Why would someone create a false choice between analytics and encryption? Well, an editor at Dark Reading might decide it’s worthy of clickbait headlines. Thus, we saw the following headline yesterday: “As Good as They’re Getting, Analytics Don’t Inherently Protect Data.” This comes courtesy of Scott Petry, CEO of Authentic8.
The crux of Mr. Petry’s thesis is that analytics solutions can only detect breaches but they cannot secure data that has already been stolen. True enough. But wouldn’t you want to detect breaches before data is exfiltrated? He does concede that, “analytics is not an either-or-choice with encryption … Both have their place.” However, I am a bit perplexed by his suggestion that some people are claiming enterprises should, “shift away from data security systems like encryption and move to analytics.” That would definitely be a minority opinion if it exists at all.
Are These Technologies Really in Conflict?
The editors square the circle by having a counterpoint article from FICO’s Doug Clare titled, “Encryption Has Its Place But It Isn’t Foolproof.” His rejoinder to Mr. Petry is illuminating at several points including the statement that, “Arguing against encryption would be a bit like arguing against locks on doors … But encryption alone is not enough, and may induce a false sense of security among those who depend on it.”
Mr. Clare goes on to describe encryption as a basic defense, much like a wall would be in the physical world. It blocks access to something you wish to protect. By contrast, information security analytics is an advanced capability providing situational awareness that can inform actions and decision making. He suggests, “analytics are to encryption what intelligence services are to military defenses. The increasing number, variety, speed, and severity of cyber attacks necessitate a dynamic cyber intelligence posture.”
What Information Security Analytics Is and Is Not
Probably the most provocative statement by Mr. Petry is that, “analytics is just a fancy word for monitoring.” Now his background at Postini and work at Authentic8 suggest he is a serious guy and his statements should be thoughtfully considered. Is analytics as positioned by cybersecurity vendors just monitoring? I hate to say it, but most of the time this statement would probably be correct. There is no end of marketing departments that have added the word analytics to cybersecurity software products that are really just throwing off indiscriminate alerts.
This may also be bred from perspective. Mr. Petry spent some time at Google after the Postini acquisition. Would he suggest that Google Search is simply monitoring? When you apply a static algorithm against a changing data set, is that monitoring with a filter or is there actual analysis going on there? If the algorithm could change dynamically based on the data stream as in machine learning, would that go beyond monitoring in his definition? What if pattern matching and correlation are involved? These are good questions, because the term analytics is overused to the point where it may have lost its meaning.
Analytics solutions should have analysis capabilities. Some of these analyses may be automated and run continuously, but there should also be the option for ad hoc queries. Humans sometimes have questions and ideas that machines will never originate. In fact, this is a common experience. That means information security analytics solutions should not be rigid. They must be flexible and enable both unique one-time analyses as well as repetitive ongoing analyses. Some of the analytics in the latter category may well fit the monitoring description, but the ad hoc investigations will not. This is a good cautionary point for end users. When a vendor claims to have analytics, caveat emptor; find out the true scope of the capability.
Making Analysts More Effective and Productive is the Point
Another suggestion by Mr. Petry is that analytics tools have a failing in that they require humans to operate and maintain them. I understand the desire to automate, but true analytics tools are designed to augment and facilitate the work of analysts, making them more effective and productive. It is about exposing contextual information and assisting with human decision making, as opposed to making decisions on behalf of humans.
Busting Analytics Myths and Getting to Answers
Aside from some oversimplifications, I enjoyed both Mr. Petry’s and Mr. Clare’s articles. And, the Dark Reading editors will be proud that their publishing ploy and catchy titles enticed me to read them. The fact is that both authors suggest that analytics and encryption have value. I couldn’t agree more. In fact, I will take this a step further. Enterprises need to increase their use of both analytics and encryption. Analytics will enable them to identify attacks faster, prevent others and reduce the negative impact of breaches. Encryption may reduce the damage done when breaches are successful.
I suggest people consider the concepts extolled by Jim Collins – the author of the landmark books on business strategy Good to Great and Built to Last – to avoid “the tyranny of the OR,” but instead “adopt the genius of the AND.” When considering your information security posture, this is good advice. Avoid false dilemmas.
By Scott Raspa