Security Analytics Will Get Focused in 2017

These seven product shifts will elevate security in the coming year

What a difference a year makes for those of us engaged in advanced threat detection in the world of security analytics. Up until two years ago, security analytics was a market searching for a definition, with no common name, no common feature set, and no clearly understood need. That’s no longer the case, because the market has spoken:

“We don’t have the staff to analyze 10,000 alerts per day.”
“SIEMs were not built to handle everything we’re throwing at them.”
“I want to add more data for better threat visibility.”
“I must investigate incidents across months of data, and my SIEM cannot hold it all.”

Anyone in big data security analytics hears these appeals every day. The market for security analytics has evolved because enterprises constantly create more sensitive data (classified information, intellectual property, trade secrets, PII, and PHI), that data is constantly under attack, and every access to it generates more and more metadata about where the sensitive data lives, who accesses it, how it is used, and how it is protected. This vast sea of metadata is where the indicators of compromise that define attacks can be found. It is where SIEMs have failed and where big data security analytics offers huge value.

The upshot is that we have arrived at some common purchase criteria. As Gartner Analyst Toby Bussa writes in his latest Market Guide for User and Entity Behavior Analytics, “Favor vendors that profile multiple entities, including users and their peer groups and devices, and those who use machine learning to detect anomalies. These features enable more detection of malicious or abusive users who might otherwise go unnoticed.”

The reality today is that of the 15-plus vendors that claim to provide a true security-analytics solution, only a handful, Interset included, have created platforms that meet Gartner’s recommendation and offer the scalability to actually work in an operations deployment.

If this is where we are today, how will security analytics evolve in 2017?

Here are a few technology shifts we can expect during the next 12-18 months:
1) Security analytics will cover an even broader set of threats—specifically different types of fraud and money-laundering threats and threats against critical infrastructure. In late 2017, we will also see the emergence of threat detection for IoT-related threats.
2) Vendors in security analytics that rely on rules-based detection will be eliminated as viable players due to deployment complexity, with machine learning and statistically based capabilities becoming a core feature.
3) Vendors that are truly providing an effective security analytics solution will showcase increasingly sophisticated analytical methods, not just anomaly detection, to solve cybersecurity problems.
4) Data sources for security analytics have been primarily from existing SIEM products. But in 2017, that will shift to enterprise applications like ERM, PLM, and SCM, as security teams learn that data from these systems offers greater threat visibility.
5) Leading security-analytics products will deliver new dashboards that take a more risk-based view of threats and deliver value beyond security to lines of business and the executive teams.
6) Integration between security analytics, incident response, and security orchestration tools will become the norm as security operations centers look to streamline operations.
7) By the end of 2017, a battle will develop between SIEM and security analytics vendors as capabilities overlap, and each vies to be the center of the security-operations process.

Finally, if history repeats, by 2018, this battle will explode into aggressive acquisitions and at least one of the top SIEM players will leave the market.