Understanding Process Variants in Security Process Mining

In security process mining, we trace the path of processes through what are known as "variants." These variants represent the unique events within a process. Just as individuals often take the same path repeatedly, common variants are frequently repeated in processes, while uncommon variants are akin to rarely taken routes.

Before we explore the role variants play in security processes, let’s first establish a few core definitions regarding variants in process mining.

What Are Process Variants?

Process mining tools correlate timestamps and identifiers for each process occurrence to create a process map. This is collectively known as a process "variant."

For example, consider the ideal flow for vulnerability management, where all steps must be followed precisely and sequentially. This ideal flow is often referred to as the "desired variant." That is defined as a process flow that is expected or desired to be followed consistently.

Desired variants typically are:

• Consistent
• Efficient
• Contain minimal steps
• Easily repeatable
• Free of bottlenecks

Following a “desired variant” can help organizations maintain quality and accuracy, and ensure efficient and reliable processes.

Navigating Paradoxes: Tools, Errors, and Unresolved Outcomes

In reality, processes evolve, introducing the opportunity for unplanned variants to enter established processes. Some of these variants bring undesired outcomes, such as unresolved vulnerabilities. Surprisingly, even error-free tool usage might not guarantee the consistent achievement of desired outcomes.

Here’s one example: A systems’ scanning tools uncover vulnerabilities, tickets are correctly created and assigned, and the development platform registers all code pushes.

So why do the vulnerabilities persist? Perhaps the fixes are being built, but deployments of them are failing or are awaiting approval from a business unit. This happens even in well-defined processes.

Consistency Challenges: Man v Machine and Tolerance

Human errors, system preferences, and biases of both man and machine can compromise consistency, providing a breeding ground for vulnerabilities and variants. This is why tolerance exists within security operations.

“Tolerance,” as it pertains to variants, defines the acceptable range of deviations from the ideal process path. Imagine if every slight deviation triggered an alert - your SecOps team would spend their entire day chasing phantom problems. By establishing tolerances, alert overload is prevented while still safeguarding operations.

Variants exceeding established tolerance can often lead to unexpected delays, and sometimes even complete failure to meet objectives. Without visibility into the processes involved, it becomes impossible to measure system conformance, understand the reasons for inconsistent outcomes, and prevent them from happening again.

Stop Chasing Alerts, Start Reducing Costs

When your teams are free to stop chasing alert noise, they have more time to prioritize new security goals. Applying process mining to real-world security processes creates better insights. By quickly identifying variations in defined processes, unexpected delays and downtime in critical applications is prevented. The mined data gives teams the information they need to fix mistakes, and optimize system components for maximum efficiency.

More Free Resources

While many enterprises subscribe to the idea that more tools equates to more security, it’s the processes tying them together which have the most sway on positive security outcomes.

Aqsa Taylor, Director of Product Management at Gutsy, recently hosted a discussion about easier ways for organizations to achieve their desired outcomes with the tools and teams they already have in place. You can watch it on demand at this link.