SAN FRANCISCO -- Big data security analytics is increasingly a necessity for organizations struggling to spot previously unknown attacks, but according to a trio of CISOs, enterprise IT teams shouldn't plan on using traditional security products such as SIEM for handling large quantities of data.
Speaking with a panel of CISOs at the 2014 RSA Conference, moderator Neil MacDonald, vice president at Stamford, Conn.-based Gartner Inc., said the term big data may be overhyped in the security community, but it is playing an ever more important role in fending off advanced persistent threats. Traditional, signature-based antivirus products are only good for blocking known attacks, according to MacDonald, and such capabilities are pointless when, for example, attackers use malware crafted specifically for a target organization.
Enterprise security professionals are coming around to the idea that breach prevention is basically impossible, MacDonald noted.
"You must assume the systems will be breached. Once breached, how do you know you've been compromised?" MacDonald asked. "You have to baseline and understand what 'goodness' looks like and look for deviations from goodness. McAfee and Symantec can't tell you what normal looks like in your own systems. Only monitoring anomalies can do that."
MacDonald said that such monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets. Of course, such monitoring can create the sort of large quantities of data that traditional security systems struggle to handle.
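The "baseline what normal looks like, then look for deviations" approach MacDonald describes is easy to state and easy to get wrong. The following is an added example, not code from the article or from any of the vendors named on the page, showing the idea applied to per-host outbound flow volumes. The flow records are constructed sample data; the field names, the seven-day window and the 3.5 threshold are assumptions. It uses a median/MAD ("modified z-score") baseline rather than mean/standard deviation so that a single earlier spike in a host's history does not inflate the baseline and hide today's deviation, and it reports hosts that have no baseline at all as a separate case rather than silently scoring them.

```python
"""Baseline-and-deviate check over per-host outbound byte counts.

Added example (not from the article). Records are (day, host, bytes_out)
daily summaries such as a flow collector might produce; they are constructed
sample data, not real traffic.
"""
import math
from collections import defaultdict
from statistics import median

# Constructed sample data. Days d1..d7 are the baseline window; d8 is "today".
SAMPLE_FLOWS = [
    ("d1", "10.0.0.5", 1_100_000), ("d2", "10.0.0.5", 1_250_000),
    ("d3", "10.0.0.5", 980_000),   ("d4", "10.0.0.5", 1_180_000),
    ("d5", "10.0.0.5", 1_050_000), ("d6", "10.0.0.5", 1_210_000),
    ("d7", "10.0.0.5", 1_120_000),
    ("d8", "10.0.0.5", 1_140_000),            # within its own normal range
    ("d1", "10.0.0.9", 300_000), ("d2", "10.0.0.9", 320_000),
    ("d3", "10.0.0.9", 290_000), ("d4", "10.0.0.9", 310_000),
    ("d5", "10.0.0.9", 305_000), ("d6", "10.0.0.9", 295_000),
    ("d7", "10.0.0.9", 315_000),
    ("d8", "10.0.0.9", 9_800_000),            # ~30x its norm: worth a look
    ("d8", "10.0.0.77", 50_000),              # never seen before: no baseline
]


def split_baseline(records, today):
    """Separate each host's history (days other than `today`) from today's total."""
    history = defaultdict(list)
    current = defaultdict(int)
    for day, host, nbytes in records:
        if day == today:
            current[host] += nbytes
        else:
            history[host].append(nbytes)
    return history, dict(current)


def robust_zscore(value, history):
    """Modified z-score: (value - median) scaled by the median absolute deviation.

    0.6745 makes the score comparable to a classic z-score for normal data.
    A MAD of zero means the history is perfectly flat; any change is then
    reported as infinitely surprising rather than dividing by zero.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else math.inf
    return 0.6745 * (value - med) / mad


def find_deviations(records, today, threshold=3.5, min_history=5):
    """Return (host, reason, score) for hosts that deviate from their own baseline
    or that have too little history to be baselined at all."""
    history, current = split_baseline(records, today)
    findings = []
    for host, nbytes in sorted(current.items()):
        hist = history.get(host, [])
        if len(hist) < min_history:
            findings.append((host, "no baseline", None))
            continue
        score = robust_zscore(nbytes, hist)
        if abs(score) >= threshold:
            findings.append((host, "deviates from baseline", round(score, 1)))
    return findings


if __name__ == "__main__":
    for host, reason, score in find_deviations(SAMPLE_FLOWS, "d8"):
        print(f"{host:12} {reason:24} {'' if score is None else score}")
```

Two design choices matter in practice: the baseline is per host, because "normal" for a build server and a receptionist's desktop are nothing alike, and a host with no history is surfaced explicitly rather than scored against nothing. The same structure works for file-activity counts or per-user authentication volume; only the grouping key and the metric change.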
Panel member Golan Ben-Oni, CISO for Newark, N.J.-based IDT Corp., said his organization realized several years ago that the ability to collect and correlate data from the network and endpoints was vital. As a result, the company has introduced many new technologies and tools, though Ben-Oni said that determining which products are "best of breed" has been a constant challenge.
Among other measures, IDT now inspects every packet heading to every endpoint, according to Ben-Oni, which has meant the company went from collecting 40 Gb of security data per day to a massive 400 Gb currently. IDT was forced to go back to the vendors, Ben-Oni said, in an attempt to get some visibility into those large sets of data, eventually leading them to try products from two separate security information and event management (SIEM) vendors.
Ben-Oni found, though, that SIEM lacked a number of big data analytics capabilities the company deemed necessary, starting with raw processing speed. Perhaps more importantly, any trends those SIEM products did spot still required manual action, he noted, meaning a security analyst would then spend 15 to 20 minutes implementing a rule.
IDT eventually turned to the big data tool Splunk to actually process those large data sets, Ben-Oni said, which allows the company to "act on data immediately." The processed data then gets fed back into the network security products from Palo Alto Networks that the company has deployed, which, with some Python scripting, enables provisional changes to be pushed out automatically.
"Automation brought [the time-consuming process with SIEM] down to seconds," Ben-Oni claimed, noting that there is currently an opportunity for enterprise vendors to write apps for Splunk.
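Ben-Oni's pipeline, Splunk results scripted back into Palo Alto Networks firewalls, is the kind of automation that takes a rule from minutes to seconds, and also the kind that can take a whole office offline in seconds if the search returns something unexpected. The block below is an added example, not IDT's code and not code from Splunk or Palo Alto Networks, of the guard rails such a script needs before anything is pushed. The CSV rows stand in for a saved search's results and are constructed; the column names `src_ip` and `risk_score`, the internal ranges, the allowlist, the score threshold and the per-run cap are all assumptions. The push uses the PAN-OS XML API's User-ID message (`type=user-id`) to tag addresses so that a dynamic address group, not a hand-edited policy, does the blocking; check the exact message shape against the vendor's documentation for the PAN-OS version in use.

```python
"""Splunk alert results -> tagged addresses on a Palo Alto firewall, with guard rails.

Added example, not the article's or any vendor's code. Assumed inputs: a CSV of
alert results with src_ip and risk_score columns (a Splunk custom alert action
receives such rows as a gzipped CSV; here they are inline, constructed data).
"""
import csv
import io
import ipaddress
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

# Constructed sample results: duplicates, an internal host, an allowlisted
# partner address, a low-score hit and one unparseable row.
SAMPLE_RESULTS_CSV = """src_ip,risk_score,count
203.0.113.45,95,412
203.0.113.45,95,412
10.0.0.5,99,20
198.51.100.7,40,3
192.0.2.18,88,77
not-an-ip,100,1
"""

# Assumed: the organization's own address space. Never auto-block these.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
# Assumed allowlist (partner range, resolvers, and so on).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
MAX_PER_RUN = 50   # more than this in one alert is a broken search, not an attack


def parse_results(csv_text):
    """Turn the alert's CSV payload into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def select_block_candidates(rows, min_score=80, internal=INTERNAL_NETS,
                            allowlist=ALLOWLIST, cap=MAX_PER_RUN):
    """Return (sorted unique addresses that cleared every guard, {input: reason skipped}).

    If the candidate count exceeds `cap`, nothing is returned for pushing and the
    run is flagged for human review instead of trusting the search.
    """
    chosen, skipped = set(), {}
    for row in rows:
        raw = (row.get("src_ip") or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped[raw] = "unparseable"
            continue
        if any(ip in net for net in internal):
            skipped[raw] = "internal address space"
        elif any(ip in net for net in allowlist):
            skipped[raw] = "allowlisted"
        elif int(row.get("risk_score") or 0) < min_score:
            skipped[raw] = "below score threshold"
        else:
            chosen.add(ip)
    ordered = sorted(chosen, key=lambda a: (a.version, int(a)))
    if len(ordered) > cap:
        skipped["*"] = f"{len(ordered)} candidates exceeds cap of {cap}; needs human review"
        return [], skipped
    return ordered, skipped


def build_register_xml(ips, tag):
    """Build the PAN-OS User-ID 'register' message that tags each IP with `tag`."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=str(ip))
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def push(xml_cmd, fw_host, api_key, dry_run=True):
    """POST the message to the firewall XML API. With dry_run the request is
    returned instead of sent, which is what the tests exercise."""
    url = f"https://{fw_host}/api/"
    params = {"type": "user-id", "cmd": xml_cmd, "key": api_key}
    if dry_run:
        return url, params
    req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode())
    with urllib.request.urlopen(req, timeout=10) as resp:   # assumed reachable
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS_CSV)
    ips, why_not = select_block_candidates(rows)
    print("tagging:", [str(i) for i in ips])
    print("skipped:", why_not)
    url, params = push(build_register_xml(ips, "splunk-block"), "fw.example.internal", "APIKEY")
    print("would POST to", url, "with", params["cmd"])
```

Tagging an address and letting a dynamic address group enforce the block keeps the automation reversible: untagging is a second, equally small message, and the policy itself never changes. The per-run cap is the check most worth keeping; a search that suddenly matches the whole internet is far more likely a broken query than a real event.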
Panelist Ramin Safai, CISO for New York-based investment bank Jefferies & Company, ran into many of the same products as Ben-Oni. When perusing the showroom floor at RSA Conference, Safai joked that he felt like he had already bought "half the products there," but none of them had been the magic bullet promised by the vendors.
Jefferies currently uses FireEye's threat detection products among others to spot advanced attacks, Safai said, and the resulting data is fed into a traditional SIEM product. Though originally sold to him several years ago as the one security product that can handle everything, Safai said SIEM technology is simply "not good enough" because the data is processed too slowly to be useful for analytics.
Jefferies has looked at a number of technologies in this area, Safai said, but has yet to find a product that meets all its needs, with the company also cautious about moving large sets of sensitive data to cloud-based services. Safai has turned to Splunk to process data on security incidents and to generally monitor "bad behaviors" within the company. Jefferies also uses Splunk to spot employees that may be leaving the company in a few weeks, Safai said, in order to ensure they don't leave with sensitive data in tow.
Still, despite finding Splunk useful for sorting through large sets of data, Safai would ultimately like to see the vendors enable enterprises to reduce the amount of data they need to fret over.
"With all the gigs of data we get, we estimate that only 1% to 5% is actually of value, but we don't have the metadata tagging for that 1% to 5%," Safai said. "If vendors could work with us to tag that metadata, to designate certain data to be protected at all costs, that would help us very much."
Panelist Carter Lee, CISO for Salt Lake City-based online retailer Overstock.com, has also attempted to supplement his organization's big data analytics capabilities with tools such as the Apache Hadoop framework, though he noted the company's recognized profit centers, including marketing and sales, tend to keep Hadoop clusters to themselves. Much like Safai, Overstock.com uses threat detection products from FireEye, among other vendors, and ultimately feeds the resulting data sets into Splunk.
Lee mentioned that SIEM can still be used for that initial layer of threat detection, but that it should be seen as just one security technology in a portfolio of products.
"Just like a carpenter has a belt full of tools, that's what we're dealing with," Lee said. "If all you have is a hammer, you're just going to get a bunch of nails driven into wood."
Finding the right security technology to analyze big data sets is hardly the only challenge, though, according to Lee, as he noted that the high demand for qualified IT professionals means his team members are constantly exiting the company for better offers. Of course, that very same trend makes hiring security analysts capable of spotting trends in large data sets very difficult, Lee said, so companies should look to business analysts and others with quantitative experience for possible security converts.
"We have fields and fields of data and nobody to go through it," said Lee, noting that the company fills such positions mostly via internal transfers.
Ben-Oni has faced the same problem as Lee in finding qualified security analytics professionals. IDT also relies on existing employees to transfer into such roles, Ben-Oni said, though the company took the additional step of starting an internal school to spot potential talent.
Attendee Jeremy Ledet, a security analyst for an unnamed manufacturer, said he was fascinated to hear the CISO panel detail their deployments of Splunk and other tools, especially in comparison with his own shop. Ledet's organization currently uses a number of security products, including a few mentioned by the CISOs, but he said none of them provide the "contextual awareness" needed to analyze large sets of data. Those products currently don't even provide any real view into the network or Active Directory, he noted.
Each time one of those security products triggers an alert, Ledet estimated that a security analyst will undergo a "manual process," spending anywhere between 20 and 30 minutes determining what happened. To address those struggles, Ledet said his team is actually rolling out a SIEM product right now, though the panelists' experience left him jittery.
"I'm spending the next two months implementing a SIEM product, and we've been promised the same things [as Safai]. All the reports I've received say we're going to be able to automate this stuff [with SIEM] and make analysts' lives easier," Ledet said. "To hear that is kind of scary. So yeah, we'll have an eye-opening next few weeks."