These tools are making it possible to do trend analysis over months' worth of data.
That kind of historical analysis is opening a new front in analytics for CSOs, says John Pescatore, director of emerging security trends at SANS Institute. Pescatore says CISOs have long used security information and event management (SIEM) tools to collect data. It's been good for creating reports, but weak for looking backwards in time and doing something predictive.
"You want to be able to say, 'conditions have just changed and we better take action or we are likely to be penetrated,'" Pescatore says.
Pfeil says there are more subtle concerns. He says it is also important to find tools that can find anomalies in traffic that looks benign. "I think most companies are compromised and they don't know it," Pfeil says. So traffic that goes to a legitimate company's compromised Web site could then be redirected to an illegitimate source, what Pfeil called a watering hole attack. Normal analytics tools can't find that, so he's started using Bromium, which lets him do attack visualization analysis.
It takes unique skills to do analytics well. Data scientists, business subject specialists and programmers may need to work together to create effective analytics. That means most analytics work gets done at what Oltsik calls the tip of the enterprise pyramid, "the biggest of the big companies." Even there, it can be hard to get budget for preventive applications, says Pfeil.
Pescatore says one tack for CISOs is to find security vendors with large, active online communities. Those communities can give free, practical advice on how to work through the complicated process of analytics. Pescatore had positive things to say about companies and products like Tenable, Splunk, EiQ Networks and IBM's Q1 Labs' QRadar.
Third parties are popular when it comes to security analytics. In the ESG survey, 55 percent of companies said they rely heavily or somewhat heavily on third parties to help with their analytics.
Security vendors in general are trying to beef up their analytics. Trustwave, which does PCI compliance, in June launched SIEM Enterprise in response to the increasing kinds of data coming from mobile platforms and other new devices. Steve Kelley, Trustwave's vice president of marketing and product management, said Trustwave thinks it's become important for it to offer its own analytics, rather than expecting its customers to run analytics in general business intelligence tools.
Oltsik says analytics is complicated, but CISOs can take some small steps to get into it.
He recommends first looking at the data they already collect and what they are already doing analytics on, and then making a list of what they think they should be doing analytics on.