Innovation changes the playing field and forces mindsets to change perspectives. The question is when do you understand the change, its impact and how to adjust future plans? Early innovation often shows up in start-up vendors or as a feature within existing solution silos after a year or more on a product roadmap. The problem with big data and machine learning analytics is that they do not fit into one solution silo, even within the realm of security.
This is evident when reviewing analyst reports for behavior analytics and the subsets of user and entity behavior analytics (UEBA), identity analytics (IdA) and cloud security analytics (CSA). The vertical solution silos identified by analyst acronyms keep things clean and organized at the expense of recognizing the full impact of the innovation.
How do machine learning models share analytics between vendor A for your SIEM (security information and event management), vendor B for your CASB (cloud access security broker) and vendor C for IAM (identity access management)? A use case in point is privileged access abuse requiring vendors A, B and C to interoperate within a hybrid environment. Forrester notes that there are more than 50 vendors in its SUBA (security user behavior analytics) report, demonstrating the breadth of the innovation and the solution silos affected. Gartner, meanwhile, considers behavior analytics as a mainstay of UEBA and lightly ties with IAM and CASB via machine learning.
The reality is that big data is a horizontal plane where its volume and variety provide the context for machine learning models to deliver useful analytics. This brings up the concept of ‘data democracy’ enabled by vendor solutions with APIs to access the data, not restrict its use to a single siloed solution, which results in holding the customer hostage for any analytic value. SaaS applications also need a standard API with a reasonable SLA, and the Cloud Security Alliance is likely the best driver for it. CSO and CISOs should inventory key data sources for machine learning analytics and validate vendor solutions for access to it, including bidirectional APIs to enable automated risk response.
Diving into behavior analytics, another horizontal plane to recognize is identity. Analyzing the access and activity of a user for their accounts and entitlements is ground zero for predictive risk scoring. Activity alone fails to provide enough context and visibility. The gap with access must be closed to evaluate risk. CROs understand this issue and now demand risk scoring down to the entitlement level, while also understanding the benefit of uncovering hidden privileged access through IdA and thus what activity to analyze for access abuse. What good is an IAM solution that locks up access rights data required for analysis with activity data by machine learning models? The CIO and CISO gap lies between identity access management and security teams analyzing activity in separate silos with sometimes conflicting mandates.
The vertical solution silo approach for big data and analytics is too often dysfunctional as the most effective solution involves maintaining a horizontal plane perspective. Early adopters have figured out the migration to big data lakes in order to store data for long-term value at the lowest cost. To maximize that advantage, analytics should then run on top of customer-selected big data lakes to avoid reading and storing the data more than once. Vendors A, B and C provide data inputs while receiving analytic responses with risks scores working on a horizontal plane. A customer choice for a solution silo should not restrict the machine learning analytics available, nor should data be held hostage within closed solutions. In the past few years, more than 90% of all data in existence has been generated. We are entering a new environment of rapidly expanding digital exhaust, where behavior can determine identity, access risks, unknown threats, and integrity through machine learning models, but only if security leaders maintain a horizontal and holistic perspective.