3 Things the Kentucky Derby Teaches Us about Security Analytics
What can handicapping and betting on horse racing teach infosec pros about security analytics?
By Rob Sadowski, RSA
Fast data analysis can stymie attacks and strengthen enterprise security, but mastering security analytics is a tall task for many organizations. There's a lot to be learned from the gambling land of Las Vegas -- and what better time to explore this concept as the best betting race in the U.S draws near: this weekend's Kentucky Derby.
People have been betting on horse races since horses have been running. The 2012 Kentucky Derby was the biggest betting year in the history of the race, with people wagering a total of $133.1 million. Sure, betting on the outcome can be profitable, but only if you can beat the odds.
It might seem counterintuitive, yet handicapping and betting on horse racing require many of the same tactics and techniques security pros must use when doing security analytics. You need to have the right data and be able to turn it into actionable insight, you need to be able to connect a plethora of seemingly disparate data sources to make a conclusion, and you need to be able to do this quickly to win.
Here are three things the Kentucky Derby teaches us about security data and analytics:
Collect the Right Data
Whether you're a security pro detecting abnormal network activity or a horse racing handicapper picking the winner, both scenarios first require the collection of as much of the right data as possible to get a complete picture of what's happening and what might happen.
Key to this effort is incorporating all relevant data sources. For security teams, this means gathering network traffic, endpoint data, cloud and identity data and other information from logs, and marrying that with contextual information such as threat intelligence, asset criticality measures and vulnerability data.
Let's use the Kentucky Derby as a comparison point. Odds makers and players alike tap a wide swath of data. From blood line and pedigree, to history of race wins, training regimens, jockey strategies and track conditions; all of these data sources factor into the prediction for those betting on the race and are used by odds makers to determine how to appropriately set the odds.
In the IT security world, we've got some catching up to do. According to RSA's recent Threat Detection Survey , organizations are lagging when it comes to pulling data that matters most from modern IT infrastructures, with only 27 percent collecting data from cloud-based infrastructure, 49 percent collecting network packets, 55 percent collecting identity data, and 59 percent culling data from endpoints.
Apply Smart Security Analytics
Once you've collected from a diverse set of data sources to build a solid foundation, now, it all comes down to figuring out who's going to win the race. This is where analytics comes in. If you're an odds maker, you have to come up with your own analytics to figure out how to glean meaningful insights from all the data you've collected.
In much the same way, enterprises are using security analytics to improve their understanding of, and defense against, the latest threats. According to Forrester, "For years, security information and event management/security information management (SIEM) solutions have been the primary tool that security and risk professionals have relied on to aggregate information from their enterprise to help identify abnormal behavior that could be evidence of an intrusion. Yet SIEM hasn't kept pace with the security needs of modern enterprises."
As security analytics overtake simple SIEM output for the lead as detection capability of choice, security teams, more and more, are leveraging multiple types of analytics to observe activity and actions from the data and get answers to a series of questions:
- What's actually happening?
- Is something abnormal happening?
- Am I seeing anomalies?
- Is this exactly what I expected or not?
- Is there suspicious activity?
Security analytics translate into actionable intelligence to identify potential threats, prioritize remediation of vulnerabilities and architectural adjustments, and identify and understand attacks already in progress.
Context and Speed Matter
A lot of times, horse racing handicappers rely only on one factor. Say, for example, it's raining on the day of the Kentucky Derby; a handicapper will pick the horse that has a good history of running on muddy tracks. But chances are, if you only rely on that one factor and don't consider anything else, you'll be missing the mark.
We see the same scenario play out in threat detection where organizations rely on only one type of data. For instance, they rely on infrastructure logs from SIEM alone. You cannot rely on one variable as it leads to blind spots and a weak foundation for detection.
Or, they rely on only one type of analytics, and miss opportunities to spot where an adversary's abnormal behavior may be more visible. Instead, look at multiple sources of data, and use multi-dimensional analytics to find the anomalies, pivot across data sources to add context and arrive at an accurate picture.
Still, speed is an issue. Only eight percent of organizations feel they can detect threats very quickly. Meanwhile, these same organizations know they constantly need to adapt in order to stay in front of attackers and the latest threats, and security analytics need to happen in as near real-time as possible. Without the ability to correlate and move across different data sources and harness that insight as quickly as possible, security teams find themselves behind.
Back to the weather analogy. If Kentucky Derby odds are set based on a rainy day prediction, but the forecast changes to call for sun, this would require the odds maker to rethink the assumptions about which horses will predictably run well.
The security industry, too, needs to rethink its approach. Over the past few years, stopping cybercriminals has become much more difficult. Attackers continue to advance and use sophisticated and highly targeted techniques to infiltrate organizations.
As the focus shifts from prevention to detection and response, there are a number of ways to strengthen data analysis as an effective detection mechanism, namely, by improving data collection methods, applying multi-dimensional analytics, and providing data in better context, at a high rate of speed. In essence, mastering security analytics means doing it Vegas odds maker-style.
As director, Technology Solutions, RSA, the Security Division of EMC, Rob Sadowski works to promote the adoption of RSA's core technology with customers and partners, and drives RSA's technology thought leadership initiatives. He represents RSA in multiple industry organizations, including the PCI Security Standards Council, where he sits on the Board of Advisors. An EMC employee for over 12 years, he came to RSA as part of the team that drove the creation of EMC's Security division and the acquisition of RSA. He is a frequent contributor to RSA's "Speaking of Security" blog and provides commentary on security issues to media outlets including CNN, USA Today, the Financial Times, NPR, Fox Business and CNBC.