Forensic analytics not security silver bullet

Forensic analytics cannot completely eradicate security issues but can help companies better understand their security risks, which is key to a comprehensive security strategy.
Written by Jamie Yap, Contributor

The volatile nature of security attacks does not mean forensic analytics are ineffective, since studying past incidents can help companies better understand their risks and be better prepared for a breach.

Forensic analytics generally entail looking back at past incidents to determine what went wrong, the damage incurred, and who was responsible for the attack. However, such findings may not always be useful in creating a robust and adaptable security strategy, since perpetrators change attack methods very quickly these days, noted Martin Kuppinger, principal analyst and founder at KuppingerCole, which researches information security.

Yet, this volatility of security threats does not make forensic analytics irrelevant, he said. "Security attacks are unpredictable in that you will never know which specific type of attack will hit your organization. But they are predictable in the sense that you can identify the potential attack targets, such as which information and systems are likely to be attacked or what value is there for the attackers," Kuppinger explained.

As such, it is about understanding all the potential risks, at all levels, and this enables companies to know the areas on which to focus their security initiatives, he said.

Companies may find they need forensic analytics to know what previous attacks happened, and why. Without this knowledge, they cannot change or improve their understanding of potential risks or come up with better security measures, he added.

Forensic analytics should therefore be part of a broader set of approaches adopted to increase security, Kuppinger said.

"You have to think of it as a pyramid, with the organization, guidelines, processes, risk management, controls, and so on, at the top, a management layer in between, and technical enforcement at the bottom," he said.

As one of the components which make up the base layer of technical enforcement, forensic analytics help identify weaknesses and enable better protection, but cannot resolve security issues on their own, he added.

Andrew Kellett, principal analyst for security at Ovum, similarly noted that no security technology, forensic analytics being no exception, can grant full protection against malware, theft or fraud. Depending on the circumstances, one type of security tool may have a bigger role than another to play in helping to achieve better protection and preparation.

Kellett also underscored the role of forensic analytics in the overall security strategy. "The nature of the beast is its unpredictability, but that does not stop security experts from putting in place solutions that forensically examine fraudulent activity." He noted, however, that success rates are difficult to quantify. "It's also difficult to get end-user organizations to talk openly about [the] success [of] using [forensic] security products."

Companies may also not have the budget to invest in forensic analytics, the Ovum analyst added.

The analysts' comments come after a ZDNet Asia report citing the chief security technology officer of BT, Bruce Schneier, who said anticipating cyberthreats to fend off attacks will not enhance a company's security posture. The more a company tries to pin down online attacks through predictions, the more cybercriminals are motivated to adapt and create new strategies to attack, he noted.

Analytics necessary for data growth
With the growth of data volume and variety, Kuppinger said big data and analytics will indubitably play a vital role in the security space over the next few years.

Kellett added that the security market is moving toward the use of such tools to reduce the time lag between breach identification and remediation.

So while forensic analytics may not specifically be at the fore, enterprises will undoubtedly focus on analyzing large volumes of data to achieve their security objectives, he concluded.
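The two uses of forensic analytics the analysts describe, identifying which assets are likely targets and what they are worth to an attacker (Kuppinger), and measuring the lag between breach identification and remediation (Kellett), can be shown on a small incident log. The following is an added example, not code from the article or from KuppingerCole or Ovum; the incident records, asset names and asset-value scale are constructed for illustration.

```python
"""Retrospective incident analytics over a constructed incident log.

Added example (not code from the article or from KuppingerCole/Ovum).
All records, asset names and asset values below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed incident records: one per past incident, with the targeted
# asset, the attack category, when the breach was identified and when it
# was remediated (ISO 8601 timestamps).
INCIDENTS = [
    {"id": "INC-001", "target": "customer-db", "category": "sql-injection",
     "detected": "2013-01-04T09:12:00", "remediated": "2013-01-06T17:30:00"},
    {"id": "INC-002", "target": "mail-gateway", "category": "phishing",
     "detected": "2013-01-11T14:05:00", "remediated": "2013-01-11T18:05:00"},
    {"id": "INC-003", "target": "customer-db", "category": "credential-theft",
     "detected": "2013-02-02T03:40:00", "remediated": "2013-02-05T03:40:00"},
    {"id": "INC-004", "target": "web-frontend", "category": "defacement",
     "detected": "2013-02-20T22:00:00", "remediated": "2013-02-21T00:00:00"},
    {"id": "INC-005", "target": "customer-db", "category": "sql-injection",
     "detected": "2013-03-09T10:00:00", "remediated": "2013-03-10T10:00:00"},
]

# Constructed, hypothetical estimate of what each asset is worth to an
# attacker on a 1-10 scale (e.g. from a data-classification exercise).
ASSET_VALUE = {"customer-db": 9, "mail-gateway": 4, "web-frontend": 3}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def lag_hours(incident):
    """Hours between breach identification and remediation for one incident."""
    delta = _parse(incident["remediated"]) - _parse(incident["detected"])
    return delta.total_seconds() / 3600.0


def target_frequency(incidents):
    """How often each asset was the target of a past incident."""
    return Counter(i["target"] for i in incidents)


def median_lag_by_target(incidents):
    """Median identification-to-remediation lag (hours) per targeted asset."""
    lags = defaultdict(list)
    for i in incidents:
        lags[i["target"]].append(lag_hours(i))
    return {t: median(v) for t, v in lags.items()}


def prioritize_targets(incidents, asset_value):
    """Rank assets by (attack frequency x attacker value), highest first.

    This is the 'predictable' side of attacks: the next specific attack is
    unknown, but the assets worth defending first can be read off past data.
    Assets with no value estimate default to 1.
    """
    freq = target_frequency(incidents)
    scores = {t: freq[t] * asset_value.get(t, 1) for t in freq}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def categories_for(incidents, target):
    """Which attack methods hit a given asset, most common first."""
    return Counter(i["category"] for i in incidents
                   if i["target"] == target).most_common()


if __name__ == "__main__":
    lags = median_lag_by_target(INCIDENTS)
    for target, score in prioritize_targets(INCIDENTS, ASSET_VALUE):
        print(f"{target:14s} priority={score:3d} median_lag_h={lags[target]:6.1f} "
              f"methods={categories_for(INCIDENTS, target)}")
```

On the constructed data the customer database ranks first (three incidents on the highest-value asset) and also has the longest median lag between identification and remediation, which is the kind of finding that tells a company where to focus both preventive controls and response effort.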
