Information security has long been a profession with a keen focus on preventative controls. However, with the cyberthreat becoming increasingly complex, I believe most information security functions need to adopt a control posture that includes sophisticated rapid detection and response capabilities, in addition to preventative controls in order to continue to effectively mitigate risk. This requires harnessing the power of analytics to turn data into intelligence (detection) in order to take rapid action (response). Enter the era of big data security analytics and data-driven security.
To illustrate this point, I’d like to contrast a traditional preventative information security practice to bank branch security. If information security professionals were to secure a branch using a preventative control mindset, the controls might look like this:
Armed guards at every known entrance to the building (firewalls);
Frisking procedures for anyone entering the building (virus scanning);
Blocking access to anyone who can’t clearly state why they want to enter the building (firewall rules); and
Once inside, armed guards continue to probe for appropriate conduct (data loss prevention (DLP)).
Clearly, a bank that adopts these security procedures for their branches might not have many customers visiting their branches.
Executive Vice President and Chief Information Security Officer
Oversees fraud, security analytics and forensics, information security, physical security, corporate investigations, technology and operations risk, and business resiliency objectives for eight banks in eight high-growth Western markets.
More than 15 years of hands-on experience as an IT, security and risk capacity.
Served in multiple leadership and staff capacities throughout his career, giving him a unique blend of skills, combining real-world business and technology experience with a keen understanding of security and risk management.
In order for a bank branch to operate as intended, a particular risk needs to be recognized; people need to enter the branch to conduct business. The problem is, we don’t know if these people are honest law-abiding customers or criminals intending to steal from us. In order to mitigate risk for the branch without inconveniencing customers, we focus equally on prevention, detection and response controls (video surveillance, employee response procedures, rapid law enforcement involvement, etc.). These types of controls help keep risk at an acceptable level.
Like an unknown threat entering a bank branch, it is difficult to quickly determine the threat and mitigate risk to information systems without adopting sophisticated rapid detection and response capabilities and a more data-driven approach to decision making.
We started down our big data journey of becoming a data-driven security organization many years ago when we realized our security information and event management security information and event management (SIEM) platform was underperforming, and ultimately not helping us truly analyze the data we were capturing. Rather than continue to support a platform that didn’t allow us to become more data-driven, we recognized that in order to capture, retain and analyze data we needed to invest in an infrastructure much more akin to business intelligence technologies than traditional security technologies. Over the past six years we have invested in people with the skills to analyze data and the technologies with the scale and performance to adequately handle the massive amounts of data necessary for robust security analytics. This has resulted in what we like to call our security data warehouse.
The core of our security data warehouse is Hadoop, but it is not the sole technology that makes up our analytic capabilities. The security data warehouse is more of an ecosystem of technologies assembled in a way that allows us to store massive amounts of varying data, quickly access this data for analysis, and turn the analysis into actionable intelligence. Fortunately, technologies are now being made available for organizations to create their own security analytics ecosystem.
Having the technology in place to leverage big data for security is only part of the equation—it is equally important to have people with the skill set to conduct analysis. No tool is going to magically turn data into intelligence; it takes people with inquisitive minds and data analytics skill sets to make connections between varieties of data points.
Unfortunately, because the industry has focused so long on preventative control solutions (and often commercial off-the-shelf preventative solutions), I believe there will be a relearning for security professionals in order to be more data-driven. This relearning will require that security professionals start asking questions of their data and develop more data analytic skills.
I believe we are on the edge of an exciting new era for the information security field, an era in which organizations have the ability to analyze internal and external data and turn it into actionable intelligence. Those who choose to adopt a data-driven direction will be able to better rationalize their control costs, blend quantitative and qualitative decision making for improved risk management, and ultimately gain a much-needed edge in our rapidly changing information economy.
Information Security's 2012 Security 7 winners:
Dig Deeper on Network Intrusion Detection and Analysis