Moving Toward an Analytics-Driven Security Operations Model

This blog post is an excerpt from our recent pocket guide, Analytics-Driven Security in Government: Breaking Down What You Need to Know. To read the whole report, download it for free here.

The reality today is that adopting an analytics-driven approach to security does not require a massive investment and forklift “re-do” – rather, it can be as straightforward as rethinking the overall approach and aligning to trends in how security operations are evolving across the industry.

To understand how and why this is important in government, GovLoop sat down with Jae Lee, Product Marketing Director, Security Markets, Splunk, and John Stoner, Security Strategist for Splunk Public Sector.

Stoner said that today’s government faces challenges unlike any era before. “Everything around cybersecurity is more complex today – there’s bigger threat surfaces and more complicated attacks,” he said. “And there are more mandates and cyber-hygiene requirements to keep up with, too.”

Additionally, given the rate and sophistication of modern-day threats, many legacy security technologies and approaches by themselves tell only one piece of the story. Government IT professionals can still fall prey to old-fashioned approaches and a “set it and forget it” mentality, which does not take a proactive approach to discovering cyberthreats.

Finally, IT departments are often beset with such a variety of tools that they are overwhelmed. “The main obstacle government is often facing is not that they don’t have the right tools,” Lee said. “It’s that they can’t get context and insight from all those different tools quickly enough and all in one place to perform an efficient investigation.”

This is a primary reason why adopting an analytics-driven security approach can help improve security, cyber hygiene and compliance. Threat detection, monitoring, incident investigation and response, and forensic analysis can all be greatly accelerated and enhanced as a result.

“An analytics-driven approach to security enables better prioritization, handling, and response of the most critical threats, faster resolution of threats, regardless of the size of the security team, and longer-term, the ability for that team to grow, adapt, and standardize the operational aspects of handling and remediating security incidents,” Lee said.

Today’s security operations are evolving to be ever more proactive and nimble. A traditional SOC is more “tiered,” meaning there are traditional escalation paths and very specific capabilities per each tier, and most tasks are handled via a specific set of procedural guidelines that encompass a combination of different monitoring, investigative, and other tools.

The current trend in security operations is moving toward a combination of virtual, managed services, multi-tiered approaches, and more lightweight teams or “crews” who respond to an incident in a more agile manner.

In order to accomplish this level of agility, security architectures – including the “landfill” of multi-vendor security architectures – must somehow work together. The multi-layered defense consists of many layers of tools and products that were not designed to work together, leaving gaps in how security teams bridge multiple domains.

A modern and evolving security operations model must take an analytics-driven approach to cybersecurity if it hopes to keep pace with the evolving threat landscape. For security operations, advanced analytics is the foundation that enables capabilities such as threat and vulnerability management, incident prioritization, advanced threat detection, and threat hunting and investigating.

“With an analytics-driven approach you can build a stronger security posture and improve cross-department collaboration,” Stoner said.

Another key advantage can come in the form of implementing an adaptive approach to security. An adaptive security architecture can enhance the ability to prevent, detect, respond and even predict threats – at machine speeds. By proactively gathering additional insights, including enrichment from threat intelligence feeds, and by being able to automate actions, security teams can more effectively minimize risk, quickly detect and respond to internal and external attacks, simplify threat management, and gain continuous organization-wide visibility.
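The enrichment-and-automation loop described above, as an added example that is not code from Splunk or from this guide: constructed firewall-style log lines are parsed, each destination is looked up in a constructed threat-intelligence indicator set (using RFC 5737 documentation addresses), the affected host's criticality is pulled from a constructed asset inventory, and the result is scored so a small crew sees the highest-risk events first with a suggested next step. The field names, weights and action thresholds are assumptions chosen for illustration.

```python
"""Enrich parsed log events with threat-intelligence and asset context, then rank them.
Added illustration for an analytics-driven triage flow; every dataset below is constructed."""
import re
from dataclasses import dataclass

# Constructed syslog-like firewall records (not real telemetry).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=web01 src=10.0.0.5 dst=203.0.113.7 action=allow bytes=1200",
    "2024-05-01T10:00:05Z host=web01 src=10.0.0.5 dst=198.51.100.23 action=allow bytes=88000",
    "2024-05-01T10:00:09Z host=db01 src=10.0.0.9 dst=192.0.2.44 action=deny bytes=0",
    "2024-05-01T10:00:12Z host=hr03 src=10.0.0.21 dst=198.51.100.23 action=allow bytes=150",
]

# Constructed indicator feed: destination IP -> (confidence 0-100, campaign label).
THREAT_INTEL = {
    "198.51.100.23": (90, "constructed-campaign-A"),
    "192.0.2.44": (40, "constructed-scanner"),
}

# Constructed asset inventory: host -> business criticality (1 low .. 5 high).
ASSET_CRITICALITY = {"web01": 3, "db01": 5, "hr03": 4}

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<nbytes>\d+)"
)


@dataclass
class Event:
    ts: str
    host: str
    src: str
    dst: str
    action: str
    nbytes: int
    ti_confidence: int = 0   # filled in by enrich()
    ti_label: str = ""       # filled in by enrich()
    criticality: int = 1     # filled in by enrich()
    score: int = 0           # filled in by score_event()
    recommended_action: str = "none"


def parse(line):
    """Parse one record; return None for lines that do not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["nbytes"] = int(d["nbytes"])
    return Event(**d)


def enrich(ev, intel=THREAT_INTEL, assets=ASSET_CRITICALITY):
    """Attach indicator confidence/label and asset criticality to the event in place."""
    ev.ti_confidence, ev.ti_label = intel.get(ev.dst, (0, ""))
    ev.criticality = assets.get(ev.host, 1)  # unknown hosts default to low criticality
    return ev


def score_event(ev):
    """Assumed scoring: indicator confidence weighted by asset value, doubled when the
    traffic was allowed (a completed connection matters more than a blocked attempt)."""
    if ev.ti_confidence == 0:
        ev.score, ev.recommended_action = 0, "none"
        return ev
    base = ev.ti_confidence * ev.criticality
    if ev.action == "allow":
        base *= 2
    ev.score = base
    if ev.score >= 500:
        ev.recommended_action = "escalate_and_contain"
    elif ev.score >= 200:
        ev.recommended_action = "open_investigation"
    else:
        ev.recommended_action = "watchlist"
    return ev


def triage(lines):
    """Parse, enrich and score every line; return matched events, highest score first."""
    events = [score_event(enrich(ev)) for ev in map(parse, lines) if ev is not None]
    return sorted((e for e in events if e.score > 0), key=lambda e: e.score, reverse=True)


def hosts_by_indicator(events):
    """Pivot the ranked events so one indicator's reach across hosts is visible in one place."""
    pivot = {}
    for e in events:
        pivot.setdefault(e.dst, set()).add(e.host)
    return {ind: sorted(hosts) for ind, hosts in pivot.items()}


if __name__ == "__main__":
    ranked = triage(SAMPLE_LOGS)
    for e in ranked:
        print(f"{e.score:4d} {e.host:6s} -> {e.dst:15s} {e.ti_label:24s} {e.recommended_action}")
    print(hosts_by_indicator(ranked))
```

The pivot at the end is the part a tiered SOC typically lacks: the same indicator hitting two departments' hosts is reported as one picture rather than two unrelated tickets, which is the cross-department context Lee describes.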

That’s where Splunk comes in. They help security teams navigate uncharted waters and quickly identify, investigate, respond and adapt to threats in dynamic, digital environments. Splunk security solutions provide valuable context and visual insights to help security teams make faster and smarter security decisions. Security teams in government agencies use Splunk software to help protect their most critical assets, improve security posture and reduce false positives, and anticipate the unknown within the rapidly changing threat landscape.

By bringing multiple IT areas together, Splunk software enables collaboration and efficient implementation of security best practices – including how security teams interact with data and automate actions to address modern cyber threat challenges. With Splunk as the “security nerve center,” teams can optimize people, process and technology. Security teams can leverage statistical, visual, behavioral and exploratory analytics to drive insights, decisions and actions.

