an intelligence feed) is growing. Vendors providing a
variety of tools can capitalize on connecting the dots between their tools for big picture
analytics, while security vendors with tools that gather intelligence information are
integrating with partners and providing APIs for further integration.
We are definitely moving in the right direction. The use of analytics and threat intelligence
to ferret out complex and stealthy threats from advanced attackers and insiders is
improving security for some; automation is improving; and intelligence providers are also
helping with the tricky problems of correlating event and threat intelligence data for their
customers. Overall, these tools and services are providing value to consumers, and they
should continue to improve response and visibility over time.
About the Author

Dave Shackleford is the founder and principal consultant with Voodoo Security, a SANS analyst,
instructor and course author, and a GIAC technical director. He has consulted with hundreds
of organizations in the areas of security, regulatory compliance, and network architecture and
engineering. He is a VMware vExpert and has extensive experience designing and configuring secure
virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for
the Center for Internet Security. Dave is the author of the Sybex book Virtualization Security. Recently,
Dave co-authored the first published course on virtualization security for the SANS Institute. Dave
currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta
chapter of the Cloud Security Alliance.

Sponsor

SANS would like to thank this survey's sponsor: AlienVault