Cyber-security analytics: how to make the numbers meaningful

John Smith looks at the wealth of data churned up by cyber-security analytics and argues that vendors have a responsibility to make the numbers actionable.

John Smith, principal solution architect, Veracode

Analytics have always been the lifeblood of the cyber-security industry. But what was once confined to the lab has now become an important part of many enterprises' cyber-security programme, as emerging threats increasingly challenge traditional automated solutions, such as anti-virus or simple vulnerability scanning.

But with an analytics package available for almost every security layer in the IT environment, many CISOs are facing data overload. As a result, this massive quantity of niche analytics provides very little actionable insight, which drastically diminishes its real value as a tool.

Don't provide data for data's sake

Too much data and too little understanding of how to use it is becoming an increasing problem for most teams. Security information and event management (SIEM) technology, for example, remains the anchor of many companies' cyber-security strategies, providing real-time analysis and generating security alerts for issues found across network hardware and applications. Yet these solutions increasingly struggle to provide actionable insight.

As the wealth of data and the size of the IT environment grow drastically with the Internet of Things, cloud and BYOD (bring your own device), SIEM tools simply flag up more and more alerts. With no sense of prioritisation and no insight into how the threats can be mitigated, the alerts often go ignored and provide little value to the security team.

It's no longer enough for analytics packages to just add to the noise and massive quantity of data that IT departments are wading through. Few companies have anywhere near the amount of resources and manpower necessary to analyse, prioritise and action all the different alerts and queries that these devices constantly throw up.

Setting standards

This is certainly true of application security, where there are no standards defining what an acceptable security flaw density is, which criticality of defects is acceptable, or even what remediation timeframe is adequate. In a threat space that continues to grow in size and sophistication, and from which no industry is spared, a poor understanding of the landscape could have disastrous consequences for a business.

So, whilst many application security analytics programmes remain important for detecting flaws, plenty still just throw up alerts and numbers with no context. This ultimately provides little actionable information to companies about how they're doing and what more they need to do.

We find many of our tuned-in customers frequently coming to us asking for help in benchmarking their performance. Many come to us with questions, such as, “Do I have more serious security vulnerabilities than my peers?” and “What percentage of vulnerabilities do my peers remediate?” With some organisations still only assessing a small percentage of even their internet-facing applications, answers to these questions can provide companies with the wake-up call and actionable insight that will help them make important changes to their cyber-defences.

Making analytics actionable

Our State of Software Security report shows the financial services industry leading the way, with 42 percent of its applications compliant with the OWASP Top 10 policy (a widely adopted baseline for application security) on first risk assessment. With a benchmark like this, companies get a clear understanding of the current standard for software security.

Financial services companies with a far lower percentage of compliant applications would clearly understand that they need to do significantly more work to reach the industry standard for software security.
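The benchmarking questions above ("Do I have more serious vulnerabilities than my peers?", "What is an adequate remediation timeframe?") only become actionable once raw findings are reduced to a compliance rate, a gap against a peer figure and a prioritised list of overdue defects. The following is an added example of that reduction, written for this article; it is not Veracode's tooling or the report's methodology. The 42 percent peer figure is the one quoted above; the definition of "compliant with the OWASP Top 10 policy" (no open High or Critical finding in an OWASP Top 10 category), the abbreviated category names, the remediation SLA values and the scan findings themselves are all assumptions constructed for the example.

```python
"""Added example (not from the article or Veracode): turn raw application-scan
findings into benchmark-style answers: policy compliance rate, gap to a peer
figure, and a prioritised list of findings that have overrun their SLA.
"""
import math
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

PEER_FIRST_SCAN_COMPLIANCE = 0.42  # financial-services figure quoted in the article

# Assumed, abbreviated OWASP Top 10 category labels (only those used below).
OWASP_TOP10 = frozenset({"Injection", "Broken Authentication", "XSS",
                         "Sensitive Data Exposure"})

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Hypothetical remediation timeframes in days; the article notes no standard exists.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    app: str
    category: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None means still open


def is_open(f: Finding, as_of: date) -> bool:
    return f.fixed is None or f.fixed > as_of


def policy_violation(f: Finding) -> bool:
    """Assumed policy: a High or Critical finding in an OWASP Top 10 category."""
    return f.category in OWASP_TOP10 and SEVERITY_RANK[f.severity] >= SEVERITY_RANK["High"]


def app_compliant(findings: Iterable[Finding], app: str, as_of: date) -> bool:
    return not any(f.app == app and is_open(f, as_of) and policy_violation(f)
                   for f in findings)


def overdue(findings: Iterable[Finding], as_of: date) -> List[Finding]:
    """Open findings older than their SLA, most severe first, then oldest first."""
    late = [f for f in findings
            if is_open(f, as_of) and (as_of - f.found).days > SLA_DAYS[f.severity]]
    return sorted(late, key=lambda f: (-SEVERITY_RANK[f.severity], f.found))


def benchmark_report(findings: List[Finding], apps: List[str], as_of: date,
                     peer_rate: float = PEER_FIRST_SCAN_COMPLIANCE) -> dict:
    compliant = sum(app_compliant(findings, a, as_of) for a in apps)
    # Smallest number of additional compliant apps needed to reach the peer rate.
    needed = max(0, math.ceil(peer_rate * len(apps)) - compliant)
    return {
        "compliance_rate": round(compliant / len(apps), 2),
        "peer_rate": peer_rate,
        "apps_to_fix_to_match_peers": needed,
        "overdue": [(f.app, f.category, f.severity) for f in overdue(findings, as_of)],
    }


# Constructed sample data: four applications and seven scan findings.
APPS = ["payments", "portal", "mobile-api", "reports"]
AS_OF = date(2016, 6, 1)
SAMPLE_FINDINGS: List[Finding] = [
    Finding("payments", "Injection", "High", date(2016, 1, 10), fixed=date(2016, 2, 1)),
    Finding("payments", "XSS", "Medium", date(2016, 5, 20)),
    Finding("portal", "Injection", "Critical", date(2016, 5, 1)),
    Finding("portal", "Sensitive Data Exposure", "Low", date(2015, 10, 1)),
    Finding("mobile-api", "Broken Authentication", "High", date(2016, 5, 25)),
    Finding("reports", "Logging", "High", date(2016, 3, 1)),  # not an OWASP Top 10 category
    Finding("reports", "Injection", "High", date(2016, 4, 15)),
]

if __name__ == "__main__":
    report = benchmark_report(SAMPLE_FINDINGS, APPS, AS_OF)
    print(f"Compliant: {report['compliance_rate']:.0%} of apps "
          f"(peers: {report['peer_rate']:.0%}); "
          f"fix {report['apps_to_fix_to_match_peers']} more app(s) to match peers")
    for app, category, severity in report["overdue"]:
        print(f"  OVERDUE {severity:<8} {app:<11} {category}")
```

Two design points carry the article's argument: non-Top-10 findings (the "Logging" defect) do not count against policy compliance but still appear in the overdue list, so a team sees both the benchmark gap and the concrete work; and the overdue list is ordered by severity then age, which is the prioritisation the text says raw SIEM and scanner output lacks.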

Each IT environment is unique in its challenges and strengths, and the use of analytics could drastically change how we approach cyber-security. By enabling CISOs and IT directors to delve into their networks, endpoints and applications, companies can move away from a one-size-fits-all approach to cyber-security and adopt a truly tailored programme. But we can only do this if we find a way to make the data mean something in itself.

As an industry we have a responsibility, when providing customers with analytics programmes, to also provide them with the tools to make the analysis actionable. Rather than throwing more information at them, it is down to us, the experts, to do the legwork that ensures the information is usable and needs very little interpretation by the organisation before it can be acted on.

Contributed by John Smith, principal solution architect, Veracode