Cisco Subnet An independent Cisco community View more

Enterprise Organizations Are Taking Steps to Improve Cybersecurity Analytics

Data collection, analysis tools, and hiring staff top the list of actions

Last week, online retail giant eBay announced that it was hacked between February and March of this year with stolen login credentials of an eBay employee.  This gave the hackers access to the user records of 145 million users including home addresses, email addresses, dates of birth, and encrypted passwords.  It appears that the hackers made copies of this data so eBay is advising all users to change their passwords.

The eBay hack is just the latest in a perpetual series of bad cybersecurity news.  What's worse here is that eBay is no slouch when it comes to information security best practices.  So it's especially alarming when a firm like eBay is compromised - if eBay can suffer a data breach, anyone can suffer a data breach.

If there is a silver lining here it is that other large organizations realize that they have to do more to protect themselves from cybercrime.  For example, many enterprises are taking a harder look at their incident prevention controls and exploring ways to block threats and/or reduce the attack surface across their networks.  Aside from these traditional defenses however, firms are also investing a lot of time, money, and human resources on security analytics.  Why?  Most CISOs realize that legacy SIEM and log management tools are no match for today's social engineering attacks and sophisticated malware payloads. 

In a recent ESG research survey, enterprise security professionals (i.e. those working at organizations with more than 1,000 employees) were asked to identify security analytics activities they are using.  The data indicates that:

-41% are collecting additional network data for analysis.  This means they are doing full packet-capture or capturing/processing Meta data associated with network traffic.

-40% are purchasing/implementing new security analytics tools.  It's likely that these tools are helping them analyze the network data described above.  Good news for security vendors like Blue Coat (Solera), Click Security, Netskope, and RSA Security.  IBM and LogRhythm also introduced network forensic tools recently that integrate with their SIEM platforms for better analytics across network packets and log files.  Lancope has also been extremely busy expanding its footprint within large customer networks.  This data certainly offers a rationale for this activity. 

-30% are hiring security analysts.  Well, at least they are trying to hire security analysts.  It's worth the effort but CISOs should assume that finding and hiring these folks will be extremely difficult and plan accordingly.

-28% are collecting endpoint forensic data to supplement security analytics.  This makes sense as it aligns network analytics with actual information about endpoint behavior in order to answer specific cybersecurity questions.  Were registry settings changed?  Were files downloaded?  Did the endpoint reach out to any unknown or anomalous IP addresses?  The fact that 28% of organizations are doing this explains why Bit9 merged with Carbon Black, why FireEye bought Mandiant, and why Cisco/Sourcefire FireAMP is getting traction in the market.

-28% are implementing more probes and/or data collectors around the network.  Security data collection is no longer limited to the perimeter, it is now done at major peering points throughout the internal network as well.  This will likely increase as enterprises implement SDN.  This means more data to collect, process, and store so CISOs must continue down this road with eyes wide open. 

When you see this data, it's easy to understand why the security analytics market is growing as vendors like 21CT, Cybereason, Cyphort, ISC8, Leidos, Narus and Vectra Networks jump in to the pool.  Cisco is approaching this market with a managed service while Dell SecureWorks, Symantec, and Verizon work with customers to add security analytics to managed services contracts. 

While I've been writing about this market for a while, it is still extremely early.  Stay tuned, lots more ahead!

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.