I often referred to these solutions as based on a bottom-up approach, i.e. starting from the collection of data, correlations and subsequent deductions of alarms, trends and analysis of organisation’s risk exposure.
In other posts I compared and contrasted this approach against the top-down approach provided by Security analytics (in particular in the IAM space – “HP Labs Identity Analytics – What is this all about?”), where models and simulations are used to provide strategic decision support. These models need to be grounded by using empirical data.
I actually believe that these two approaches can be combined to get greater benefits:
- A key part of Security Analytics activities, is to identify the most relevant parameters, measures and metrics relevant to assess risks, provide suitable decision support and what-if analysis. Now, this information can be used to drive the configuration of SIEM solutions, by recommending which measures and metrics to focus on and their impact in enabling risk assessment and deductions;
- SIEM solutions can collect, aggregate and process large amounts of data. This capability can be used to provide up-to-date empirical data to fuel Security Analytics models;
- Finally, Security Analytics can be used to provide strategic decision support in the area of event and incident management, situational awareness compliance. By modelling and simulating processes related to the collection and manipulation of data, correlation of information, deduction, incident and change management, it is possible to explore the presence of potential weaknesses, faults and check for the appropriateness of the allocated resources. This would help to inform security policies and investments
Related to the third point, Security Analytics can enable the exploration of questions such as: “Are the current SIEM investments and related processes appropriate?”; “Am I focusing on the collection of the relevant data? Are my processes adequate to detect and handle specific threats?”; “What are the consequences of changing some of the processes/investing more in specific solutions and resources?”
I indeed believe that an interesting R&D area to work on is exploring how to leverage and combine these two approaches.
--- Posted by Marco Casassa Mont (here and here) ---
--- NOTE: use this mirror blog if you prefer posting on an external blog site ---
--- NOTE: my original HP blog can be found here ---
No comments:
Post a Comment