Can Big Data transform the security landscape the way it is transforming other sectors such as healthcare, retail and education? Experts believe Big Data will have a transformative effect on security, given the sheer volume and complexity of information that security analysts collect from a myriad of tools and event management systems. Most information security departments have to grapple with huge amounts of data collected from a variety of servers, workstations, firewalls, intrusion detection systems and anti-virus software.
The findings of new American research from the Enterprise Strategy Group (ESG), sponsored by Symantec, underline the challenges that the growing volume of data poses to security teams. Companies are collecting far more data than they did two years ago, predominantly to detect advanced threats and analyze security incidents, as well as to meet audit and compliance targets. ESG data indicates that large organizations are collecting more disparate data feeds, keeping this data online for longer periods of time, and using the data for more types of security analysis and investigations. In spite of all this, internal data collection and analysis is no longer enough.
“Large organizations are collecting, processing, storing, and analyzing more and more data in order to address the threat landscape and keep up with changes to the IT infrastructure. As an example, ESG found that 76 percent of enterprises collect data on user activity, 75 percent collect firewall log data, and 74 percent collect data on physical security activity within their organizations,” points out Anand Naik, Managing Director - Sales, India & SAARC, Symantec.
In this ‘sea’ of data, it is extremely challenging for security professionals to pick out real threats. Current security tools are not equipped to detect and prevent sophisticated threats. “Current security solutions rely upon perimeter defense and focus largely on blocking attacks. Traditional security technologies lack the sophisticated capabilities and visibility required to detect and protect against such attacks. At best, they solve a single facet of the problem,” opines Vaidyanathan R Iyer, Business Unit Executive, Security Solutions, IBM India/SA.
With the convergence of technologies like mobile, social and cloud, threats have accelerated to a different level, with an exponential increase in volume and complexity. Mobile malware threats in particular have risen to a new level. “With the use of many Android devices, many malicious applications have started dwelling in the mobile phone space. This is a huge concern for organizations when they see such devices accessing the corporate network,” says Amit Nath, Country Manager, India and SAARC, Trend Micro.
This was also highlighted by security vendor F-Secure, which recently warned that the number of mobile threats increased by nearly 50 percent during the first three months of 2013. Threats have also become more personalized and sophisticated, making their detection extremely difficult. “Each threat is more targeted than before, which means there are very few samples in the wild. This helps evade detection through the traditional fingerprinting method. These complex, multi-vector attacks present CISOs with the challenge of not only knowing what the malware is but all its characteristics, such as where did it get in from, is it still on the network, what is its objective? Finding such answers may be like looking for needles in haystacks, but in this world of compressed margins and efficiency savings it will be insight, not information, that means power,” explains Naik of Symantec.
THE IMPORTANCE OF CONTEXT
To prevent emerging threats, security tools have to go beyond blocking and piece together different sets of information drawn from different events. For example, it is essential today for event collection programs to go beyond firewall and IDS events and add context.
“Identifying anomalous sequences of events at all layers of the stack is not enough. Understanding anomalous activity requires an understanding of the context — the “who, what and why”. For example, when valuable data is in play by a user who typically does not access that data and is using an unrecognized application on a mobile device that does not have monitoring software on it and recently communicated with an external server that is known to host malware — that’s really important. But without context, it looks like a user ID is accessing a file. These contextual elements are constantly changing, and this requires a new approach for ensuring their collection,” states Srinivasa Boggaram, SE Team Lead - India, McAfee, emphasizing the importance of context in security.
Big Data, hence, is both a challenge and an opportunity. Boggaram of McAfee sums this up well when he says, “As security needs have evolved, so has the need for context, analytics and the time period for which data must be stored. That’s why security today is facing both a big security data challenge and opportunity. It is an opportunity if an organization can collect all this data, intelligently manage and analyze it, and leverage it for investigations. It is also a challenge as most traditional analytic tools today are unable to collect and manage all the contextual data required. The data load and the analytics pressure have grown beyond what these data management systems can handle.”
Boggaram says that a traditional analytics tool can take into account only conventional context information: network flow, user identity, location and the like. But this is not enough to understand what is going on. “It gets compelling when we add content. What data was moving? How were applications affected? What databases were targeted? This is where we get a strong understanding of not only what is going on, but what was exfiltrated from our environment. This is a grand concept for most analytic tools, but more is expected from our environment and bringing in dynamic content. Dynamic content is the ability to understand the changing world that is the threat landscape, the changing risk posture, which encompasses an organization’s IT environment.”
Big Data security analytics can help provide this context by analyzing huge volumes of network traffic, understanding the relationships between multiple events and combining this information to prevent an attack from taking place. For example, seemingly innocent actions, such as sending or accessing files at unusual times or from unknown locations and devices, can be pieced together into an understanding of a threat.
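As an added illustration, not taken from the article or from any vendor quoted in it, the Python below shows how the contextual signals Boggaram describes (an unusual user, an unrecognized application, an unmonitored device, recent contact with a known malware host) turn the bare "user ID is accessing a file" record into an alert when correlated, as this paragraph argues. All context feeds, user names, device names and hosts are constructed placeholders.

```python
from collections import namedtuple

# Constructed sample context feeds (not from the article), standing in for the
# sources the text names: user baselines, device inventory, app list, threat intel.
USER_BASELINE = {"alice": {"finance/q3_forecast.xlsx"}, "bob": {"hr/handbook.pdf"}}
MONITORED_DEVICES = {"laptop-0017"}            # devices carrying monitoring software
KNOWN_APPS = {"excel", "acrobat"}
MALWARE_HOSTS = {"c2.example.invalid"}         # placeholder for a threat-intel feed
RECENT_CONNECTIONS = {"tablet-0042": {"c2.example.invalid"},
                      "laptop-0017": {"updates.example.invalid"}}
SENSITIVE_PREFIX = "finance/"

# A bare access record: the "user ID is accessing a file" view the text describes.
FileAccess = namedtuple("FileAccess", "user path device app")
# Each signal alone looks benign; the weights make the combination stand out.
WEIGHTS = {
    "unusual access to sensitive data": 3,
    "unrecognized application": 2,
    "device without monitoring agent": 2,
    "device recently contacted known malware host": 4,
}
ALERT_THRESHOLD = 7

def enrich(ev):
    """Attach the who/what/why context that the bare record lacks."""
    signals = []
    if ev.path.startswith(SENSITIVE_PREFIX) and ev.path not in USER_BASELINE.get(ev.user, set()):
        signals.append("unusual access to sensitive data")
    if ev.app not in KNOWN_APPS:
        signals.append("unrecognized application")
    if ev.device not in MONITORED_DEVICES:
        signals.append("device without monitoring agent")
    if MALWARE_HOSTS & RECENT_CONNECTIONS.get(ev.device, set()):
        signals.append("device recently contacted known malware host")
    return signals

def risk_score(ev):
    """Sum of weights for the contextual signals attached to one event."""
    return sum(WEIGHTS[s] for s in enrich(ev))

def triage(events):
    """Keep only events whose combined context crosses the alert threshold."""
    return [(ev, risk_score(ev)) for ev in events if risk_score(ev) >= ALERT_THRESHOLD]

if __name__ == "__main__":
    # Constructed events: a routine access and the scenario described in the text.
    events = [FileAccess("alice", "finance/q3_forecast.xlsx", "laptop-0017", "excel"),
              FileAccess("bob", "finance/q3_forecast.xlsx", "tablet-0042", "fileshare-lite")]
    for ev, score in triage(events):
        print(f"ALERT score={score} user={ev.user} path={ev.path}: {', '.join(enrich(ev))}")
```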
Agrees Kartik Shahani, Country Manager, RSA India, “The integration of proven Big Data platforms and analytic methods into security tools provides a significant advancement to how security is performed. Big Data security analytics for real-time risk management will provide continuous monitoring for situational awareness, rogue assets, configuration management, and vulnerability detection while asymmetric Big Data security analytics for risk management will be used for risk management planning, scoring, and investment decisions. Organizations can use asymmetric Big Data security analytics to develop risk scores that help them better focus resources, investments, and security priorities to where they are needed the most.”
Big Data security analytics can provide CISOs with real-time security intelligence and situational awareness across all layers of the technology stack. This addresses a massive gap in the way security systems analyze threats today.