A recent Ponemon Institute study has examined the use and effectiveness of security analytics solutions. The study shows that while security analytics solutions can help organizations improve their security posture, there are many challenges with both deployment and day-to-day use.
The purpose of the study was to find out how – and how much – these solutions are helping organizations and where they are failing.
The study, which was sponsored by analytics firm SAS, was conducted on 621 IT and IT security professionals in the United States that are involved with security analytics in their respective organizations. 87% of respondents said they personally used security analytics solutions in their organization, while 80% of respondents said those solutions were fully deployed.
Most commonly, security analytics solutions are deployed after a cyberattack has been suffered. 68% of organizations said an attack was the main driver for implementing an analytics solution. 53% said it was fear of a cyberattack or a successful intrusion that spurred them to start using an analytics solution, while 44% said they deployed an analytics solution to meet compliance requirements.
The most common analytics solutions are tools that have been developed in house, which are used by half of organizations, while a Security Information and Event Management (SIEM) solution was used by 47% of respondents. Those solutions were deployed both on premises and in the cloud by 40% of respondents. 33% said they only used the solution on premises, while 23% only used the solution in the cloud.
There are clear benefits to using a security analytics solution, although deployment is challenging. The solutions require extensive configuration and tuning before they are effective. 56% of respondents said they found deployment difficult or very difficult.
Other major problems were the sheer volume of data that needs to be analyzed – a problem for 51% of respondents – and getting access to the necessary data – rated as a problem by 45% of respondents.
Once access to the required data has been achieved, the challenges do not stop. 66% of respondents said they experienced problems with data quality, while integrating data was an issue for 65% of respondents.
The main purpose of security analytics solutions is to gain insight into security events as they happen. 72% of respondents wanted to see what was happening now, while 69% said they used the solutions to find out about past security events. 65% of respondents used the solutions to provide advance warnings about potential internal and external threats.
That said, many respondents were failing to detect the threats they most wanted to find. Half of respondents wanted their analytics solutions to detect data exfiltration, yet only 33% of respondents said their solution had that capability. 40% said they wanted to use their solution for adversary reconnaissance, but only 35% said their solution was capable of providing that information. 36% wanted their solution to detect lateral network movement, yet only 31% of respondents said their solution provided that information. Detecting malicious insiders and internal threats was important for 36% of respondents, yet only 23% said their solution had the necessary capability.
Information is needed quickly for it to be most beneficial, yet only 28% said their solution could provide information in real time or every few minutes. 40% of respondents said their solution only provided data hourly or daily.
The overwhelming feeling was that the use of security analytics solutions had helped to improve security posture. One of the most important benefits was the reduction in false positives when analyzing anomalous traffic. Before the solutions were deployed, 80% of respondents said it was difficult to reduce false positives, although that figure fell to one third after a security analytics solution had been deployed.
There may be many challenges with deploying and using security analytics solutions, but 61% of organizations said their solution was critical to their cyber defenses. 71% of respondents said their organization is planning on increasing the use of security analytics in the next 12 months.
“Security analytics clearly isn’t as effective as security practitioners need it to be,” said Stu Bradley, Vice President of Cybersecurity Solutions at SAS. That said, “building analytic sophistication ultimately pays off in improving organizations’ ability to discover, detect, investigate and respond to security events in a reliable, repeatable way.”
As for the challenges in deploying security analytics solutions, Bradley offered some helpful advice:
“Nearly all solutions require initial configuration and tuning for optimal performance.” However, “organizations can avoid many pitfalls by clearly defining workflows and project goals before starting an implementation.”