Press Release

STAMFORD, Conn., April 16, 2015

Gartner Says Security Analytics May Be Key in Breach Detection

Analysts to Discuss Emerging Security Trends and Technologies at Upcoming Gartner Security and Risk Management Summits

Although security spending is at an all-time high, security breaches at major organizations are also at an all-time high, according to Gartner, Inc. The impact of advanced attacks has reached boardroom-level attention, and this heightened attention to security has freed up funds for many organizations to better their odds against such attacks.

"Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level," said Eric Ahlm, research director at Gartner. "Security analytics platforms endeavor to bring situational awareness to security events by gathering and analyzing a broader set of data, such that the events that pose the greatest harm to an organization are found and prioritized with greater accuracy."

When it comes to gathering masses of security data that can be analyzed to bring greater meaning to security events, security information and event management (SIEM) technologies top the list of likely solutions. While most SIEM products can collect, store and analyze security data, the meaning that can be pulled from a data store (such as the security data held in a SIEM) depends on how the data is reviewed. How well a SIEM product performs automated analytics, as opposed to relying on analyst-written queries and correlation rules, has become an area of differentiation among SIEM providers.

User behavior analytics (UBA) is another example of security analytics that is already gaining buyer attention. UBA analyzes user activity much as a fraud detection system monitors a cardholder's transactions for theft: it learns what is normal for each user and flags deviations. UBA systems are effective at detecting meaningful security events, such as compromised user accounts and rogue insiders. Although many UBA systems analyze more than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach.
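As an added illustration of the baseline-and-deviation approach described above (example code, not Gartner's or any vendor's), the block below builds a per-user baseline of devices, countries and login hours from a history of login records, scores each new login by how many attributes are novel for that user, and separately flags "impossible travel" (two logins by one user from different countries within an hour). The login records, weights and thresholds are constructed for the example.

```python
"""Added example of a minimal user behavior analytics (UBA) check.
Not code from the press release; records and weights are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed historical logins: (ISO timestamp, user, device_id, country)
HISTORY = [
    ("2015-03-02T09:01:00", "alice", "laptop-01", "US"),
    ("2015-03-02T13:30:00", "alice", "laptop-01", "US"),
    ("2015-03-03T18:20:00", "alice", "phone-07", "US"),
    ("2015-03-04T08:45:00", "alice", "laptop-01", "US"),
    ("2015-03-02T08:10:00", "bob", "desk-22", "DE"),
    ("2015-03-03T08:05:00", "bob", "desk-22", "DE"),
    ("2015-03-03T19:40:00", "bob", "phone-03", "DE"),
]

# Constructed new logins to score against the baseline.
NEW_LOGINS = [
    ("2015-03-05T09:05:00", "alice", "laptop-01", "US"),    # routine
    ("2015-03-05T03:12:00", "alice", "unknown-99", "RU"),   # new device, new country, odd hour
    ("2015-03-05T08:30:00", "bob", "desk-22", "DE"),        # routine
    ("2015-03-05T09:10:00", "bob", "desk-22", "BR"),        # 40 minutes later, another country
]

# Assumed weights: a new country is a stronger signal than a new device.
WEIGHTS = {"new device": 1.0, "new country": 1.5, "unusual hour": 0.5}


def build_baselines(records):
    """Learn, per user, the devices, countries and login hours seen in history."""
    profiles = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for ts, user, device, country in records:
        p = profiles[user]
        p["devices"].add(device)
        p["countries"].add(country)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profiles)


def score_login(profiles, ts, user, device, country):
    """Return (score, reasons) for one login.

    Novel attributes compound: a new device from a new country at an odd hour
    looks like an account takeover, while any one of them alone is common, so
    two or more reasons double the summed weight. A user with no baseline at
    all is scored as fully novel so the login surfaces for review.
    """
    p = profiles.get(user)
    if p is None:
        return 3.0, ["no baseline for user"]
    reasons = []
    if device not in p["devices"]:
        reasons.append("new device")
    if country not in p["countries"]:
        reasons.append("new country")
    hour = datetime.fromisoformat(ts).hour
    if all(abs(hour - h) > 2 for h in p["hours"]):
        reasons.append("unusual hour")
    score = sum(WEIGHTS[r] for r in reasons)
    if len(reasons) >= 2:
        score *= 2
    return score, reasons


def impossible_travel(logins, max_minutes=60):
    """Flag consecutive logins by one user from different countries within max_minutes."""
    hits = []
    ordered = sorted((datetime.fromisoformat(ts), u, d, c) for ts, u, d, c in logins)
    last = {}  # user -> (timestamp, country) of the previous login
    for ts, user, _device, country in ordered:
        if user in last:
            prev_ts, prev_country = last[user]
            gap = (ts - prev_ts).total_seconds() / 60
            if prev_country != country and gap <= max_minutes:
                hits.append((user, prev_country, country, gap))
        last[user] = (ts, country)
    return hits


if __name__ == "__main__":
    profiles = build_baselines(HISTORY)
    for ts, user, device, country in NEW_LOGINS:
        print(ts, user, score_login(profiles, ts, user, device, country))
    print("impossible travel:", impossible_travel(NEW_LOGINS))
```

Run as-is, the routine logins score 0, alice's 03:12 login from an unknown device in a new country scores 6.0 with all three reasons, and bob's DE-to-BR pair 40 minutes apart is reported by the impossible-travel check even though his device did not change, which is the kind of geo-location context the paragraph refers to.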

"Today, there are certainly commercially viable applications of analytics to better position security technologies, such as with SIEM and UBA providers," said Mr. Ahlm. "However, the applications or other problems that can be addressed for other security markets are still emerging and on the whole, the security industry is rather immature in the application of analytics."

As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. Today, information about hosts, networks, users and external actors is the most common data brought into an analysis. However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.

Analytics systems, on average, do better analyzing lean, metadata-like data stores that let them produce interesting findings at near-real-time speed. The challenge with this approach is that major security events, such as breaches, don't happen all at once. There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event. Each of these on its own is a low-priority alert. When the three are viewed as a single incident that happens to span, say, three months, the priority of that incident is much higher than that of any of its parts, which is why "look backs" over long windows of retained data are a key concept for analytics systems.
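The look-back idea above, as an added example (not Gartner's code): events for the same host are chained into one incident when each falls within a look-back window of the previous one, and the incident's priority is raised when the chain reaches data leakage after the earlier stages. The stage names, weights, 90-day window and sample events are all constructed for the example.

```python
"""Added example: a look-back correlator that joins low-priority events into
one incident across months. Not code from the press release; stages, weights,
the window and the events are constructed."""
from datetime import datetime, timedelta

# Ordered attack stages with their stand-alone priorities (assumed values).
STAGE_ORDER = ["early_indicator", "minor_event", "data_leakage"]
STAGE_PRIORITY = {"early_indicator": 1, "minor_event": 2, "data_leakage": 4}
LOOKBACK = timedelta(days=90)  # how far back a new event may reach to join an incident

# Constructed events: (ISO timestamp, entity, stage, description)
EVENTS = [
    ("2015-01-05T09:12:00", "host-17", "early_indicator", "phishing mail delivered"),
    ("2015-01-05T11:40:00", "host-17", "minor_event", "new scheduled task created"),
    ("2015-03-20T02:05:00", "host-17", "data_leakage", "12 GB sent to external host"),
    ("2015-02-01T10:00:00", "host-42", "minor_event", "new scheduled task created"),
    ("2014-06-01T10:00:00", "host-99", "early_indicator", "phishing mail delivered"),
    ("2015-03-01T10:00:00", "host-99", "data_leakage", "large upload to file share"),
]


def parse(events):
    """Parse timestamps and return events in time order."""
    return sorted((datetime.fromisoformat(ts), e, s, d) for ts, e, s, d in events)


def _finish(inc):
    """Compute the incident's chain and priority.

    The chain is complete when every stage is present and the first sighting
    of each stage is in the expected order. A complete chain is far worse than
    the stand-alone leakage alert, so its summed priority is doubled.
    """
    first_seen = inc["first_seen"]
    chain = [s for s in STAGE_ORDER if s in first_seen]
    base = sum(STAGE_PRIORITY[s] for s in chain)
    times = [first_seen[s] for s in chain]
    complete = chain == STAGE_ORDER and times == sorted(times)
    inc["chain"] = chain
    inc["priority"] = base * 2 if complete else base
    inc["max_single"] = max(STAGE_PRIORITY[s] for s in chain)
    return inc


def correlate(raw_events, lookback=LOOKBACK):
    """Group each entity's events into incidents.

    An event joins the entity's open incident if it occurs within `lookback`
    of that incident's most recent event; otherwise it opens a new incident.
    """
    by_entity = {}
    for ts, entity, stage, desc in parse(raw_events):
        incidents = by_entity.setdefault(entity, [])
        if incidents and ts - incidents[-1]["last"] <= lookback:
            inc = incidents[-1]
        else:
            inc = {"entity": entity, "first": ts, "last": ts, "events": [], "first_seen": {}}
            incidents.append(inc)
        inc["events"].append((ts, stage, desc))
        inc["first_seen"].setdefault(stage, ts)
        inc["last"] = ts
    return [_finish(inc) for incs in by_entity.values() for inc in incs]


if __name__ == "__main__":
    for inc in sorted(correlate(EVENTS), key=lambda i: -i["priority"]):
        span = (inc["last"] - inc["first"]).days
        print(f"{inc['entity']}: priority {inc['priority']} (best single alert "
              f"{inc['max_single']}), chain {inc['chain']}, spans {span} days")
```

For host-17 the three alerts, which individually rate at most 4, become one incident of priority 14 spanning 74 days. For host-99 the early indicator is nine months before the leakage, outside the 90-day window, so it is left as two separate low-priority incidents; widening the window (or retaining more history) is exactly the trade-off between lean, fast stores and long look-backs that the paragraph describes.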

"Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time," said Mr. Ahlm. "Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualization of that data will greatly affect adoption of the technology."

Additional information is provided in the Gartner report "Market Trends: Security Analytics — A New Hope for Security, or Just Hype?" The report is available on Gartner's website at

Additional details on business disruption attacks will be discussed at the Gartner Security & Risk Management Summits taking place June 8-11 in National Harbor, Maryland; July 13 - 15 in Tokyo; August 10-11 in Sao Paulo; August 24-25 in Sydney, Australia, and September 14-15 in London, U.K.

Members of the media can register for press passes to the Summits by contacting (U.S.), (Sao Paulo), (Sydney) and (London).

Information from the Gartner Security & Risk Management Summits 2015 will be shared on Twitter at using #GartnerSEC.

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. The company delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in approximately 10,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 8,300 associates, including more than 1,800 research analysts and consultants, and clients in more than 90 countries. For more information, visit
