The industry asks... Why no security analytics market?
So, occasionally I get this call from somebody (vendor, end-user, investor, etc) inquiring about “the size of the security analytics market.”
They are usually shocked at our answer: since there is no such market, there is no size to report.
If you recall, we [as well as myself] don’t really believe there is such a market at this time and find any discussion of its size “premature” (at least).
Let’s explore this in detail – and hopefully save some of my time for loftier pursuits.
In essence, if you are in the market for a car, you are very unlikely to buy a toilet bowl or a jet plane instead. Everybody knows what is a car, what it does, how it functions [well, at some level] and how much it costs.
Sure, there is a difference between a Kia and a Maserati, but such variances are easily understood by the customers.
While market definition in general is hard, industrial organization (IO) economics have made a lot of practical advances towards that goal (for example, some use “the smallest area within which it is possible to be a viable competitor”).
Close to home in our infosec (“cyber security”?) realm, if you need DLP, you go and buy DLP. If you need a WAF, you go get that. Even with SIEM, there is relative clarity in terms of features, benefits and prices.
Do we see ANYTHING of this sort when “security analytics” is mentioned?
No, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no, no! :-)
There is no common feature set, no critical/core capabilities, no jointly understood need, no buyer-seller agreement on anything, no clear competitive dynamics ….
As we say in our paper “defining “security analytics” at this point simply involves looking up the words in the dictionary. There is no “security analytics market” or dedicated and purchasable “security analytics tools”; security analytics is a concept that an organization can practice, but can’t buy.
Many different tools — from network intrusion prevention system (NIPS) to DLP and SIEM — use various algorithms to analyze data, thus performing analytics.
Thus, if security-relevant data is subjected to analytic algorithms, security analytics is being practiced.”
Along the same line, one enterprise I spoke with defined it as “ability to analyze lot of security data over long periods of time, find threats and create models” [not too specific – but hitting a few interesting things such as long term analysis, threat discovery, models, etc]
In fact, I can give you a handy analytical tool to create your very own “security analytics” vendor – right here, right now! FREE!!
Here is how it works – pick one or more from each item 1.-4. below:
1. Pick a problem to solve (sadly, some vendors have skipped this step altogether; others chose really hard, fuzzy problems like insider threat or “advanced” threat)
2. Collect some data (some logs, network flows, session metadata, full packets, threat intelligence, process execution records, whatever – the more, the merrier!)
3. Analyse it in some way (ideally not by using rules, but any algorithm will suffice – think various types of ML [supervised or unsupervised], clustering, deep anything, forensics something, text mining, etc]
4. Present the results in some way (ideally visualise, but – if you are adventurous – also act automatically, reconfigure, etc)
That’s it! In your mind, you are now a player in a burgeoning [in your mind] “security analytics market”…
BTW, if you want to hear me ramble about it even more, check out this podcast [MP3]