Security Data Analytics and Reporting: Overview

Organizations spend millions of dollars every year to ensure they are well protected, and Information Technology Security teams play a key role in this. And yet, IT security often struggles to prove its worth. In this "Security Data Analytics and Reporting (SDAR)" series, we will explore business relevance, monitoring and reporting domains, use cases and reporting metrics. Additionally, I will provide some literature on tool selection, business cases and much more as part of the paid Toolkit.

Proving cybersecurity investments work

Proving that the security measures taken by your organization's security team are effective is not straightforward. When organizations don't encounter many cybersecurity incidents, it can be hard to tell whether this is because their operational and security controls are effective or because they are simply not a lucrative target for cybercrime. An organization in this situation often ends up making decisions based on security standards it is already familiar with, or on the past experience of the security lead, instead of selecting solutions based on its own requirements.

Such misguided strategies can address some security concerns, but they do not solve the problem of proving the effectiveness of security programs and/or tools. When security teams measure the wrong things, they cannot produce meaningful reporting for the business. This is where monitoring and reporting use cases built on correlated information become valuable.

Monitoring & reporting

Many organizations do monitor their information systems from a security perspective and even produce some management reports. However, these reports are often created in silos, are very technical (lacking business relevance), rely on metrics that are not meaningful to enterprise decision makers and, most of the time, are produced manually. Effective security monitoring and reporting requires events and information to be correlated: analysts must consider aspects outside their own silos before presenting reports to their consumers (internal and external stakeholders).

Effective reporting provides holistic visibility, addresses the concerns of the stakeholders and provides actionable insight. Such monitoring and reporting must be automated and carried out daily.

Figure 01: Overview of different stakeholder(s) and their interests. The picture is for illustrative purposes only.

Analyzing logs, business information, network packets and system configurations, are an essential part of building reliable security monitoring and reporting. When thinking about logs and correlated monitoring, SIEM comes to mind naturally. However, SIEM itself is a collection of specialized use cases which can help organizations discover a potential compromise. Gaining additional visibility into security posture goes beyond the scope of SIEM.

Security Data Analytics and Reporting (SDAR)

This is where SDAR comes to the rescue: it automates use cases and metrics to provide near-real-time reporting tailored to the viewer's role, and allows the user to drill down to the data source for further investigation. However, it is useless unless the use cases have first been discovered and judged valuable enough to be worth automating for monitoring and reporting.

Figure 02: An example of SDAR workflow

The above diagram illustrates an SDAR workflow at a very high level: (1) information from various information systems feeds (2) the use cases pertaining to monitoring and reporting. (3) The use cases are then analyzed by a Big Data solution to (4) monitor and report on (5) audit compliance, standards compliance, and performance measurement. (6) The board of directors, business stakeholders, IT & IS stakeholders and analysts use the reports generated in this process to (7) provide assurance to internal & external stakeholders.

Closure

Proving the worth of investments in IT security (including cybersecurity) can be challenging. The central piece of such evidence lies in processing logs and events from various information systems, applying tailored use cases, and providing stakeholders with the right information to make decisions.

In the upcoming articles, we will further explore Security Data Analytics and Reporting, and you will learn how to give stakeholders the reports they are looking for and, ultimately, prove that their security investments work.

Watch out for a new post every week. Want to be notified every time there's a new post? Use our subscription service on the publications page to subscribe.
