You’re collecting activity monitoring data. Are you making the most of it?
As security systems in general, and database activity monitoring tools in particular, mature, we would expect security analysis and reporting to grow more sophisticated and dynamic to match them. Unfortunately, this has not been the case in many otherwise savvy IT organizations.
In many instances, analysis and reporting have become rigid, incomplete, and routine, while consuming ever more of analysts’ valuable time. As a result, many organizations have developed an incomplete view of their database-monitoring environment. Their security reporting protocols do not always provide the best view of the security data and are likely creating blind spots and needless analyst work.
We’re collecting data, but not using it to its fullest. We’re getting too many unrelated facts and we’re not creating real intelligence.
In my experience, it happens like this: security teams define specific security policies based on their best reasoning about which use-cases to monitor for. These policies become measurement points in the monitoring system, and the policy-related data is collected narrowly according to these predefined use-cases. Each use-case then results in a report: if there are 13 use-cases, 13 reports are generated at whatever interval seems appropriate. These reports are typically unrelated to each other and provide little insight into security issues that are not explicitly searched for. In some cases, certain security issues are never even imagined, so neither the people nor the reports are looking for them. Rinse and repeat. Forever. The reporting protocol limits its own usefulness and may age poorly as the environment evolves.
A new approach is needed. Instead of only creating routine reports based on policy, a bigger and more inclusive data set is needed that gathers information across more vectors and more time. It needs to include data we haven’t thought of tracking yet. Then, we can use analytic tool sets and our data science capabilities to perform more exploratory analysis on the data. This means connecting data in new ways so that new areas of risk, new correlations/causations, and (previously unseen) event interactions can be discovered. We’ll not only discover the “known unknowns,” but also the “unknown unknowns”. This flexibility becomes even more important as more platforms are monitored, each with different auditing capabilities and granularities.
This is also an opportunity to employ more sophisticated analysis techniques and technology. We can apply AI, machine learning, and automation to evolve and mature our analysis capacity and scope.
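The contrast described above, as an added example that is not part of the original post: a handful of constructed database activity records are run through two policy-style reports (each a one-to-one view of a monitoring rule) and then through an exploratory per-session aggregation over the same data. The field layout, thresholds, user names and records are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed database activity records (not from any real system):
# (timestamp, user, source_host, table, action, rows_affected)
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "app-01", "orders", "SELECT", 120),
    ("2024-03-04T09:40:00", "bob", "app-02", "customers", "SELECT", 45),
    ("2024-03-04T22:05:00", "bob", "vpn-07", "customers", "SELECT", 800),
    ("2024-03-04T22:09:00", "bob", "vpn-07", "payments", "SELECT", 900),
    ("2024-03-04T22:14:00", "bob", "vpn-07", "employees", "SELECT", 700),
    ("2024-03-05T03:00:00", "etl", "batch-01", "orders", "SELECT", 50000),
    ("2024-03-05T10:00:00", "carol", "app-01", "orders", "UPDATE", 3),
]

def hour(ts):
    return datetime.fromisoformat(ts).hour

# Use-case report 1: any single read over a bulk-export threshold (assumed policy).
def report_bulk_reads(events, threshold=5000):
    return [e for e in events if e[4] == "SELECT" and e[5] >= threshold]

# Use-case report 2: any write to a table classed as sensitive (assumed policy).
def report_sensitive_writes(events, sensitive=("payments", "employees")):
    return [e for e in events if e[3] in sensitive and e[4] != "SELECT"]

# Exploratory pass over the same data set: profile each (user, host) session by
# total rows read, distinct tables touched and off-hours activity. No single
# event trips either policy above, but the combination stands out.
def session_profiles(events):
    profiles = defaultdict(lambda: {"rows": 0, "tables": set(), "off_hours": 0})
    for ts, user, host, table, action, rows in events:
        if action != "SELECT":
            continue
        p = profiles[(user, host)]
        p["rows"] += rows
        p["tables"].add(table)
        if hour(ts) < 6 or hour(ts) >= 20:   # assumed off-hours window
            p["off_hours"] += 1
    return profiles

def flag_anomalous_sessions(events, min_tables=3, min_off_hours=2,
                            known_batch=("etl",)):
    # Sessions that read several distinct tables, mostly off-hours, from a
    # non-batch account: a pattern the per-rule reports never look for.
    return sorted(
        key for key, p in session_profiles(events).items()
        if key[0] not in known_batch
        and len(p["tables"]) >= min_tables
        and p["off_hours"] >= min_off_hours
    )
```

Running the three functions over `EVENTS` shows the bulk-read rule reporting only the expected batch job, the sensitive-write rule reporting nothing, and the session profile surfacing the off-hours multi-table reads from the VPN host.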
If done correctly, this new approach to database-monitoring analysis can provide many advantages:
- More inclusive datasets let us see and compare more facts and insights about our security environment.
- Exploratory analysis enables analysts to identify new risks and correlations.
- The new approach provides more flexibility and intelligence from the collected security data.
- We can prioritize data analyst resources and time based on more valuable activities than processing reports.
- New unexpected use cases can be identified and incorporated into the reporting protocol.
- Policy can be more guided by facts and less by intuition.
It’s likely that your existing activity monitoring solution has many of these analytic capabilities. A truly expansive security analytics program may involve additional data stores and analysis tools, but we believe it is worth the investment.
The first step is to take a critical look at your current data reporting processes. Are they simply one-to-one views of monitoring rules? Do they relate to each other? Do they help discover new, unexpected risks? Be tough in your assessment. Following that, smart IT organizations should adopt a broader security analytics strategy and build their analytics program on it.
As we all know, security risks aren’t just IT headaches; they are fundamental to the performance and safety of a business. If your limited reporting misses critical indicators of security breaches, it’s not just the database that gets hurt. Loss of revenue, disruption of business, loss of customers, and countless other negative impacts can occur. We must get our insights right to ensure that we can do our jobs right.