The other approach is to baseline enterprise activity. Traffic logs and netflow records, application and database logs, transaction data, and authentication and logon data are all rich in security-relevant signal. Baseline these data, Rothman advises. "Then constantly look for anomalous situations that deviate from that baseline." But it's not just about raw data collection, of course. "The issue is not how much data you are getting, or how you look at them in new ways, but how effective is the information you get and how can you act on it? Pretty visualizations and pie-charts don't protect your systems; good actionable information does," says Honan.
Most of the experts interviewed suggest that enterprises also continue to expand the systems and types of data monitored. "If you are only using events from a certain type of device, start adding more events. If you are not using full back-capture, then start doing that. If you are not pulling endpoint-level telemetry, then that would be another area to start thinking about," says Rothman. "What you want to do is start building out a broader collection environment. This will give you the ability to start looking for patterns based upon a more inclusive and broader data set," he says.
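The baseline-then-deviate loop that Rothman describes, and the idea that a broader collection feed should drop into the same analysis, can be made concrete with a small script. The following is an added example written for this article, not code from Rothman, Honan or any vendor mentioned here: it parses constructed logon records (the whitespace format, the three-day baseline window, the 3-sigma threshold and the one-event-per-day variance floor are all assumptions), builds a per-user baseline of daily logon volume and known source addresses, and then reports where a later day deviates from that baseline. The detection routine only sees (date, entity, source, result) tuples, so a second parser for netflow or application logs could feed the same baseline logic unchanged.

```python
"""Baseline per-user logon activity and flag deviations on a later day.

Added example, not from the article. The record format, baseline window and
thresholds are assumptions chosen for illustration; a production baseline
would span weeks and usually be split by weekday and hour.
"""
import statistics
from collections import defaultdict

# Constructed sample data, not real logs: "<date> <time> <user> <src_ip> <result>".
# 2024-03-01..03 form the baseline; 2024-03-04 is the day being checked.
LOGON_RECORDS = """\
2024-03-01 08:01 alice 10.0.0.5 ok
2024-03-01 09:12 bob 10.0.0.9 ok
2024-03-01 13:40 alice 10.0.0.5 ok
2024-03-01 17:02 bob 10.0.0.9 ok
2024-03-01 18:15 alice 10.0.0.5 ok
2024-03-02 08:03 alice 10.0.0.5 ok
2024-03-02 08:44 bob 10.0.0.9 ok
2024-03-02 11:17 alice 10.0.0.5 ok
2024-03-02 14:58 alice 10.0.0.5 ok
2024-03-02 16:20 alice 10.0.0.5 ok
2024-03-02 18:01 bob 10.0.0.9 ok
2024-03-03 08:00 alice 10.0.0.5 ok
2024-03-03 09:31 bob 10.0.0.9 ok
2024-03-03 12:10 alice 10.0.0.5 ok
2024-03-03 15:47 bob 10.0.0.9 ok
2024-03-03 19:05 bob 10.0.0.9 ok
2024-03-04 02:11 bob 203.0.113.7 fail
2024-03-04 02:12 bob 203.0.113.7 fail
2024-03-04 02:13 bob 203.0.113.7 ok
2024-03-04 08:02 alice 10.0.0.5 ok
2024-03-04 08:30 bob 10.0.0.9 ok
2024-03-04 10:45 carol 10.0.0.22 ok
2024-03-04 12:30 alice 10.0.0.5 ok
2024-03-04 15:00 bob 10.0.0.9 ok
2024-03-04 16:10 alice 10.0.0.5 ok
2024-03-04 17:20 bob 10.0.0.9 ok
2024-03-04 18:40 bob 10.0.0.9 ok
"""

BASELINE_DAYS = ("2024-03-01", "2024-03-02", "2024-03-03")  # assumed window


def parse(text):
    """Yield (date, user, src_ip, result) tuples from the assumed record format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, _time, user, src, result = line.split()
        yield date, user, src, result


def build_baseline(records, baseline_days):
    """Per-user daily event counts (zero-filled) and known source IPs in the window."""
    counts = defaultdict(lambda: {d: 0 for d in baseline_days})
    sources = defaultdict(set)
    for date, user, src, _result in records:
        if date in baseline_days:
            counts[user][date] += 1
            sources[user].add(src)
    return counts, sources


def detect(records, baseline_days, target_day, k=3.0, min_stdev=1.0):
    """Return a list of (user, reason) findings for target_day.

    Daily event volume is compared with mean + k*stdev of the user's own history;
    min_stdev keeps a perfectly flat baseline from flagging a single extra logon.
    A source IP never seen for that user in the window is reported separately,
    and a user with no baseline at all is reported rather than silently scored.
    """
    records = list(records)
    counts, sources = build_baseline(records, baseline_days)
    observed = defaultdict(int)
    new_sources = defaultdict(set)
    for date, user, src, _result in records:
        if date == target_day:
            observed[user] += 1
            if src not in sources.get(user, set()):
                new_sources[user].add(src)

    findings = []
    for user in sorted(observed):
        if user not in counts:
            findings.append((user, "no baseline: user never seen in window"))
            continue
        history = list(counts[user].values())
        mean = statistics.mean(history)
        spread = max(statistics.stdev(history), min_stdev)
        if observed[user] > mean + k * spread:
            z = (observed[user] - mean) / spread
            findings.append((user, f"volume {observed[user]} vs baseline mean {mean:.1f} (z={z:.1f})"))
        for src in sorted(new_sources[user]):
            findings.append((user, f"first-seen source {src}"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(parse(LOGON_RECORDS), BASELINE_DAYS, "2024-03-04"):
        print(f"{user}: {reason}")
```

On the constructed data, alice's day stays inside her own band, bob is reported twice (seven logon events against a baseline of two to three, and a source address he has never used), and carol is surfaced as having no baseline at all. The last case is the one that matters when collection is being widened as Rothman suggests: a freshly added log source or a new account produces entities with no history, and those should be reported as "unbaselined" rather than scored against an empty distribution.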
Regardless of an enterprise's current maturity with security analytics, security technologies will soon have analytics capabilities built in. Gartner predicts that by 2020, 40 percent of enterprises will have built a purpose-built security data warehouse. "By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of 'normal' can be established and data analytics can be used to identify when meaningful deviations from normal have occurred," the research firm predicted earlier this year.
That type of analytics integration with security platforms would certainly be welcome. Perhaps the pervasive availability of security analytics tools will help with what Citi's Swick says is one of the biggest challenges security pros face: too much data and too little actionable insight. "Many CISOs are implementing SIEMs because that's what they're supposed to do. They don't understand enough about what it is that they are undertaking," says Swick.
Improved analytics toolsets could help security teams not only understand more about the data they collect -- and the risk that events actually pose to the business -- but also decide what to do about pressing threats and attacks far more swiftly than they do today. That would be a big and welcome step forward.