There has been a significant amount of talk about big data lately in the media, particularly at the RSA security conference. However, many people are still unclear as to what constitutes big data and, furthermore, what its implications are for us as security professionals. Within this brief article, I shall try to address both these points.
First, let’s look at what big data is. According to the EMC / IDC definition, it is a new generation of technologies and architectures, designed to economically extract value from very large volumes of a wide variety of data, by enabling high-velocity capture, discovery and/or analysis. IBM says that “three characteristics define big data”, namely Volume (terabytes to zettabytes), Variety (structured, semi-structured and unstructured) and Velocity (batch through to streaming data).
So, having looked at what constitutes big data, let’s look at its implications for us as security professionals. The first is its ability to aid in the timely detection of security events. With dissolving security boundaries and more sophisticated adversaries, the threat landscape is ever expanding, and we can no longer rely solely on security information from traditional sources such as network logs, SIEM alerts and application access control records. It is becoming increasingly necessary to couple this information with other sources to get a truer and timelier picture of security threats. These sources should include external ones such as social media sites, threat intelligence feeds and website clickstreams, as well as contextual information about the business and its own assets.
By incorporating this big data into security programmes, organisations gain richer context for assessing risk and for learning what is ‘normal’ for a particular user, group, business process or computing environment. As organisations develop fuller, more nuanced profiles of both systems and users, security teams can better spot aberrant activity or behaviour, which often indicates a problem. This analysis promises to give companies a full picture of who is coming into their network and who is talking to whom, and to surface anomalies or atypical user behaviour while they are still actionable.
Big data analytics is likely to have an impact on the following key security areas:
• Security management – the convergence of SIEM, network monitoring capabilities and external threat intelligence will create a security analytics platform capable of massive and diverse real-time data collection and threat analysis. This convergence creates a unified security management system that can assimilate all information that could possibly inform security, allowing analysts to detect threats in near real time and respond to them before they do too much damage.
• Identity and access management (IAM) – next-generation tools will enable risk-based, adaptive identity controls that continuously evaluate and adjust the level of protection and access based on asset criticality and risk. By enabling situation-aware IAM, such tools provide continuous risk assessment of user activity, especially when sensitive resources are accessed, even after initial authentication. Profiles are built from historical behaviour, establishing what normal looks like for each user and alerting on any deviation from it. Provisioning of access is then done on demand and enforced on the fly, based on accepted and expected user behaviour and system-enforced rules.
• Fraud prevention – this is possibly the most mature example of big data analysis at present. It involves analysing massive amounts of behavioural data and other diverse indicators to distinguish between malicious and legitimate business activity. Activities that do not follow the normal pattern are highlighted for follow-up and possibly stopped from progressing. The credit card fraud prevention system Falcon is a good example of this.
• Governance, risk and compliance (GRC) – as the scope of GRC programmes grows, the amount of data that such systems need to handle will grow with it. GRC platforms will need to analyse this big data to provide real-time access to the entirety of the information relevant to understanding business risk and prioritising security activities. These programmes will help identify assets, their criticality and the threats to them, and allow organisations to act more quickly and in a more informed manner to mitigate those threats.
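The baseline-and-deviation idea that runs through the security management, IAM and fraud prevention points above can be shown in a few dozen lines. The following is an added example written for this article; it is not code from the RSA brief or from any product mentioned. It builds a per-user profile (countries, source addresses and login hours) from constructed authentication log lines, scores new logins against that profile and against a constructed threat-intelligence list, and maps the score to an adaptive access decision. The log format, the user names and addresses, the scoring weights and the decision thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed "normal" login history for two users (made-up data).
# Assumed line format: "<ISO timestamp> <user> <source ip> <country> <result>".
BASELINE_LOGS = [
    "2013-01-07T08:55:12 alice 10.1.4.22 GB success",
    "2013-01-08T09:02:40 alice 10.1.4.22 GB success",
    "2013-01-09T08:47:03 alice 10.1.4.25 GB success",
    "2013-01-10T17:30:11 alice 10.1.4.22 GB success",
    "2013-01-07T22:10:05 bob 10.2.7.9 US success",
    "2013-01-08T23:45:50 bob 10.2.7.9 US success",
    "2013-01-09T21:58:19 bob 10.2.7.11 US success",
]

# Constructed external threat-intelligence feed: addresses reported as hostile.
THREAT_INTEL_IPS = {"198.51.100.77", "203.0.113.5"}

# Constructed logins to be assessed against the baseline.
NEW_LOGS = [
    "2013-02-01T09:05:33 alice 10.1.4.22 GB success",     # matches her profile
    "2013-02-01T03:12:09 alice 203.0.113.5 RU success",   # new country, new ip, odd hour, intel hit
    "2013-02-01T22:20:41 bob 10.2.7.30 US success",       # only the source ip is new
    "2013-02-01T14:00:00 carol 10.3.1.1 GB success",      # user with no history
]


def parse(line):
    """Split one log line into a dict; the field order is the assumed format above."""
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "country": country, "result": result}


def build_baseline(lines):
    """Per-user profile of countries, source addresses and hours seen on successful logins."""
    profile = defaultdict(lambda: {"countries": set(), "ips": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        p = profile[ev["user"]]
        p["countries"].add(ev["country"])
        p["ips"].add(ev["ip"])
        p["hours"].add(ev["ts"].hour)
    return profile


def hour_is_typical(hour, seen_hours, tolerance=2):
    """True if the hour is within `tolerance` hours (wrapping at midnight) of any baseline hour."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in seen_hours)


def score_event(ev, profile, intel):
    """Return (score, reasons). Weights are illustrative assumptions, not tuned values."""
    reasons = []
    p = profile.get(ev["user"])
    if p is None:
        score = 2                       # no history at all is itself a medium risk
        reasons.append("no baseline for user")
    else:
        score = 0
        if ev["country"] not in p["countries"]:
            score += 2
            reasons.append(f"new country {ev['country']}")
        if ev["ip"] not in p["ips"]:
            score += 1
            reasons.append(f"new source ip {ev['ip']}")
        if not hour_is_typical(ev["ts"].hour, p["hours"]):
            score += 1
            reasons.append(f"unusual hour {ev['ts'].hour:02d}")
    if ev["ip"] in intel:               # external context on top of the internal profile
        score += 3
        reasons.append("source ip on threat intel feed")
    return score, reasons


def decide(score):
    """Adaptive IAM decision; thresholds are assumed for the example."""
    if score >= 4:
        return "block"
    if score >= 2:
        return "step-up"                # e.g. demand a second factor before granting access
    return "allow"


def analyse(lines, profile, intel):
    """Score every new login and attach the decision and the reasons behind it."""
    results = []
    for ev in map(parse, lines):
        score, reasons = score_event(ev, profile, intel)
        results.append({"user": ev["user"], "ip": ev["ip"], "score": score,
                        "decision": decide(score), "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in analyse(NEW_LOGS, build_baseline(BASELINE_LOGS), THREAT_INTEL_IPS):
        print(f"{r['user']:6} {r['ip']:14} score={r['score']} {r['decision']:8} {'; '.join(r['reasons'])}")
```

The point of keeping the reasons alongside the score is the one made under GRC: an analyst following up on a "step-up" or "block" needs to see which combination of internal deviation and external intelligence produced it, otherwise the platform is just another alert source.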
In order to build a big data security programme, the following steps are necessary:
• Set a holistic security strategy – prepare a security programme that addresses your organisation’s unique security risks, threats and requirements, and make big data analytics a part of that strategy.
• Establish a shared data architecture for security information – since big data analytics requires information to be collected from many sources in many formats, a single architecture is required that allows all of it to be captured, indexed, normalised, analysed and shared.
• Migrate from point products to a unified security architecture – a unified security analytics framework is required, and care should be taken to ensure that security products can be integrated within it. If a product does not allow this easily, consider discontinuing it, as it may otherwise become a blind spot.
• Look for open and scalable big data security tools – use tools and technologies that favour agile, analytics-based approaches over static tools built around threat signatures or network boundaries. Big-data-ready tools should offer the architectural flexibility to change as the business, IT or threat landscape changes.
• Strengthen the SOC’s data analytics skills – ensure that SOC staff have the capability to develop analytical models that detect, and even prevent, illicit activity.
• Leverage external threat intelligence – augment internal security analytics with external threat intelligence to provide a fuller picture of the threat landscape and enhance the ability to detect and prevent attacks.
I have spent the bulk of this article talking about the application of big data analytics to the cyber security field. Let’s not forget that organisations are increasingly using big data analytics techniques to analyse business data to find previously unseen trends. These trends then allow businesses to make more informed decisions and choices, for example by targeting existing customers with new products based on usage patterns revealed by their consumption of existing products.
Just as any business data requires protection, so does big data. The complexity here is the volume and variety of the data itself. Since much of this data is likely to be unstructured and stored in various locations, pinpointing it, classifying it and protecting it becomes difficult. In this instance, the best approach is to go back to first principles and protect any business-related data with well-established internal security standards. Without this in place, the input data and the resulting conclusions can be severely skewed or incorrect, or worse, can fall into the wrong hands. It is also worth noting that this protection needs to be applied to security data as well: if its integrity and chain of custody cannot be shown, you may end up unable to detect incidents or to use the data in a court of law for prosecution purposes.
Big data presents new and exciting opportunities for businesses in both the cyber security and business analytics spaces. Its proper use and its protection are both paramount if organisations are to get the best out of big data analytics.
Reference: Big Data Fuels Intelligence-Driven Security, RSA Security Brief, January 2013.