AIX > Administrator > Security

Why Our Security Analytics Are Failing

Security Analytics

Our security posture has not increased—and by most measures, decreased—over the last five years. Four years ago you couldn’t walk 10 feet at the RSA security conference without seeing “Big Data” plastered on the venue displays. Two years ago it was machine learning that would be our savior. Just apply machine learning to big data and the answers will reveal themselves. A walk down security lane this year advocates deep learning. Since machine learning did not work, lets apply a technology most people do not understand to be the next technical leap in security analytics. Data lakes are also a trending item. Are security data lakes going to change our posture? Is it a wonder that we are on a downward trend with security?

Let me try explaining how we change our security posture in a positive direction. Lets consider the following equation.

value  (quality/latency)

Lets explain the variables. Quality is the data we collect today: flows, logs, end point sensors. Latency is the real-time availability of the data. Event logs, traffic flows and sensors all produce near real-time data. Quantity is the amount of this type of data we collect. Anyone can look at the formula and derive that a large amount of high quality data in near real-time drive value. Is that what has been transpiring over the past five years?

The opposite is more the truth. Our security division along with the industry has been collecting a large amount of data. The problem is that it has been the same data without any change to quality (new data) or latency. Think of Qradar storing all log and flow events for years. The value of the data has actually decreased. It’s more of the same data with 99.99 percent of the data being older than 48 hours. IBM’s event model has not changed in ten years. The industry is suffering from the same trend.

More bad data is not the answer and actually decreasing our security posture!

What is even more disturbing is the focus on new analytics that use the same old data. Adding additional applications like “user behavior analytics” and “insider threat” and “cognitive advisors” will NOT reverse the trend. It’s like handing over a cold murder case to another detective and expecting a different result. In fact, the definition of insanity is doing the same thing over and over expecting different results, yet that is what we are doing.

The Case for Better Data

Our offering management team needs to focus on better data to increase our security analytics. I will make four points to support my case. It’s the security technology that has the best data that always wins. Always.

1) EDR is the only technology that has a generational leap in the last five years and one of the most heavily funded research initiatives. It’s not because they added new types of analytics; they all use rules, cloud aggregation of data, and machine learning. EDR created a new sensor that collected endpoint data otherwise blind to security analytics, for example, hijacked processes, registry changes, writing to a non-temp file system, privilege escalation, in-memory scans of processes, etc. They created a new ballgame by collecting better data. It was the data that creating the technology, not the analytics. Placing the data in a cloud repository (big data) made crowdsourcing possible. They elevated the quality by adding sensors, collection in real-time, and amassing the data in the cloud.

2) Watson cognitive initiatives are more focused around purchasing data than the cognitive analytics. The Watson group has purchased over 3 billion dollars worth of technology that collect real-time data from IoT devices and the medical industry. It’s the data that will drive their success, not the analytics.

3) DNS Identity kinetics is 100 percent about collecting new data. More global data and visibility in real-time significantly elevates the quality. A cloud-based repository of high quality real-time “data first” analytics that will increase our security posture. Identity kinetics is not limited to DNS and can be juxtaposed with email identity, social media identity, etc. It’s a data first initiative.

What The Weather Channel is to IoT, PHC is to Identity kinetics.

4) The QNI initiative is the beginning of another “data first” initiative with higher quality real-time data stored in Ariel. We are layering Identity Kinetics on top of the data. Without QNI, DNS IK would not exist. Additional analytics will be layered on top of QNI including ICMP exfiltration and infection analytics. QNI produces data for Qradar and analytics that has been otherwise invisible.

Unfortunately, offering management has aligned QNI with IPS and having just recently retired our IPS system, begin prioritizing functionality that turn it into an IPS system. That’s a very bad approach.

Initiatives that Would Significantly Elevate our Security Posture

There’s a movement to increase our abilities to detect insider threat and user behavior analytics. In my humble opinion, it is more of “I need to check this box for Gartner and competitive fodder” than it is to create a truly competitive and compelling application. The focus is on the app and the outcome when it should be around collecting better data than our competition. For example, if somebody funded me to create the world’s best insider threat application, I would first focus on the data that provides me with a competitive advantage.

Examples would be:

  1. Integrating with card access security systems. Let’s start watching anomalies with time and facility access.
  2. Integrating with video systems that detect motion over a time series.
  3. Integrating video systems with time around identity access. It was a successful login, but who logged in.
  4. Enabling keyboard and mouse biometrics on all endpoints so we can see who is typing as opposed to what is being typed.
  5. Geo-location of endpoint devices and anomalies associated with geo-location. Is the person inside the facility or outside? Does outside mean the parking lot or third-world country?
  6. Start taking a screen shot of highly suspected insider threats and the activity.

There has not been one company that has been successful at insider threat. It’s because they have failed to collect the data required for insider threat.

Let’s assume we want to increase our end user behavior analytics.

Examples would be:

  1. Modifying the “Detect” data collection mechanism to feed sensor events to the EUBA app (I think this is in the works).
  2. Creating a cloud repository where we store biometric keyboard and mouse signatures that enable lateral movement of people. Does our competition have mouse and keyboard biometrics? NO!

Let’s assume we want to create a usable cognitive advisor that provides a competitive edge. Cognitive advisement is NOT about Watson (as Watson is not about Watson!). Watson does not fill the gap between usability and advantage.

If we want to increase our or cognitive advisement, get better threat intel than our competition.


Adding more analytics on the same old data decreases our value and dilutes our engineering efforts. I would like to see an emphasis on data acquisition that provides a competitive advantage. Once we have the data, the analytics fall in place. I would encourage offering management to focus on acquisitions and relationships with companies that provide us better data than our competition. I would like each group providing new analytics to focus on data differentiators and I would like to see an emphasis on data competitiveness for our offering management. I would like to see an emphasis on data integration within our products. Security starts with data and ends with analytics, but I feel we have reversed it.

Like what you just read? To receive technical tips and articles directly in your inbox twice per month, sign up for the EXTRA e-newsletter here.

comments powered by Disqus



2017 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

A Bankable Solution

AIX Cryptographic Services improves security while simplifying administration

AIX Security Tools You Can Use

A look at new AIX security capabilities.

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
AIX News Sign Up Today! Past News Letters