Enterprises have been on the receiving end of a lot of confusing and sometimes contradictory messages about security analytics. A year or so ago the buzz term was “big data”, and consequently every vendor in the information management space announced a big data solution, which only confused the market as to what was important and what was just hype.
In a paper released last year, ESG Research represents the big data security solutions landscape as a spectrum that ranges from real-time analytics to asymmetric analytics. Both have value:
Real-time big data security analytics solutions are evolutionary iterations of existing SIEM, log management, network flow analysis, and IP packet capture tools, although they distinguish themselves from legacy SIEM platforms by their scalability, analytics intelligence, and performance characteristics. Asymmetric big data security analytics solutions provide high-performance platforms for the analysis of massive volumes of structured and unstructured data. They are designed with the assumption that analysts may have no idea what they are looking for, where to start, or how to proceed.
In short, asymmetric security analytics tools don’t eliminate the need for a Security Information and Event Management (SIEM) system. SIEMs do an incredible job of correlating a massive range of disparate information and events into a single interface that gives security teams a picture of what they are facing right now. The concern is the volume: the SIEM collects so much data that it is often (if not always) impossible to go through all of it and fully understand what happened during an incident, or to establish its extent and impact, especially if the attacker changes tactics and moves laterally during the attack.
No one wants to spend a considerable amount in a particular area and then find that they missed a large piece of the puzzle, and that they are still not completely covered. Companies that are holding back on adopting asymmetric security analytics either still don’t fully understand the problem that it can solve, or have already made a bet on adjacent, real-time technology (e.g. SIEM) and are still trying to realize the return on the previous spend.
In our view, the key question for organizations planning their security analytics infrastructure is whether they want to understand their data statistically, looking for averages, trends and metrics to establish baselines, or whether they want to work in real time, understanding what is happening now and what happened during past events in order to plan better for the future. Our suggestion: do both.
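To make the “do both” point concrete, here is an added example (not Arbor’s or ESG’s code) that runs a real-time SIEM-style threshold rule and a statistical per-host baseline over the same constructed SSH auth log, then does the retrospective pass a SIEM rule alone would not give you: reconstructing which hosts one source address moved between. The log format, host names, addresses and the thresholds (5 failures per hour for the real-time rule, 3 standard deviations for the baseline) are assumptions chosen for illustration.

```python
"""Added example: a stateless real-time rule beside a per-host statistical
baseline, both run over constructed auth log lines. Not from the original post."""
import re
import statistics
from datetime import datetime, timedelta

# Assumed log format for the example; real SIEM feeds will differ.
LINE = re.compile(r"^(\S+) (\S+) sshd (auth_fail|auth_ok) user=(\S+) src=(\S+)$")


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "outcome": outcome, "user": user, "src": src}


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_failures(events):
    """host -> {hour: failed logins}. Every host gets a (possibly zero) entry
    for every hour seen in the window, so quiet hours lower the baseline."""
    if not events:
        return {}
    hours = sorted({hour_bucket(e["ts"]) for e in events})
    counts = {e["host"]: {h: 0 for h in hours} for e in events}
    for e in events:
        if e["outcome"] == "auth_fail":
            counts[e["host"]][hour_bucket(e["ts"])] += 1
    return counts


def build_baseline(history):
    """Per-host (mean, stddev) of failures per hour over the history window.
    The stddev is floored at 1.0 so a perfectly flat history (stddev 0)
    cannot turn every later deviation into a division by zero."""
    base = {}
    for host, buckets in hourly_failures(history).items():
        xs = list(buckets.values())
        sd = statistics.pstdev(xs) if len(xs) > 1 else 0.0
        base[host] = (statistics.mean(xs), max(sd, 1.0))
    return base


def realtime_rule(events, threshold=5):
    """Stateless SIEM-style rule: any host with >= threshold failures in an hour."""
    return {host for host, buckets in hourly_failures(events).items()
            if max(buckets.values()) >= threshold}


def baseline_rule(events, baseline, z=3.0):
    """Hosts whose hourly failures sit z standard deviations above their own
    normal. Hosts with no history are compared against a zero baseline."""
    hits = set()
    for host, buckets in hourly_failures(events).items():
        mean, sd = baseline.get(host, (0.0, 1.0))
        if any((n - mean) / sd >= z for n in buckets.values()):
            hits.add(host)
    return hits


def lateral_path(events, src):
    """Retrospective view: ordered hosts a source address logged in to."""
    ok = sorted((e for e in events if e["src"] == src and e["outcome"] == "auth_ok"),
                key=lambda e: e["ts"])
    path = []
    for e in ok:
        if not path or path[-1] != e["host"]:
            path.append(e["host"])
    return path


def constructed_lines(host, start, per_hour, user="alice", src="10.0.0.5"):
    """Constructed sample failures, one line per failure, spread over hours."""
    out = []
    for h, n in enumerate(per_hour):
        for i in range(n):
            ts = start + timedelta(hours=h, minutes=i)
            out.append(f"{ts.isoformat()} {host} sshd auth_fail user={user} src={src}")
    return out


T0 = datetime(2024, 3, 4, 0, 0, 0)
# Four hours of history: web01 is noisy, db01 almost never sees a failure.
HISTORY = [parse(l) for l in constructed_lines("web01", T0, [2, 4, 2, 4])
           + constructed_lines("db01", T0, [1, 1, 1, 1])]
# The current hour: 4 failures each on web01 and db01, 6 on a host with no history,
# plus two successful logins from the same source address.
CURRENT = [parse(l) for l in constructed_lines("web01", T0 + timedelta(hours=10), [4])
           + constructed_lines("db01", T0 + timedelta(hours=10), [4])
           + constructed_lines("vpn01", T0 + timedelta(hours=10), [6])
           + ["2024-03-04T10:05:00 web01 sshd auth_ok user=alice src=10.0.0.5",
              "2024-03-04T10:40:00 db01 sshd auth_ok user=alice src=10.0.0.5"]]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("baseline:", base)
    print("real-time rule fired on:", realtime_rule(CURRENT))
    print("baseline rule fired on:", baseline_rule(CURRENT, base))
    print("path of 10.0.0.5:", lateral_path(CURRENT, "10.0.0.5"))
```

The two rules disagree on purpose: four failures on db01 never reach the fixed threshold, but against db01’s own baseline of one per hour they are three standard deviations out, while the same four failures on web01 are ordinary. The real-time rule still catches the unseen host vpn01 immediately, and the retrospective `lateral_path` pass is what answers the “extent and impact” question once the alert has fired.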
The post Advanced Threat Detection: Not so SIEMple appeared first on Arbor Insights - Our People, Products and Perspective.