A visualisation tool for big-data analysis is helping security administrators drill down to isolate potential security threats, after security vendor Watchguard this week released a cloud-based security-intelligence tool designed for easy deployment by enterprises and managed service providers.
Created to help make sense of a mountain of logging and security event data, the company's Dimension application is the latest in a string of security tools designed to extract new insight from large volumes of aggregate data.
"Up to this point, the industry has kept logging and reporting as two very separate systems that require their own expertise and mastery to get going," Watchguard A/NZ country manager Pat Devlin told CSO Australia.
"People have been telling us it's difficult to manage log data on security devices, with too many logs coming through and no real business intelligence capabilities for them. And smaller companies often have the exact opposite issue: they don't know if they should be storing logs, then they have an incident and need to go back and do some forensic analysis. It's too late to want logs after the fact."
Positioning its new tool as an add-on for its established base of managed service provider (MSP) partners – as well as customers using its universal threat management (UTM) security tools – Watchguard has bundled Dimension as a virtual machine that can be quickly run up inside Amazon Web Services or other virtual-server hosting environments.
This architecture not only allows for easy local and remote access, but reduces the burden on local storage by allowing an ever-expanding amount of log data to be stored directly in the cloud, Devlin pointed out.
"It's independent of the SAN, so you can allocate as much space as you need to," he said. "And it makes it very easy for managed service partners to offer it as a service – having an offsite login server, generating automated reports, and being able to immediately drill in and analyse what's going on. This is a huge bonus for companies offering security as a service, who mostly just cobble together something on their own."
Better visibility of usage logs isn't just about spotting bandwidth hogs or security incursions: one Australian school has, Devlin said, already used the platform's improved visibility to cost-justify an investment in additional bandwidth after it became clear that large volumes of regular Windows and application updates had increased the school's bandwidth baseline significantly.
A range of views inside the app groups IP data requests by domain, source, protocol, destination and other attributes to help identify large users of bandwidth, resource-consuming applications, and more. Dashboard views show potentially unwanted sites that have been filtered by the UTM engine, top sources and destinations of traffic, and other summaries designed to facilitate the process of spotting and investigating anomalous network behaviour.
Automatic mapping to usernames (via Active Directory integration) or onto geographical sources facilitates security investigations by, for example, isolating all traffic to domains located in countries that aren't normally contacted. Questionable domains can be geoblocked within the Watchguard framework, which is also able to analyse data from other security tools after pulling it into the appliances using existing integration capabilities.
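The grouping and geo-isolation described above, as an added illustration that is not Dimension's code or WatchGuard's log format: the log lines, the IP-to-country table standing in for a GeoIP database, and the IP-to-username table standing in for the Active Directory lookup are all constructed for this example. It totals bytes per attribute (domain, source, destination, protocol) and surfaces traffic to countries outside an assumed baseline, keyed by username so an analyst can drill straight to the host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real WatchGuard output); key=value fields.
SAMPLE_LOGS = """\
src=10.0.1.15 dst=203.0.113.10 proto=tcp/443 domain=update.example.com bytes=52000000
src=10.0.1.15 dst=203.0.113.10 proto=tcp/443 domain=update.example.com bytes=48000000
src=10.0.1.22 dst=198.51.100.7 proto=tcp/443 domain=cdn.example.net bytes=900000
src=10.0.1.40 dst=192.0.2.55 proto=tcp/8443 domain=unknown-host.example.org bytes=12000
src=10.0.1.40 dst=192.0.2.55 proto=tcp/8443 domain=unknown-host.example.org bytes=15000
""".splitlines()

# Hypothetical IP-to-country lookup standing in for a GeoIP database (assumption).
GEO = {"203.0.113.10": "AU", "198.51.100.7": "US", "192.0.2.55": "ZZ"}
# Hypothetical Active Directory mapping of internal source IP to username (assumption).
USERS = {"10.0.1.15": "wsus-server", "10.0.1.22": "jsmith", "10.0.1.40": "lab-pc-07"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) domain=(\S+) bytes=(\d+)")

def parse(lines):
    """Parse key=value log lines into dicts; lines that don't match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            src, dst, proto, domain, nbytes = m.groups()
            records.append({"src": src, "dst": dst, "proto": proto,
                            "domain": domain, "bytes": int(nbytes)})
    return records

def bytes_by(records, field):
    """Total bytes grouped by one attribute (domain, src, dst or proto), largest first."""
    totals = Counter()
    for r in records:
        totals[r[field]] += r["bytes"]
    return totals.most_common()

def unusual_countries(records, baseline):
    """Map each destination to a country and return bytes sent to countries outside
    the baseline, keyed by (username, destination IP, country)."""
    hits = defaultdict(int)
    for r in records:
        country = GEO.get(r["dst"], "??")   # unknown destinations are also surfaced
        if country not in baseline:
            user = USERS.get(r["src"], r["src"])
            hits[(user, r["dst"], country)] += r["bytes"]
    return dict(hits)
```

In practice the baseline set would be derived from the same aggregate data over a trailing window rather than hard-coded, so that a country only appears as unusual relative to what the network normally contacts.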