The Rise of Data-Driven Security - Bitpipedocs.media.bitpipe.com/io_10x/io_102989/item_485096/EMA... · 2012-06-13 · The Rise of Data-Driven Security: Report Summary Page 3 •

IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

The Rise of Data-Driven Security

Report Summary

An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) Research Report

Written by Scott Crawford, EMA Managing Research Director

May 2012

Sponsored by:

Page 2: The Rise of Data-Driven Security - Bitpipedocs.media.bitpipe.com/io_10x/io_102989/item_485096/EMA... · 2012-06-13 · The Rise of Data-Driven Security: Report Summary Page 3 •

©2012 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com

The Rise of Data-Driven Security: Report Summary

Page 1

Information security has long been hamstrung by obstacles unknown to many other aspects of the enterprise. Businesses may be able to measure sales performance or better understand competitive factors and customer preferences through data mining or other analytic techniques. Security, however, often wrestles with the unknown and struggles with a daunting array of exposures and threats. In a survey of 200 technology and business professionals who participate in information security efforts among organizations of 1,000 personnel or more worldwide, Enterprise Management Associates (EMA) found that:

• The majority (52%) say they are no more than “somewhat” confident they could detect an important security issue before it has an impact. Twelve percent are neither confident nor doubtful, while 7% report greater doubt than confidence.

• “Too difficult to distinguish legitimate from malicious activity” is the most frequently mentioned frustration with security practices (33% of all respondents).

• Twenty-eight percent of respondents are about as unsuccessful as they are successful at correlating security data to business impact. Four percent are more unsuccessful than successful.

• Fifty-seven percent of respondents must devote unplanned work to security incident response above and beyond normal investigative activities more than twice a month. One-third (33%) must do so at least weekly; 12% do so every day.

How can security do better? One thing would help immensely in answering that question: data. Accurate and timely information that illustrates how and where attacks as well as defenses succeed, highlights where they fail, and clarifies where response can best be improved; security technologies that employ this data directly in defense; and management strategies better informed by data-driven insight.

These capabilities are more within reach than ever before. The data explosion is just as real in security as elsewhere – and EMA survey data suggests that organizations are doing more than seeing the opportunity. They are engaging fully in the rise of a data-driven approach to security defense and management.

The need is great:

• Fifty-eight percent of respondents knowledgeable about security log and event data management in their organization indicated that they collect 50 gigabytes or more each day. When measured in number of logged events (assuming an average size of 300 bytes for each), this equates to more than 166 million events daily.

• Fifteen percent of this group collects an average of a terabyte of data or more each day. Considering that all respondents represent organizations of 1,000 employees or more – 28% of whom represent enterprises of 20,000 or greater – these figures may not be as astronomical as they may sound.

At the same time, organizations see the potential today’s approaches offer for turning this avalanche into an asset:

• Seventy-three percent of respondents would collect more security-related data, or a wider variety of data, if they could make use of it.

• Thirty-eight percent are currently expanding their investment in better security data management and analytic technologies. Another 40% plan to expand this investment in the next one to three years.

• Thirty-two percent are currently expanding their investment in the expertise of their personnel in security data management and analytics. Another 44% plan to expand this investment in the next one to three years.

• Organizations of all sizes and capabilities may benefit from the investment that vendors of security technologies and services are making in data-driven security. The largest number of respondents (48%) expect security technology vendors to lead the way in expanding data-driven security more than any other entity (including enterprises and government organizations) in the next one to three years. Forty-six percent expect this leadership from providers of professional and managed security services.

Where Data-Driven Security is Unfolding

EMA sees the rise of data-driven security emerging in three primary domains:

• Data-driven tactics, which differ from legacy security technologies in part by their focus on a more continuous, dynamic dependence on data sources and data analysis.

• Data-driven platforms for security management and strategy guidance, which may be expected to expand techniques for yielding more effective insight from large amounts of many different kinds of data.

• Data sources to serve these interests, which can be expected to grow in their variety, as well as in the variety of ways they are made available as offerings in their own right.

