
RSA: Cloud visibility, analytics crucial to enterprises

RSA's Rashmi Knowles spoke with SearchCloudSecurity about enterprises struggling with security visibility, and how analytics and data science can help.

RSA's Rashmi Knowles said enterprises today face more obstacles than ever in gaining proper security visibility, largely because of the growing volume of data that infosec teams must handle.

Knowles, chief security architect for RSA's EMEA (Europe, Middle East and Africa) region, said that to get a handle on the volume of information generated by their various security products, enterprises need to embrace security analytics. She also discussed the challenges of gaining cloud visibility and how cloud environments can provide security benefits to enterprises.

Knowles spoke with SearchCloudSecurity at RSA Conference 2016 in San Francisco about security trends from the EMEA region, the promise of security analytics and data science, and the challenges of turning massive amounts of data into actionable intelligence and strong security visibility. Here is part two of the interview with Knowles.

Given the size of the EMEA region, do you get a lot of diverse feedback when it comes to enterprise security strategies?

Rashmi Knowles: Very much so, because there [are] very different levels of maturity. So, U.K., France and Germany are probably the three countries that are most mature in terms of security, and I think all the other countries are on their way or are pretty immature.

I think there are the traditional ones, like financial services, who are always ahead of the curve. I do a lot of work with financial services. I run kind of a clinic, which I call my Oprah Winfrey sessions, and it's open to the top 500 financial institutions in the city of London. So, they set the agenda and we discuss it, and we do that once a month. They share ideas amongst themselves. So, it's quite interesting, because they get something out of it. And I think, typically, financial institutions are ahead of the game and they invest a lot more, and the risk is much higher and they understand risk. Marrying the IT risk with the business risk is something that they actually do very well, whereas I think a lot of other organizations really struggle with that glue in between.

So, if you're looking at maturity levels, then you need to be looking at IT risk. And a lot of them don't make that leap to actually understand that if they had a compromise on a file server, and they know the IP address of the file server -- they may think that they have a good handle on security -- but, actually, if you had a compromise and you had to make a decision to say, 'Shut that server down immediately,' would they know what effect it has on their business risk? Most organizations have no idea.

That's been talked about a lot the last couple of days -- having the ability to not just operate all of these disparate security products, but the challenge of making sense of the information they generate and aggregating the data from both on premises and cloud into something that's useful and actionable.


Knowles: Right. I think the product piece is getting there; you saw the announcement that we made about behavior analytics. I think a lot of companies have a lot of data, and that's not necessarily a good thing, right? So, if you have visibility and look at the type of data that you can collect, then you end up with identities, network, full packet capture, transaction analysis [and] applications -- you actually end up with a lot of data. And when you have to investigate something, a lot of organizations have 12 different places that they would need to go to in order to actually collect the data. And I've seen customers do this: A lot of them have a spreadsheet, which is on a different system, so they actually go and collect the data, and actually physically put [it] into spreadsheet and try and make some sense out of that. Now, by the time they do that, it's too late.

So, I think the tools and capabilities are available today to actually look at the visibility of all that data, to be able to correlate all that data and apply some analysis to it. And that's where things like big data and data science come in. And data science is an interesting thing as well ... because ... data scientists are probably more expensive and rarer than security people.

So, the challenge is having the human element to do the analysis.

Knowles: Yes. Pick something like security analytics. We've actually built the data science modules into that, so you get the benefit of having data science capabilities without having to invest in the right people to actually do some of that work for you. It doesn't take away the human element, but it actually makes it easier for them. You're collecting the data, you're applying the analysis and you're saying, 'Instead of focusing on these 1,000 incidents that happen every day, focus on these five instead, because they are the five that you actually need to investigate.'

Are most enterprises you talk with exploring security analytics? Do they know they have all of this data, and they need to parse it and decide what needs to be acted on?

Knowles: I think so, and I think that mindset's changing. If you're a mature organization, you would have some capability or some kind of product that's a SIEM (security information and event management). But I think everybody now understands that SIEM is very limited; it may give you log information, but ... because you don't have deep packet visibility, you're actually only looking at the envelope -- you're not opening the envelope to see what's inside it. And we know that if you look at advanced attacks, then you actually need to have full visibility. If you can't see everything that you've got, then you can't protect it. And ... a lot of our customers that we speak to are beginning to understand that. Some of our mature customers definitely are getting a lot of benefit from security analytics and being able to see what they couldn't see before.

So, what are they seeing?

Knowles: It's a real eye-opener, and some of them get really surprised. I'll give you some examples here. Think of command-and-control sites or beaconing sites. So, an enterprise may feel that it has a good handle on its environment, but then you go and put something like security analytics in, and they see all this traffic, which is going out to unknown domains somewhere else -- beaconing out to command-and-control servers. They've never seen that, and they're not aware of that at all. So, I think when they see things like that, that's when they get the real value of it. And, of course, with something like security analytics, because you've got a big data engine, you're storing all that data, and so you can do historical analyses as well. So by doing historical analysis, you can actually say, 'Well, in the last six months, how many of our servers have been communicating out to those suspicious domains?'
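The two analyses Knowles describes here, spotting beaconing to unknown domains and then asking retrospectively which hosts contacted those domains, can be demonstrated with ordinary log data. The following is an added example, not code from the interview or from any RSA product: it parses constructed outbound-connection log lines (the line format, the IP addresses and the domain names are all assumptions made for the example), flags (source, destination) pairs whose connections recur at a near-constant interval, and then runs a six-month lookback against a set of domains the analyst has decided to treat as suspicious.

```python
"""Beacon detection and historical lookback over outbound connection logs.

Added example (not RSA's code). Flags (src, dst) pairs whose outbound
connections recur at near-constant intervals (a beaconing heuristic), then
answers "which hosts talked to these suspicious domains in the window?".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re
import statistics

# Constructed sample data. The log format, hosts and domains are assumptions
# made for this example; a real deployment would read proxy/DNS/NetFlow data.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")
BASE = datetime(2016, 3, 1, tzinfo=timezone.utc)

# A 5-minute beacon with slight jitter: 12 connections, mean gap exactly 300 s.
BEACON_OFFSETS = [0, 300, 602, 899, 1201, 1500, 1798, 2101, 2400, 2703, 2997, 3300]
# Ordinary user browsing: bursty, irregular gaps.
BROWSE_OFFSETS = [0, 45, 400, 410, 1300, 1330, 2900, 2905]


def _line(ts, src, dst, nbytes):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} src={src} dst={dst} bytes={nbytes}"


SAMPLE_LOGS = (
    [_line(BASE + timedelta(seconds=s), "10.0.1.5", "cdn-sync.example-bad.net", 512)
     for s in BEACON_OFFSETS]
    + [_line(BASE + timedelta(seconds=s), "10.0.2.9", "news.example.com", 40000 + s)
       for s in BROWSE_OFFSETS]
    # A single contact with the same domain a month earlier: invisible to a
    # live beacon check, but exactly what the historical question should find.
    + [_line(BASE - timedelta(days=30), "10.0.3.7", "cdn-sync.example-bad.net", 498)]
)


def parse_logs(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m.group(2), "dst": m.group(3), "bytes": int(m.group(4))})
    return events


def beacon_candidates(events, min_hits=6, max_cv=0.15):
    """Return {(src, dst): stats} for pairs whose inter-connection gaps are regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; human browsing has a high CV, a timer
    driven implant a low one. min_hits avoids scoring pairs with too few samples.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; no usable period
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found[pair] = {"count": len(stamps), "period_s": mean, "cv": cv}
    return found


def hosts_contacting(events, suspicious_domains, since, until):
    """Historical lookback: which internal hosts reached any suspicious domain in [since, until]?"""
    return sorted({e["src"] for e in events
                   if e["dst"] in suspicious_domains and since <= e["ts"] <= until})


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    beacons = beacon_candidates(evs)
    for (src, dst), stats in beacons.items():
        print(f"beacon? {src} -> {dst}: {stats['count']} hits, period {stats['period_s']:.0f}s, cv {stats['cv']:.3f}")
    watch = {dst for (_, dst) in beacons}
    print("hosts contacting those domains in the last six months:",
          hosts_contacting(evs, watch, BASE - timedelta(days=180), BASE + timedelta(hours=1)))
```

The threshold values (`min_hits`, `max_cv`) are tuning knobs, not constants with any special status: a high-jitter implant will need a looser `max_cv`, and legitimate software updaters and monitoring agents will show up as regular too, so candidates are leads to investigate against domain reputation and asset context, not verdicts. The point of retaining the raw events is the second function: once a beaconing domain is identified, the same store answers the retrospective question without a fresh collection exercise.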

You touched on cloud visibility earlier, but how does the cloud affect the effort to gain visibility and clarity of all this security data?

Knowles: If you think about a basic virtualization platform, then cloud visibility is very powerful there, because you can see everything. It's not like a traditional IT environment, where you've got a lot of disparate systems and different operating systems or whatever. If you think of a cloud as lots of virtual stacks, then definitely that gives you better visibility, and I think it also gives you a lot better control. Take something as simple as patching. Quite often, when I speak at events and I talk about our whole strategy, somebody always puts their hand up at the back and says, 'Rashmi, that's all very good stuff, but we're still struggling with patch management or vulnerability management.' In the cloud, that's so easy to do, because you just need to do it once. You don't have to do this whole cycle of continuous patching.

Who's responsible for all of that? For a long time, it seemed there was a mentality that when you push stuff to the cloud, it was the cloud provider's problem.

Knowles: I think at the end of the day, if the data is breached, it's your responsibility -- it's your data. So, the fact that it's in the cloud ... you still need to know where that data is. And when it comes to things like GRC (governance, risk and compliance), you need to make sure that all the GRC controls apply to that data, even if it is in the cloud. If you have a breach, it's not going to be the cloud service provider's data. It's going to be your data. So, I think the good cloud service providers actually offer that capability for cloud visibility. You have your own pane of glass where you actually can see what your data's doing, you can make sure the controls are appropriate and also see if the data is moving. Because that's the other thing: A lot of cloud service providers may have three or four different locations and they may say, 'Oh, we're shutting that site down today for maintenance,' and the data's going to be somewhere else out there. So, when it's somewhere out there, are the controls that you've got around that data still relevant? Are they still living and breathing with that data before it comes back to your regular site? So, I think that level of cloud visibility is offered by the good service providers.

What are enterprises doing with that data and visibility besides mitigating threats?

Knowles: If you're using security analytics, then the platform wants to give you some metrics. One of the most commonly asked questions I get when I talk to customers is, 'What metrics would you present to a board?' So, if you are a CISO or if you're responsible for security in an organization, when you go talk to the board, what language do you talk to them in when it comes to security, and what metrics are they interested in? The [threat] intelligence, the security analytics and the behavior analytics pieces of it all come together in a bigger picture, so you can actually say this is the progress that we've made from the data collection standpoint. So, I think it's an interesting way of looking at it. It's not going to give you the dollar value. It's not going to say it will save $100,000 or whatever, but it actually shows some progress.

Does it also help enterprises determine what types of cloud apps and services to actually authorize and deploy across the company? Because there's got to be ROI from moving off of legacy applications to less expensive cloud services.

Knowles: Yes, that's a really good point. And we're also seeing the cloud service providers actually specializing in things. We have cloud service providers who set themselves up specifically for retail. So, they'll actually take away the full onus of PCI DSS requirements and say, 'OK, we'll manage, we'll take your PCI responsibility. You just send us the transactions, we'll process them.' I think there are a lot of service providers who are now popping up who are actually saying, 'We only do financial services,' or 'We only do healthcare.' And I think that's a really good thing, because ... from a regulatory and a GRC perspective, that means at least the service provider understands the constraints around what you do with that data.
