Today, cybersecurity, risk, and data protection are issues that are on upper management’s radar. Seeking to minimize the potential for business disruption, board members are getting more involved with the organization’s security program. Recent surveys indicate that 65% of companies are recruiting board members who are knowledgeable about security issues.
As a result, IT teams must prepare for management discussions that summarize the organization’s readiness to address security concerns across a vast, cloud-enabled landscape of users, applications, data, and threats. These discussions must do more than deliver a quarterly review of KPI’s, because they want to measure performance, map strategies to execution, and assess if things are going in the right direction. And if the numbers are not good, they need to know what they can do to make it better.
Unfortunately, these insights are often hard to obtain, because many security teams are dealing with reporting tools that produce some, but not all, of the information necessary to confidently engage in such comprehensive conversations. It always seems like there are knowledge gaps, often because the information is not available or not easily attainable. And the time spent every week producing reports and manipulating large volumes of data in spreadsheets is taking time away from the core mission of protecting the organization.
Understanding the role of analytics and reporting
Why is it so difficult to coax these answers? There are reporting tools in virtually every security product that an organization owns. But reporting is not the answer to every question, and the reasons why are not always apparent. Reporting is designed to answer very specific questions, and SecOps are increasingly being asked for dashboards that require analytics. Understanding where analytics can help is the first step towards building better, more effective communication with the management team.
The objective of reporting is to summarize the content of large data sets, which is useful when you need to get an understanding of what’s going on at a given point of time. The question is already known beforehand (such as “Top 10 DLP events”), so the process to generate the report is predefined and hardcoded. It also means that the data set to be analyzed is known in advance, the query against that data is predefined (counting the number of DLP violations), the variables that can be used to customize the query are predefined (a reporting tool might allow a range of dates, but not the flexibility to specify a range of weeks), and the format of the results are fixed (such as how the results can be displayed, filtered, or sorted).
Therefore, reporting satisfies requests for common, frequently repeated questions.These reports might be quite useful for people in a given role, such as what SecOps needs to monitor what’s happening right now. The unspoken challenge is that security teams are called upon to answer a lot of questions that lie beyond the realm of what can be predefined, such as analyzing why something is happening, is it getting worse, and why does it matter. Thus, an information gap emerges once the analysis requires an adjustment to the question, which drives changes to the query or manipulation and transformation of the data to pursue underlying causes.
Because the hardcoded components of reporting cannot be adjusted, security teams have had to rely on forklifting their dataset for import into other tools, such as the aforementioned spreadsheets or working with a business intelligence team. Neither of these approaches are as straightforward as it seems, since it requires rebuilding the dataset in a new location, and normalizing the data so it can be used by general purpose analytics tools. It would be far faster and easier if the security team could explore and analyze their own data sets with purpose built tools.
The case for Advanced Analytics
What if the security team had their own native analytics capabilities? That way they could work on their own data where it lives, without having to resort to the time consuming process of analyzing it externally. With analytics, SecOps have a framework to adjust the underlying (and otherwise immutable) query behind a report, thus opening up the ability to answer questions that have yet to be asked. The query, the data set, and the representation of the data can be changed, enabling the SecOps team to explore and contort data to find the deeper underlying truths that management wants to see.
Our customers using the Netskope Security Cloud have important capabilities for analyzing cloud and web activity using Cloud XD, which generates more than 500+ categories of metadata. Using Netskope Advanced Analytics, the SecOps team can tap directly into this rich data set to get answers on cloud risk, threat prevention, and data protection. The findings can be easily represented in a dashboard with visualizations that management understands, providing the common ground for better lines of communication. Advanced Analytics helps SecOps conduct further investigation into the data as well, with the ability to slice and dice the data to reveal the underlying reasons behind what’s happening.
These capabilities are just a fraction of what Advanced Analytics can do for you. I encourage you to learn more about Netskope Advanced Analytics by visiting: https://www.netskope.com/products/advanced-analytics.