
Why Classification Fails in Security Data Analytics


The critical shift from taxonomy to ontology in enterprise security data analytics

When we started building the Resolution Intelligence Cloud in 2018, one of the first major investments we made was in something that would never appear in a product demo: a comprehensive IT taxonomy covering every asset type, event type, and entity type relevant to enterprise security environments.

We spent years on this work. We brought in security practitioners with deep enterprise experience to validate the classifications. We tested it against customer environments that reliably produced edge cases we hadn't anticipated. We built a classification library that was genuinely valuable.

And then we realized it wasn't enough.


The Limits of Taxonomy

Taxonomy answers the question: what is this? It gives every asset and entity its proper place in a structured hierarchy. This is a production server. This is a privileged service account. This is a SaaS application. This is a contractor identity. The classification is precise and consistent, and it enables every downstream analytical process that needs to know what type of thing it is dealing with.

But taxonomy does not answer a different and equally important question: what does this mean in relation to everything else?

This is the question that ontology answers. An ontology is a formal representation of the relationships between classified entities - not just what things are, but how they connect, what they depend on, what they enable, and what their compromise or failure means for everything connected to them.

The difference in operational capability is absolute.


Meaning vs. Noise

With taxonomy alone, a security event tells you that a privileged service account performed an unusual authentication.

Traditional classification falls short here: taken in isolation, security data analytics can only flag this as a flat, disconnected data point. It may be significant or it may be routine. Without relationship context, you cannot tell. You are left guessing.

With ontology, the same event tells you that this specific privileged service account has access to twelve production systems, is used by a third-party managed service provider with remote access to your environment, has not previously authenticated outside business hours, and its access path leads directly to your financial data warehouse.

Now the anomaly has immediate structural meaning and threat context. The same event is potentially a significant early signal of a supply chain intrusion.

The ontology is what transforms the security data environment from a collection of classified objects into a model of the living system, a semantic map of how the enterprise's digital tone actually works, what its dependencies are, and where the significant exposures live.


The Hard Work of Relationships

At Netenrich, we built both engines. The security taxonomy engine classifies and organizes every entity at ingestion. The security ontology engine builds and continuously updates the semantic relationship model - connecting entities, mapping access relationships, tracking dependency chains, and flagging structural anomalies that the taxonomy alone could never surface.

Building the ontology engine was harder than building the taxonomy. Relationships are dynamic in ways that classifications are not. Access relationships change when roles change and projects end. System dependencies shift as applications are updated. The ontology has to be a living structure, continuously reconciled against what the environment actually shows, not a static document written at a point in time.

The investment is foundational. Every behavioral model, every graph traversal, every LLM-assisted investigation that draws on relationship context depends on the ontology being accurate and current. Get this right and every analytical capability built on top of it benefits. Get it wrong and everything downstream inherits the flaw.

Classification tells you what you have. Ontology tells you what it means. You need both.
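To make the contrast concrete, here is a small, self-contained Python illustration of the two layers described above: a taxonomy that labels each entity, and an ontology that records how entities relate, so the same off-hours authentication can be scored with relationship context. This is an added example written for this page, not Netenrich's Resolution Intelligence Cloud code; every entity name, relation type, authentication history and scoring weight in it is constructed sample data, and the graph would in practice be rebuilt continuously from live identity and asset inventory rather than hard-coded.

```python
"""Taxonomy vs. ontology on one security event.

Added, stand-alone illustration (not Netenrich product code). Entity names,
relation types, the authentication history and the scoring weights below are
all constructed sample data.
"""
from collections import deque

# Taxonomy layer: what each entity *is* (constructed).
ENTITY_TYPES = {
    "svc-backup-01": "privileged_service_account",
    "msp-remote-gw": "third_party_access_gateway",
    "app-prod-01": "production_server",
    "app-prod-02": "production_server",
    "db-prod-01": "production_server",
    "fin-dw": "financial_data_warehouse",
}

# Ontology layer: directed relationships (source, relation, target) (constructed).
RELATIONS = [
    ("msp-remote-gw", "operates", "svc-backup-01"),
    ("svc-backup-01", "has_access_to", "app-prod-01"),
    ("svc-backup-01", "has_access_to", "app-prod-02"),
    ("svc-backup-01", "has_access_to", "db-prod-01"),
    ("db-prod-01", "replicates_to", "fin-dw"),
]

# Constructed prior authentication hours (24h clock) for the account.
AUTH_HISTORY = {"svc-backup-01": [9, 10, 13, 14, 16, 17]}
BUSINESS_HOURS = range(8, 19)
CROWN_JEWELS = {"fin-dw"}


def build_graph(relations):
    """Adjacency lists with forward and reverse edges, each tagged by relation."""
    fwd, rev = {}, {}
    for src, rel, dst in relations:
        fwd.setdefault(src, []).append((rel, dst))
        rev.setdefault(dst, []).append((rel, src))
    return fwd, rev


def path_to(fwd, start, targets):
    """Breadth-first search; returns the shortest entity path into targets, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in targets and path[-1] != start:
            return path
        for _, nxt in fwd.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def reachable(fwd, start):
    """All entities reachable from start (transitive access / dependency)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for _, nxt in fwd.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def taxonomy_only(event):
    """What classification alone can say: the actor's type and that the hour is odd."""
    kind = ENTITY_TYPES.get(event["principal"], "unknown")
    off_hours = event["hour"] not in BUSINESS_HOURS
    return {"type": kind, "off_hours": off_hours, "verdict": "review"}


def with_ontology(event, fwd, rev):
    """Enrich the same event with relationship context and score it."""
    acct = event["principal"]
    ctx = taxonomy_only(event)
    reach = reachable(fwd, acct)
    ctx["production_systems"] = sorted(
        n for n in reach if ENTITY_TYPES.get(n) == "production_server")
    ctx["operated_by_third_party"] = any(
        ENTITY_TYPES.get(src) == "third_party_access_gateway"
        for rel, src in rev.get(acct, []) if rel == "operates")
    ctx["first_off_hours_auth"] = ctx["off_hours"] and all(
        h in BUSINESS_HOURS for h in AUTH_HISTORY.get(acct, []))
    ctx["path_to_crown_jewel"] = path_to(fwd, acct, CROWN_JEWELS)
    # Constructed weights: each structural fact raises the score.
    score = (2 * len(ctx["production_systems"])
             + 3 * ctx["operated_by_third_party"]
             + 3 * ctx["first_off_hours_auth"]
             + 5 * (ctx["path_to_crown_jewel"] is not None))
    ctx["score"] = score
    ctx["verdict"] = "escalate" if score >= 10 else "review"
    return ctx


if __name__ == "__main__":
    fwd, rev = build_graph(RELATIONS)
    event = {"principal": "svc-backup-01", "action": "auth", "hour": 3}
    print(taxonomy_only(event))   # type + off-hours flag, verdict "review"
    print(with_ontology(event, fwd, rev))  # reach, third-party operator, path, "escalate"
```

Run as a script, the taxonomy view of the 03:00 authentication can only say "privileged service account, off hours, review". The ontology view adds what the account can reach, that a third-party gateway operates it, that it has never authenticated off hours before, and the concrete path to the financial data warehouse, which is what turns the flat data point into a prioritized signal.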


*Part of my ongoing series on data science and the future of security operations.*

About the Author

Raju Chekuri

A serial Silicon Valley entrepreneur and technology leader, Raju founded Netenrich and leads the company as chairman, president and CEO. Previously, he founded Velio Communications, Inc., and led its acquisition by LSI Logic and Rambus. He also served as chairman of the board at OpsRamp before it was acquired by HPE. He currently serves as an investor and advisor at early-stage startups Two Brothers Organic Farms and the Department of Lore. Raju earned an MBA at St. Mary’s College of California and a Bachelor of Technology at Kakatiya University.
