
When seconds count: How Security Analytics Improves Cybersecurity Defenses

Larry Ponemon

When Seconds Count: How Security Analytics Improves Cybersecurity Defenses, sponsored by SAS Institute, was conducted to evaluate organizations’ experiences with security analytics solutions. Specifically, how have these solutions affected organizations’ security postures? Where have security analytics initiatives succeeded or encountered roadblocks?

Ponemon Institute surveyed 621 IT and IT security practitioners who are familiar with and involved in security analytics in their organizations. Eighty-seven percent of these respondents have personally been using the security analytics solution in their organizations, and 80 percent of these organizations have solutions that are fully implemented.

Although many respondents cite deployment challenges, they still believe security analytics has been effective. They report a major improvement in reducing the number of false positives in the analysis of anomalous traffic. Before implementation, 80 percent of respondents say it was very difficult to reduce false positives. After implementation, only one-third of respondents say reducing the number of false positives is very difficult.

Key findings

In this section of the report, we provide an analysis of the findings. The complete audited research results are presented in the Appendix of this report. We have organized the report according to the following topics.

  • Organizations’ security analytics experiences
  • Results of organizations’ security analytics initiatives
  • The future of security analytics: the integrated security intelligence platform
  • Tips for successful security analytics initiatives

Organizations’ security analytics experiences

Most organizations adopt security analytics after an attack. As shown in Figure 2, 68 percent of respondents say the main driver to implement a security analytics solution was a cyber attack or successful intrusion and 53 percent of respondents say their organization was concerned about becoming a victim of a cyber attack or successful intrusion. Only 33 percent of respondents say their organizations are proactive and regularly update their cyber defenses with new technologies.

Organizations use a variety of security analytics solutions, but in-house developed tools are most popular. According to Figure 3, 50 percent of respondents use in-house developed tools together with a data lake, followed by 47 percent of respondents who use a Security Information and Event Management (SIEM) solution. Thirty-nine percent of respondents say their solution is delivered and managed by a third party.

Security analytics solutions are most often deployed both on premises and in the cloud (40 percent of respondents). Thirty-three percent of respondents say the solution is deployed on premises only, and 23 percent of respondents say it is deployed in the cloud only.

Most respondents say the initial deployment of security analytics was challenging. Fifty-six percent of respondents say it was very difficult (26 percent) or difficult (30 percent) to deploy security analytics.

According to Figure 4, 67 percent of respondents who feel the deployment was difficult cite extensive configuration and/or tuning before it was usable. Fifty-one percent of respondents felt there was too much data to deal with and 45 percent of respondents say they had issues getting access to the required data.

Data is a critical component of security analytics initiatives. According to Figure 5, 65 percent of respondents say data challenges are a barrier to success followed by lack of in-house expertise (58 percent of respondents) and insufficient technologies (50 percent of respondents).

Only 40 percent say insufficient resources are a challenge. The findings reveal that the average cybersecurity budget is $12.5 million, and that an average of 22 percent of this budget is earmarked for big data analytics.

The quality of data collected and used for security analytics is the biggest data challenge. As shown in Figure 6, 66 percent of respondents say data quality is an issue followed closely by the ability to integrate data (65 percent of respondents) and data volume (55 percent of respondents). Only two percent of respondents say they have no data challenges.

Most organizations are looking to security analytics to learn what is happening in their networks now. Each one of the objectives listed in Figure 7 is considered important. Seventy-two percent of respondents say it is important or essential to be able to detect security events in progress, followed by the ability to determine the root cause of past security events (forensics), cited by 69 percent of respondents.

Respondents also consider it important to provide advance warning about potential internal threats and attackers (65 percent of respondents), to provide advance warning about potential external threats and attackers (62 percent of respondents), to prioritize alerts, security threats and vulnerabilities (62 percent of respondents), and to analyze logs and/or events (61 percent of respondents).

To read the rest of this research, visit the SAS website.

Howard Schmidt, America's digital guardian angel, served as cyberczar to two Presidents — a memorial

Howard Schmidt

Bob Sullivan

Howard Schmidt had an incredible American life.  He was cyberczar to two presidents – a Republican and a Democrat.  Before that, he ran security at Microsoft, and later practically rescued eBay when it was turning into a cesspool of fraud.  He was a soldier (Air Force, then the Army Reserves), a cop (in Arizona), a genius, and a gentleman. He was one of the first law enforcement officers in America to understand how computers could be used to catch criminals.  He won a Bronze Star in Vietnam. He was an in-demand speaker everywhere on the planet.  I saw him dazzle crowds everywhere from Seattle to Romania.

