BOSTON -- Big data security analytics could revolutionize enterprise information security, according to one former...
CISO. While the benefits for an organization can extend beyond infosec, convincing executives to buy in can be a challenge.
Wednesday at the 2015 SecureWorld conference, Demetrios "Laz" Lazarikos, IT security researcher and strategist for Los Angeles-based Blue Lava Consulting LLC, recounted his time working as the chief information security officer for the online division of retail giant Sears Inc., where he implemented a threat detection system using big data security analytics.
Lazarikos said Sears built a security data correlation and risk engine and had all of its data routed into a single security big data system, including behavior analytics, cyberthreat intelligence, geographic intelligence and other alerts.
The system was rolled out in three phases, beginning with a small environment to learn how the system would react. Phase two included defining and classifying alerts, creating SOPs for those alerts, integrating the system with the operations dashboard, and training operations on how to use the system. Phase three put the system into full operation with more data sources added, advanced alerts using correlation and trends implemented, and more infrastructure operations analysts trained.
Once fully implemented, Lazarikos said, the platform yielded impressive results. Before implementing the big data system, it would take 10 people 12 hours to research each alert to determine what had actually happened, but after the system was in place, that same process took two people just 10 minutes per alert.
Lazarikos described a number of surprising findings from the data, including the realization that if searches for women's shoes or clothing were originating from more than three different source countries at the same time, it was an indicator that a DDoS attack was in the works. The analytics also helped Sears learn that bots can fill out loyalty program sign-up forms in milliseconds rather than the few minutes it would take a human, another indicator of malicious activity.
Each of these scenarios highlighted one of the biggest lessons learned from the new platform, namely how much the information security team's activities overlapped with those of the fraud team; each attack scenario might begin as a security issue, but if successful, it would often cross over to become an incident for the fraud group.
Getting executive buy-in for security big data analytics
Lazarikos noted that a top priority in putting his security big data analytics platform in place was getting the board and executives to agree.
Lazarikos explained that his strategy for getting executive buy-in for his security big data analytics implementation included writing reports that explained all of the concepts in business terms, being comprehensive with exposure risk compared to protection strength, and explaining all vulnerabilities in terms of the dollar value that each could cost the organization. On top of all that, he added, a little bit of public shaming helped to move things along.
"If you 'cc:' everyone involved with IT audit," said Lazarikos, "it makes it much harder for execs to ignore a potential threat."
SecureWorld attendee Brian Carey, manager of information security at Waltham, Mass.-based cement wholesaler Holcim US Inc., was impressed with the presentation and the potential of the big data system that Lazarikos described, but had trouble connecting what the platform could do with the budget and resource constraints of smaller companies like his.
"The concepts are great," said Carey, "but this seems far too big for many organizations. When you have a small team and limited budget, it can be difficult to get past being reactive to breaches and become more proactive.
"All infosec programs follow the same sort of intelligence," Carey added. "The hard thing with any of these programs is what's the first step. I wouldn't even know where to start."
Carey agreed that the platform described by Lazarikos could be valuable for large retailers, and said it would be surprising if companies like Target Inc. or The TJX Companies Inc. didn't implement something like this. However, he thought smaller companies should focus more on sharing threat intelligence.
"The community is how we can get better, by picking each other's brains, realizing that we all face the same threats and breaches, and sharing how we took on similar problems," Carey said. "If we live in the bubbles of our own companies, we'll never get anywhere."
Learn more about the new era of big data security analytics.