Is there an industry -- outside of maybe professional baseball -- with more buzzwords, analogies and acronyms than IT? Security plays along especially nicely; vendor marketing machines are quite adept at pounding APT, BYOD and even cloud into the ground until you wince every time you hear these terms -- and eventually ignore them.
With that as context, we now have big data -- oh excuse me, Big Data -- which has made its way into the friendly confines of information security. It’s security’s equivalent of baseball's OPS. You’re not a Hadoop Hall of Famer if you haven’t plugged some huge analytics machine into all your other analytics machines that’s able to spit out some shiny report pointing out exactly how that BYOD Android tablet led to an APT attacker sniffing all your PII and IP and sending it to some proxy server in Omaha that’s really a front for China’s PLA. Phew, thank goodness you bought that GRC/SIM/NBAD thingy from RSA. Or is it EMC? Get the picture?
Well, it is important to get the picture. But is it realistic today in 2012? Prolly not.
You see, none of this security Big Data stuff is really baked yet. Sure you can pump some Lidocaine and B12 into your SIM, but at the end of the day, it’s still a SIM on steroids. It’s not a real analytics tool; it’s an even fancier compliance report generator (checkmark PCI requirement 10). I mean, can you really do Big Data for security without a data scientist?
O.K., dialing back the cynicism for a minute, this whole notion of having better visibility into what’s happening on your network and endpoints is crucial. Attackers don’t make a lot of noise anymore; chances are they are on your networks pivoting with legitimate credentials until they find what they want. And stuff is moving off your networks. You need to understand what normal network behavior is, find anomalies and choke them off. Yes, much easier said than done, and eventually, someday, way down the line, you’ll have a data scientist who, with the help of some automation, will know exactly how, when and where attacks happen and will help you stop them. Of course, attackers will be off to their next attack vector, but you get the point.
Not to entirely belittle this; some enterprises and large ecommerce sites are doing stuff similar to this already. Zions Bancorp became the security Big Data poster child at RSA Conference 2012 about a month ago. The enterprise mines security data across its enterprise using a Hadoop-based security data warehouse that accepts feeds from its Windows logs, intrusion detection and more. Zions uses a mash-up of commercial and homemade analytics tools, plus its very own data scientist, to improve forensics and fraud detection efforts.
“Big data is not entirely hype… We think it’s a game changer for the industry,” said Zions CSO Preston Wood.
StubHub, the online platform for event ticket buyers and sellers, is probably a more realistic example of today’s Big Data security. Robert Capps’ team manages risk for StubHub, which he says means looking for things on their platform that are out of character and could lead to either financial loss or a bad experience for their customers. Capps, senior manager of trust and safety, has a good grasp on the transaction flows on the StubHub site based on a long history of good transactions his team uses as a baseline for anomaly detection. They also employ relatively new technology from startup Silver Tail Systems that does fraud prevention based on its capability to watch how websites are used and alert business owners to changes in behavior, such as spikes on relatively obscure webpages. The business can respond and adjust business logic flows accordingly.
Capps had one such anomaly when he learned there was unusual traffic on StubHub’s add-payment-type feature. Attackers using a small number of IP addresses were rapidly adding credit card numbers they’d stolen to legitimate accounts they’d created to determine if the card numbers were still valid. This abuse of legitimate business logic wasn’t picked up by an IPS, which saw legitimate Web traffic, or a SIM, which saw only whether credit cards were added successfully.
Capps says he caught another abuse of legitimate business processes and logic. Attackers were using public APIs that give authenticated ticket sellers an analysis of similar ticket prices in their regions; the service helps sellers price their tickets. The data in small snippets isn’t useful to a competitor, but a scripted attack scraping every event and the prices for every arena section, for example, is incredibly useful.
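The add-payment-type case above is a velocity problem: the IPS sees well-formed web requests and the SIM sees only successful card adds, so neither notices a handful of IPs cycling stolen card numbers through throwaway accounts. Here is an added example (not StubHub's or Silver Tail's code) of the baseline-versus-anomaly check a defender would run over application access logs; the log format, the IP addresses and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log excerpt: "timestamp ip account endpoint status".
# Two IPs hammer /add-payment-type across several accounts; most attempts are rejected.
SAMPLE_LOG = """\
2012-03-01T10:00:01 198.51.100.7 u101 /event/123 200
2012-03-01T10:00:05 203.0.113.9 u900 /add-payment-type 200
2012-03-01T10:00:06 203.0.113.9 u900 /add-payment-type 402
2012-03-01T10:00:07 203.0.113.9 u901 /add-payment-type 402
2012-03-01T10:00:08 203.0.113.9 u901 /add-payment-type 200
2012-03-01T10:00:09 203.0.113.9 u902 /add-payment-type 402
2012-03-01T10:00:10 203.0.113.9 u902 /add-payment-type 402
2012-03-01T10:00:12 198.51.100.7 u101 /add-payment-type 200
2012-03-01T10:00:30 203.0.113.10 u903 /add-payment-type 402
2012-03-01T10:00:31 203.0.113.10 u903 /add-payment-type 402
2012-03-01T10:00:32 203.0.113.10 u904 /add-payment-type 402
2012-03-01T10:00:33 203.0.113.10 u904 /add-payment-type 200
2012-03-01T10:00:34 203.0.113.10 u905 /add-payment-type 402
2012-03-01T10:07:00 203.0.113.9 u906 /add-payment-type 402
"""

def parse(line):
    ts, ip, account, endpoint, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "account": account,
            "endpoint": endpoint, "status": int(status)}

def card_testing_alerts(lines, window=timedelta(minutes=5), max_attempts=4, max_accounts=2):
    """Flag IPs whose add-payment-type attempts (successful or rejected) in any sliding
    window exceed the baseline velocity, or that touch too many distinct accounts."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    per_ip = defaultdict(list)
    for e in events:
        if e["endpoint"] == "/add-payment-type":  # count attempts, not just successes
            per_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in per_ip.items():
        start, worst = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            chunk = evs[start:end + 1]
            if worst is None or len(chunk) > worst["attempts"]:
                worst = {"attempts": len(chunk),
                         "accounts": len({e["account"] for e in chunk}),
                         "rejected": sum(e["status"] != 200 for e in chunk)}
        if worst["attempts"] > max_attempts or worst["accounts"] > max_accounts:
            alerts[ip] = worst
    return alerts
```

The rejected count is what a success-only SIM report never shows: in a card-testing run most attempts fail, and that failure rate, not the few successes, is the signal.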
Capps says he believed his IPS, SIM and other analytical tools weren’t effective at analyzing security events but didn’t have the data to support it. By taking a real-time analytics approach, he says he’s able to identify problems and change his company’s security response without changing the customer experience.
“IPS is great if someone is trying to attack your firewall; it’s not real good at identifying bad actors who are getting in with good traffic, especially if they’re using your Web application like everyone else,” Capps says. “I’d rather have a tool that says this looks odd and doesn’t fit with my transaction flows. That was the direction I needed to identify zero-day attacks; I consider someone hitting my add-a-credit-card function a zero-day attack.”
Buzzwords, analogies, acronyms, and hype aside, it sounds like analyzing security data in 2012 is probably more about thinking outside the box than necessarily buying a box.
About the author:
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Follow him on Twitter @Mike_Mimoso. Send comments on this column to email@example.com.