But I knew him as the guy who always wanted to help. Everyone, all the time.

He died today, “in the presence of his wife and four sons…a loving husband, father and grandfather peacefully passed away following a long battle with cancer,” according to a statement posted on his Facebook page.

I first met Howard Schmidt in the late 1990s when he was the big-deal keynote speaker at a computer conference I had attended as a cub reporter.  I was a nobody. But good fortune had us both stranded in an airport when our flights were canceled, both trying to get back to Seattle. I worked up the courage to talk to him in the waiting area about our options for getting home.  When we ended up on the same flight, and he discovered I wasn’t traveling in first class, he stopped me at the gate.

“No colleague of mine sits in the back while I sit up front,” he said, a kindness so genuine I never forgot the tone of voice he used.  He upgraded me to first class so we could sit together.  During the next three hours, I enjoyed a graduate-school class in cyber-security as I picked his brain about everything.

Howard was a natural giver.

The most important thing to know about Howard is that the job of White House cyberczar is awful.  All the responsibility, none of the power.  Herding cats. Pick your cliché.  Making America’s computers secure is the job of private industry. They own all the hardware; they write all the software; they hire all the best people.  All a government official can do is “coordinate.”  Cajole. Beg and plead.  It sounds like a glamorous job. In fact, the pay stinks, compared to what someone like Howard could earn in the tech world. And it’s kind of humiliating to go around begging companies to share what they know about hackers.

But it had to be done. Howard was always doing what had to be done.

Along the way, he always took my calls.  He would message me from half-way around the world, and apologize if it took him 10 hours to get back to me.  Sometimes, he even dragged me along, as in the case of a banking security conference in Bucharest where Howard and I both spoke. A few years later, I ended up getting a plum invitation to speak in Malta at a similar conference. Howard never admitted it, but I’m virtually sure he set me up for the gig because it was one of the few times he had to turn something down.

Whenever we spoke, I would get tired just hearing about Howard’s grueling travel schedule. When he finally started to slow down, he spent his last years traveling, of course…this time via motorcycle. Sometimes to see America’s beauty, but mostly to see his grandchildren.

“Ride my bikes as much as possible in Milwaukee…our second home (grandkids),” he messaged me once.

Howard was always interested in what I was doing, and cheered me on as I had some success writing books. So it was natural that the day he retired from the White House, we chatted about doing a book together.

“I get approached all the time about doing one,” he said.

“Let’s chat some time and see if there isn’t a good fit? Before the months disappear,” I pleaded.  It was one of those conversations we never finished, one of those dream projects that you never get to.

I didn’t know Howard was sick until recently.  I reached out to him when President Donald Trump *almost* signed an executive order on cybersecurity. If anyone could make sense of it, he could.  I messaged him on Facebook.

“Hi Bob, This is Howard’s wife,” the response came. “Howard is fighting a brain tumor and apologizes for not being able to help.”

I was stunned.  But also, not stunned. I could picture Howard lying there, as ill as a human being can be, apologizing because he couldn’t help.  Perhaps the words he used suggested he meant “help you with your story.” But I know what he really meant:  he felt badly he couldn’t help the country.

I said I would pray for him and asked if there was anything I could do. Then, true to form, he tried once more.

“Howard said he will call in a little while,” his wife wrote to me.

He never did call; I figured he’d had a bad day and I didn’t want to be a pest.  I’m so sad it was my last chance.  Let me tell you: I am much more sorry that Howard was unable to help us this one last time. Heaven knows we need it.

I’ll console myself with the thought that Heaven’s networks are much more secure now, and the Devil is no longer spreading viruses up there.

Like all women and men who work in the protection field — computer security people, health department inspectors, fire marshals — Howard spent a lifetime toiling tirelessly and invisibly, saving people from dangers they never knew existed.  Countless crushing hacker attacks didn’t happen because of Howard’s work.  He was America’s digital guardian angel for many decades. In fact, his work lives on, and you will continue to enjoy the protections from policies that Howard created and pushed for years, if not decades.

Now, he’s a real Guardian Angel. I suspect we’ve yet to see his best work.