Big data analytics and an intelligence-driven security strategy
A rapidly evolving threat landscape and the evisceration of the traditional network perimeter by cloud and mobile computing technologies require organizations to adopt a more intelligence-driven approach to enterprise security.
Strategies that are based purely on blocking threats at the network edge are clearly no longer enough. The massive intrusions at Home Depot, Target, JPMorgan Chase, and dozens of other organizations show that threat actors have figured out not only how to breach perimeter defenses but also how to remain undetected on enterprise networks for long periods.
Shifting Focus
There is growing consensus within the security community that enterprises, however well prepared they might be, are not going to be able to prevent every single attack directed at their networks. The attack surface is too broad and threat actors have too many options for organizations to realistically breach-proof themselves anymore.
The focus of enterprise information security strategies, therefore, should be to enable capabilities for detecting and responding to intrusions faster. Organizations should keep in mind that most of the data losses Target, Home Depot, and others suffered stemmed at least as much from their failure to detect the intrusions quickly as from their failure to prevent the attacks in the first place.
Rather than just blocking and tackling at the network edge, security teams should focus on building a holistic situational awareness capability for spotting and shutting down malicious behavior before major damage occurs, says Zulfikar Ramzan, chief technology officer at RSA.
“The smart attackers are going to find their way through. So the real question is, what do you do when that happens?” he says. “The shift is really about visibility and understanding what is going on across all of your information assets, endpoints, and network,” in order to formulate an efficient response.
Intelligence-driven Security
In such an intelligence-driven model, an organization would know what threats are launched against its networks or systems, know quickly when a breach occurs, understand the exposure and the associated risks, and know exactly what measures to take to contain and mitigate damage. The organization would have a baseline for normal network behavior and be able to identify deviations from that behavior quickly—across the entire network.
Implementing such a capability requires organizations to tap into, collect, correlate, and contextualize data from multiple internal and external sources.
Examples of internal data sources include network event data, packet and log data from security devices, application servers, and other systems. Many organizations already routinely collect and store such data for regulatory compliance reasons and for tasks like post-breach forensic analysis.
But for truly intelligence-oriented security, organizations need to be able to add context around the data they collect from internal sources, says Ryan Olson, intelligence director at Palo Alto Networks’ Unit 42 threat intelligence group. That means fusing it with data collected from external sources about adversaries, their tactics, techniques and procedures, as well as about malware tools and threat indicators, Olson says.
By collecting and consolidating all of the information and running analytics tools against the data, organizations can gain important real-time insights about the risks they face, their exposure to threats, and the actions they need to take in response to security incidents, he says.
Such clarity is vital to mounting a good response. For example, not all organizations have the same risk profile or are attacked for the same reasons, Olson says. An online gambling site is likely more concerned about a denial-of-service attack, while a website that deals with a lot of financial information is more exercised about ID thieves and cyber theft.
So knowing the adversaries and the tactics they employ can be useful in formulating an appropriate response to an incident, he says.
Organizations armed with information like the IP addresses, domains, and file hashes associated with a particular set of threat actors would know precisely what to look for and block if that group attacks. Importantly, if they know the adversary, they would also know what to look for in terms of malicious actions by the threat actors. For example, the response to an adversary known for stealing intellectual property and trade secrets would be different from the response to a threat actor known for stealing customer data.
“You want to be able to predict what an attack would look like,” based on an understanding of an adversary’s techniques and tactics, Olson says. “You want to be able to monitor the system and have a plan that is crafted for the adversary,” rather than a generic incident response plan, he says.
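The correlation step described above, as an added illustration that is not part of the original article: constructed internal log lines (proxy, EDR, firewall) are matched against a constructed indicator set for a hypothetical adversary, and every hit carries the adversary's objective and a tailored playbook so responders see context, not just a matching value. All indicator values, hostnames and the "ACTOR-EXAMPLE" record are made up.

```python
import re
from collections import defaultdict

# Constructed threat-intelligence record for one hypothetical adversary.
# Every value is made up (documentation IP ranges, example domain, dummy hash).
INTEL = {
    "actor": "ACTOR-EXAMPLE",
    "objective": "intellectual property theft",
    "indicators": {
        "ip": {"203.0.113.45", "198.51.100.7"},
        "domain": {"update-check.example.net"},
        "sha256": {"a" * 64},
    },
    "playbook": "isolate host, image disk, audit file-server access",
}

# Constructed internal log lines in a simple "ts host source key=value ..." form.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z ws-114 proxy dst_domain=update-check.example.net dst_ip=203.0.113.45 bytes=512",
    "2024-05-01T10:00:09Z ws-114 edr event=file_create sha256=" + "a" * 64,
    "2024-05-01T10:01:30Z ws-207 firewall dst_ip=192.0.2.10 action=allow",
    "2024-05-01T10:02:00Z srv-db1 firewall dst_ip=198.51.100.7 action=deny",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<fields>.*)$")
# Which log fields are compared against which indicator type.
FIELD_TO_TYPE = {"dst_ip": "ip", "dst_domain": "domain", "sha256": "sha256"}

def parse_line(line):
    """Split a log line into its header and key=value fields; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {"ts": m["ts"], "host": m["host"], "source": m["source"], **fields}

def correlate(logs, intel):
    """Return one match record per indicator hit, with the adversary context attached."""
    matches = []
    for line in logs:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, never silently trusted
        for field, itype in FIELD_TO_TYPE.items():
            value = rec.get(field)
            if value in intel["indicators"][itype]:
                matches.append({"ts": rec["ts"], "host": rec["host"], "source": rec["source"],
                                "indicator_type": itype, "indicator": value,
                                "actor": intel["actor"], "objective": intel["objective"],
                                "playbook": intel["playbook"]})
    return matches

def hosts_by_evidence(matches):
    """Group hits per host so responders see how many independent sources corroborate."""
    per_host = defaultdict(set)
    for m in matches:
        per_host[m["host"]].add(m["source"])
    return {h: sorted(s) for h, s in per_host.items()}
```

On the sample data, ws-114 is corroborated by two independent sources (proxy and EDR), which is the kind of cross-source signal a single-tool view would miss.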
The Data Analytics Factor
An intelligence-driven security model can enable better threat-detection capabilities and the ability to do real-time risk identification and response. But a great deal depends on an organization’s ability to analyze the vast quantities of data generated by internal and external sources and to derive actionable intelligence from it.
Security Information and Event Management (SIEM) tools have long played a role in helping enterprises derive some forensic value from the log and event data generated by firewalls, intrusion-detection and intrusion-prevention systems, and from security tools on endpoint devices. Organizations use these tools for tasks such as identifying the cause of a breach or for meeting regulatory compliance requirements.
But far more robust big data analytics capabilities are required to enable a truly intelligence-driven security model, says Engin Kirda, a professor at the College of Computer and Information Science at Northeastern University in Boston. Intelligence-driven security is more than just collecting information, putting it into a central database, and looking at it, Kirda says. “It’s about smart algorithms, machine learning, and doing things in a quick way,” with really large data sets.
SIEM tools do not offer the kind of deep visibility across the network and outside of it that an intelligence-driven security model requires, adds Olson from Palo Alto Networks. In addition to data about an adversary, enterprises need to be able to pull enough information from internal logs to identify who might be attacking them and formulate a response. “If I have a lot of logs and a lot of data that have to be searched and correlated, I need the ability to perform analytics at scale,” Olson says.
The Big Data Challenge
The amount of data that can be generated by internal and external systems can range from tens to hundreds of gigabytes daily for some organizations. It is not unusual for large enterprises to generate hundreds of millions of event logs on a daily basis.
The Big Data Working Group at the Cloud Security Alliance predicts the numbers will only grow as enterprises enable event logging for more data sources, install more devices, hire more employees, and deploy more software.
“Existing analytical techniques do not work well at this scale and typically produce so many false positives that their efficacy is undermined,” the CSA notes. So over the next few years, organizations will need to invest in big data analytics tools that can help them sift through massive data sets for actionable security information, the group says.
Getting there will involve overcoming some challenges. As organizations add more data sources, it will become increasingly hard for them to verify the trustworthiness of every source, says the CSA. Securing big data stores could become a problem as organizations collect and consolidate ever-larger volumes of data. Importantly, enterprises will still have to rely on human analysts to interpret the data generated by such systems, the CSA notes.
Enterprises lacking in-house analysts will require intuitive, easy-to-use security monitoring tools and analytics capabilities to make sense of the massive data volumes, Kirda says.
Enabling an Intelligence-driven Security Organization
A robust security intelligence capability starts with big data analytics, according to RSA.
Other suggestions include setting up a shared architecture for information security, migrating from point products to unified technologies where possible in order to streamline data gathering, leveraging external threat intelligence, and using open source tools to prevent vendor lock-in.
Current trends suggest that enterprises will have an increasingly hard time preventing malicious actors from gaining access to their networks. But they can harden their defenses and improve detection and response by applying threat intelligence and big data analytics.
An intelligence-driven security model, powered by big data analytics, can help you to be better prepared to deal with current and emerging security threats. But in order to get there, you need to first recognize that the threat landscape has changed irrevocably over the past few years and that a perimeter-centric focus is no longer enough for mitigating risk.