Advanced tools like threat-intelligence services and SIEM systems can help enterprise teams reach their security...
goals, but only if they're used effectively. The thorough exploitation of security analytics -- that is, making the most of both the intelligence data collected from millions of sensors around the world and via the enterprise's own security information and event management system -- is essential for enterprise security. In this chapter, we look at five major mistakes to avoid to ensure that threat-intelligence and security analytics projects yield real results.
1. Absence of specialists and teamwork. A successful analytics project needs a diverse mix of skills and personalities; without the right combination of skill sets, there's little chance of success. It's not just a case of hiring data scientists either. To achieve enterprise security goals, a team also needs specialists who understand the threats and vulnerabilities the organization faces, forensic experts who know how cyberattacks unfold, network architects and senior managers who can identify the business's key processes and drivers. Communication skills are key; they rank as the single most important attribute when managers were asked what makes a good security expert. Don't let poor communication and collaboration hinder the creative data exploration needed to unearth today's sophisticated attacks.
2. Lack of customization and data exploration. Machine learning, behavioral analytics and advanced automation are becoming standard features in top-level SIEMs, but analysts need to customize and fine-tune them to their particular environment. This will improve detection rates and reduce false positives. Use threat modelling to determine where to concentrate research efforts, and always update models whenever there are major changes to the network infrastructure or new attack vectors are discovered. Security analytics also has to be more than just monitoring and responding to alerts; hunting down indicators of compromise and data points of real importance requires an investigative approach, constantly questioning what is happening on the network and being ready to challenge conventional thinking.
3. Assuming more data equals better security. There's no point in sourcing additional third-party threat intelligence unless internally generated data is fully explored. Traditional security controls such as firewalls, antivirus software, secure web and application gateways, and intrusion protection and detection systems should already be providing vast amounts of data that can reveal issues that need deeper investigation. It's only once this data is being effectively collected, collated and scrutinized that external threat intelligence feeds can really help in the hunt for malicious activities.
4. Vague objectives with no executive sponsorship. The security goal inherent in any analytics project is to improve overall defense of both systems and data. But without proper planning, focus and budget, efforts can easily become misdirected, leaving everyone involved frustrated at the lack of progress. Without clearly defined objectives, data analysis is unlikely to consistently produce fresh insights and actionable findings, only vague pointers to unprioritized problems. Getting the best out of third-party intelligence feeds and deep data analysis won't happen overnight, and project schedules and budgets need to reflect this so early expectations can be managed. Executive sponsorship will help here and with ensuring that internal wrangling doesn't limit access to important data sets needed to gain a truly holistic view of the IT environment.
5. Insufficient metrics to evaluate progress. Effectively meeting corporate security goals requires that defensive strategies be continually reviewed and advanced due to the fast-changing nature of cyberwarfare. Those tactics that are working or need improving are far easier to spot if metrics are collected to monitor changes in the number and types of security events. Security teams should assess the performance of a security analytics program by measuring key metrics, including these four:
- average time to detect and respond;
- false-positive reporting rate;
- incident response volume; and
- percentage of security incidents detected by an automated control.
Taking these and other absolute metrics and mapping them to the risks and threats that most concern stakeholders will enable everyone to understand how well the program is achieving its objectives.
Proactive, intelligence-driven security is essential to tackling the challenge of reducing the time between compromise and discovery, and ensuring enterprise security goals are met. Security analytics is one of the best ways of achieving this. But better intelligence doesn't automatically lead to better security. There needs to be a clear mandate and defined scope, metrics to measure success, and C-level sponsorship to yield real results.
Learn more about how threat intelligence works
Need to acquire a threat intel service? Read our buyer's guide before you approach vendors
What role does human intelligence play in assessing security threats?