Security tactics are turning to data to improve the effectiveness of defense. Security technologies are deployed in thousands of organizations and on millions of systems. This gives their vendors unique insight into factors such as widely accepted software, attack prevalence, and malicious behavior. Anomalies can be spotted much more quickly against this background, enabling data-driven tactics to identify outbreaks, speed defense and limit impact. Security vendors are embracing large-scale data management platforms and advanced analytics to support these initiatives.

Security management, meanwhile, can benefit from expanded capabilities for handling large data sets, which unlocks new possibilities for finding artifacts that may otherwise be overlooked. Responsive data management platforms and flexible analytics enable investigators to pursue a wider variety of “what if?” scenarios and branch into new directions as analysis progresses. Strategists see the potential of mining a wide variety of data to identify issues such as heightened exposures, aspects of the enterprise at highest risk, trends such as fraud, and where chains of causality can be most efficiently broken.

Powering Insight

What are the emerging techniques security vendors and enterprises alike are turning to in order to make the most of the opportunity? While the extent of adoption was not explored and merits further study (Are these lab or proof-of-concept deployments, or are they in production? Are they exclusive to security or shared?), the answers were surprising regardless – and data management as well as security vendors may take note:

• Seventy-nine percent of those collecting security log or event data use Security Information and Event Management (SIEM) technologies.

• In addition, 50% of all respondents report that they are already employing enterprise data warehouses to at least some extent in support of security efforts.


• Forty-nine percent of those whose primary role is in information security are using analytical databases.

• Twenty-six percent of all respondents report the use of NoSQL and Hadoop environments. Another 28% plan to evaluate these environments for security data management.

Among the analytic tools in use among all respondents:

• Fifty-five percent report the use of Business Intelligence (BI) tools in some way to support security efforts.

• Forty-three percent indicate they use analytic platforms such as the open source R.

• Thirty-eight percent report using some form of risk analysis or modeling.

• Thirty percent use machine learning and data mining tools such as Apache Mahout.

Given this variety of techniques and the scale of interest, it may not be surprising that 37% of all respondents report that they currently use service providers specifically for security data management capabilities such as Managed SIEM and security intelligence services, while another 30% plan to evaluate service providers for this purpose.

Looking Ahead

With the interest in the trend high and growing, data-driven security is poised to expand even farther:

• Major security vendors are offering services that harness “Big Data,” NoSQL and massively parallel architectures to improve effectiveness and provide intelligence. New offerings are arising to offer Big Data security analytics as a service, harnessing the power of these platforms for rapid and flexible analysis across large or diverse bodies of data.

• How is the relevant expertise in security and data analysis evolving? Interviews with practitioners where data-driven efforts are becoming well established indicate that it is often a cooperative effort. Many organizations currently embrace a working model where security subject matter experts work with data analysts experienced in quantitative methods, data mining, data visualization, or related fields. Seventy-two percent of all respondents currently embrace this model to at least some extent, with 34% indicating that their security experts and data analysts work together on a regular basis.

• One of the challenges of data-driven security is the dilemma of data sharing. Organizations see the opportunity represented by data such as data breach investigations, but have concerns about exposing sensitive information to risk. Among the initiatives pioneering a balanced approach are the Financial Services Information Sharing and Analysis Center (FS-ISAC) and data fusion centers in government and law enforcement.

• Sharing is just one aspect of responsible security data management. Businesses should recognize that their data collection and management practices may leave them in custody of data that requires as much care as (if not more than) any other data managed by the organization. As they embrace more data-driven efforts, organizations should recognize these realities now.

In interviews with practitioners pursuing these initiatives; reviews of articles, books and documents that describe emerging data-driven approaches; and a survey of 200 involved professionals worldwide, EMA sees that the rise of data-driven security is more than a trend. It is becoming a mainstream factor among many enterprises. Many more organizations, regardless of size or capability, stand to benefit as data-driven security exerts a transformational influence over security technologies, services and practices emerging today, and evolving tomorrow.

About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2012 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 5777 Central Avenue, Suite 105, Boulder, CO 80301 | Phone: +1 303.543.9500 | Fax: +1 303.543.7687 | www.enterprisemanagement.com

2475_Summary.061212