Don't get marooned on Analytic Islands

  • Thursday, 26 Jan 2017 12:00PM EST (26 Jan 2017 17:00 UTC)
  • Speaker: Mark Watkinson

5 years ago the constant drip, drip, drip of breaches hitting the news was evidence that preventive, signature-based defenses were not working and that a move to fast recovery was needed. New approaches were needed: signature-less detection focused on detecting behaviors. But behavioral analytics has significant challenges, particularly the need for more data and the need to control false positives; this meant data from endpoints, network devices and applications. Few companies in cyber security have the capabilities to cover all these bases; most are focusing on endpoint, or network, or applications, or cloud. They are developing analytics to find threats within the data captured by their sensors.

With the industry buzzing about analytics, the drive for the vendor community to be able to crow about detection analytics, integrate them into platforms and create new platforms has led to a compounding of an old security problem: the detection silo, or Analytic Islands.

Detection is best served where analytics can use the widest possible data sources, so multiple analytic platforms are counter-productive. Creating analytic islands on vendor platforms aligned to types of data will not serve to optimize detection. So how should Security Leaders invest?

  • Invest in tools that allow data to be easily moved in and out of their native platforms, giving the organization the choice of how best to use it
  • Invest in tools that allow data to be flexibly retrieved across the infrastructure, from endpoint to cloud
  • Invest in centralized analytic/detection/forensic response capability to support security operations and allow better use of human resources
  • Invest in the best detection, not in platform silos but across platforms: see the whole campaign and give incident response the best chance

BAE Systems does not build sensors, we build analytics.
We work with sensor vendors to use the best of their detection, and ensure we still have access to the full data set so that when we see a new threat we can choose the best way to detect it from all the data.