Generally speaking IT security has revolved around known threats; somebody somewhere identifies a potential security problem, and CISOs scramble to make sure their respective networks are protected against it.
Nowadays, this approach just doesn’t work. The number of devices has increased exponentially; the volume, velocity, and variety of data have increased dramatically; and security managers find themselves needing to dig deeper into the network to protect mission-critical information from advanced targeted attacks.
This explains why a number of companies are embracing the chance to manage and analyze the big data these solutions collect. For many firms, analytics helps assess patterns and gain insights into the security events they are logging, tracking and recording by default. By delving into these data, companies are strengthening their security.
While there are no specific industry statistics that quantify this trend, Gartner’s Magic Quadrant report from May 2012 indicates that the market for Security Information Event Management (SIEM) technology—systems that automate a certain number of mission-critical analytics—is growing by about 15 percent annually.
“People behind the threats of today aren’t running around using hacker tools and leaving traces that are easily found,” said Richard Bejtlich, chief security officer (CSO) at Mandiant, an Alexandria, Va.-based information security vendor that specializes in assessing and addressing complex threats. “To stop them, you need to take a more audit-based approach.”
Analytics Support Network Oversight, Regulatory Compliance
There are a number of benefits to mining machine log data to lock down the network. Perhaps the biggest benefit: Closer, more proactive oversight.
Statistics from Mandiant indicate that 46 percent of compromised machines have no malware on them, meaning the threats are deeper in the network and therefore require more consistent scrutiny. With this approach, information security managers don’t have to wait for vendors to assess a threat; instead they can act independently and ask their data questions about the behaviors of systems that result in the unavailability of key business services.
Mark Seward, senior director for security and compliance product marketing at Splunk, a San Francisco company that offers systems to analyze machine generated data, said the right questions are everything. (See “Five Steps to Leverage Big Data for Security.”) Splunk counts Cars.com and Monster Worldwide among its security analytics users.
Seward added that while mining data in this fashion rarely remediates problems completely, the answers can help security managers determine which accounts are wreaking havoc so they can address the problems separately. “Security officials have gotten used to asking security vendors for the ‘Easy Button,’ but creative hackers have ensured that there never will be such a thing,” Seward said, referring to the meme that appears in a number of advertisements for the Staples office supply chain. “The creativity behind the different ways a company can leverage big data levels the playing field.”
Splunk tracks all types of machine data from both security and non-security sources. Security sources include anti-malware, intrusion detection, firewall, and data loss prevention systems. Non-security sources include endpoint logs, email servers, Web servers, Active Directory and other network resources.
Seward noted that once the data has been analyzed, readouts show security incidents aggregated by domain, product type and severity. “The anomalies are the things we look for as threats,” he said.
Another benefit: Compliance. By recording every bit and byte that is moved across the network, every action of every computer across the company, information security managers are compiling a bulletproof record of what they need to fulfill state and federal requirements for collecting and maintaining specific audit trails.
Bejtlich, the CSO at Mandiant, put it best when he said, “When you’re capturing data from everywhere, you’ve got records of everything at your disposal at all times.” He added that while most companies don’t need to access this information frequently, if at all, when they do—for any reason—it’s there.
A third benefit from this approach comes in the analytics themselves. Scott Paly, CEO of Global DataGuard, a security vendor in Dallas, noted that by analyzing data for vulnerabilities and previous breaches, companies can begin to learn about their network, eventually predicting a certain number of attacks before they occur.
The company offers Adaptive Predictive Packet Analysis to monitor all communications inside a network in real-time; according to Paly, over the course of millions of processes, the absence of a valid prediction indicates something hostile. “The more you investigate the data, the more you learn,” he said. “Once you’ve learned what’s normal, you can predict it in the future, and if it deviates, you know you’ve got a problem.”
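As an added illustration of the idea Paly describes (learn what is normal, then flag deviations) and of the per-host readouts Seward mentions, here is a small baseline-and-deviation check run over constructed log lines; it is not code from Global DataGuard, Splunk or the article. The log format, the three-sigma rule and the `min_excess` floor are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window: outbound connection counts per host per hour
BASELINE_LOG = """\
web01 h00 outbound_conns=38
web01 h01 outbound_conns=41
web01 h02 outbound_conns=40
web01 h03 outbound_conns=37
db01 h00 outbound_conns=5
db01 h01 outbound_conns=4
db01 h02 outbound_conns=6
db01 h03 outbound_conns=5
"""

# Constructed observation window: db01 suddenly opens far more connections,
# and app01 was never seen during the learning window
OBSERVED_LOG = """\
web01 h04 outbound_conns=40
db01 h04 outbound_conns=120
app01 h04 outbound_conns=3
"""

def parse(log):
    """Yield (host, hour, count) from 'host hour outbound_conns=N' lines."""
    for line in log.splitlines():
        host, hour, kv = line.split()
        yield host, hour, int(kv.split("=", 1)[1])

def learn_baseline(log):
    """Per-host mean and standard deviation of the hourly count: 'what's normal'."""
    counts = defaultdict(list)
    for host, _hour, n in parse(log):
        counts[host].append(n)
    return {h: (mean(v), pstdev(v)) for h, v in counts.items()}

def find_deviations(baseline, log, sigma=3.0, min_excess=10):
    """Flag hosts whose observed count exceeds mean + sigma*stddev (assumed rule)."""
    alerts = []
    for host, hour, n in parse(log):
        if host not in baseline:  # unknown host: no prediction is possible
            alerts.append((host, hour, n, "no baseline"))
            continue
        mu, sd = baseline[host]
        # min_excess is an assumed floor so near-constant baselines don't alert on noise
        threshold = mu + max(sigma * sd, min_excess)
        if n > threshold:
            alerts.append((host, hour, n, f"expected ~{mu:.0f}"))
    return alerts
```

Hosts with a stable history and an in-range count (web01) produce nothing; a spike on db01 and a host with no history both surface for analyst review.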
Challenges with the Big Data Approach
Despite these benefits, there still are big challenges with embracing a big data approach.
“[Most] companies apply lots of small patch or point solutions to their network hoping to prevent leaking,” said Sridhar Karnam, director of product marketing for enterprise security at HP, which offers the ArcSight Security Intelligence SIEM system used by companies in a range of industries, including financial services, government, health care and manufacturing. “[They] treat security as a checkbox solution as opposed to a strategy.”
Naturally, this take is short-sighted. A recent HP study of CISOs showed that one out of every two companies will be breached in 18 months. What’s more, according to “The Cost of Cyber Crime 2012,” an annual study conducted by the Ponemon Institute and sponsored by HP, responding to a typical breach takes 24 days for a company without such tools.
A second challenge is storage. Especially with large networks, the process of storing data recorded from every single log and every single device or application can be a Herculean undertaking. Many companies outsource this storage to companies like Splunk. Others keep the data on-site, socking away terabytes in the event that they ever need to run tests.
Analytics to Anticipate Threats
Because analytics help information security teams look at patterns of activity rather than prepare for a specific threat, they should play a role going forward.
Paly of Global DataGuard suggested that hackers likely will become more sophisticated, figuring out ways around SIEM systems, adding that this dynamic would reiterate the need for adaptive and predictive analysis of machine log data for threats. “It’s hard to know what you don’t know,” he said.
Neil MacDonald, an analyst with Gartner, agreed, noting in a March 2012 report that “the end goal is improved, risk-based information security decision making based on prioritized, actionable insight derived from the data.”
MacDonald went so far as to predict that a new role for “security data scientist” will emerge in many enterprises over the next few years. Only time will tell.