Government IT professionals say they are drowning in security data and are in desperate need of analytics tools,...
according to a new study.
Government IT network MeriTalk conducted a study on the lack of security data analytics in government agencies and the need for such tools, surveying more than 300 government cyber security professionals from federal, state and local agencies. The survey, underwritten by data analytics firm Splunk Inc., found that 68% of professionals say their organization is overwhelmed by the amount of data they receive. While 86% of respondents believe analyzing big data would significantly improve their information security efforts, only 28% are actually leveraging security analytics products.
"A big data analytics platform can serve as the nerve center harnessing data from many different sources: devices, websites, firewalls and mobile devices," said Adam Cohn, director of government affairs and public policy at Splunk. "Our view is that security teams need an infrastructure-wide view of the activities all across their systems and networks in order to really identify and stop attackers."
Adam Cohndirector of government affairs and public policy, Splunk Inc.
In addition, the study found another troubling data point: cyber threats exist on government networks for an average of 16 days before identification. The amount of time the attacker stays in a system depends on the attacker's capability and intent, but any extended period of time spent on a network is too long, said Cohn. It gives time for attackers to steal or damage the infrastructure or establish presence.
"As a general rule, it's good to detect and contain those attackers as quickly as possible," Cohn said. "The more sophisticated and resourced the attacker, the longer it takes for detection. Or [the more] mature and organized the defender's enterprise, the faster the attack can be detained."
But what can be done with all this data?
"Yesterday's hardened perimeter and compliance approach to cyber security is not working," the MeriTalk study stated. "Government cyber pros are overwhelmed with security data -- storage, management and analysis. They need a more efficient and agile game plan."
The fact that malware is always changing makes it difficult to use a signature-based approach, Cohn said. Looking at big data can lead to finding anomalies that show that some actor is doing something they shouldn't be doing.
The big picture, according to Splunk, requires looking at log data from all devices and applications; the flow data of what's going on across the network; the threat intelligence from outside of the organization; and the contextual data, such as who should be on the network and what kind of access they should have.
Unless these four types of information are able to be correlated, Cohn said, the company is at a disadvantage in detecting an attack.