Applying Big Data principles to information security
“With the pervasiveness of Big Data touching on everything we do, our attack surface will be altered and expanded and our risks magnified in ways we couldn’t have imagined,” says Art Coviello, executive vice president of EMC and chairman of its security division, RSA.
He says this development comes in the context of the convergence of massive information growth with mobility, social media and the cloud.
Coviello underscores the amount of data in question, noting that stored digital content is doubling every two years and reached one zettabyte (“the equivalent of 4.9 quadrillion books”) in 2012.
The “internet of things”, the proliferation of connected devices such as smart meters, vending machines, cars and medical gadgets, is also pushing the growth of consumable data.
Analysts predict that by 2020 these connected devices could number in the tens of billions, and perhaps as many as 200 billion objects.
He says that while most common business analytics tools are based on structured data using relational databases, the “real goldmine” lies in unstructured data, which is five times larger and growing three times faster than structured data.
Yet, he says, IDC estimates that less than 1 percent of this data is being analysed.
The ‘crown jewels’ of the enterprise
With the development of new tools and technologies to analyse all this information, data applications and stores will become the “crown jewels” of an enterprise.
“For once, this tired cliché is actually appropriate,” he says, as this valuable information can be readily accessed in the cloud via mobile devices across hyperconnected enterprises. The challenge is that the same information is also reachable by adversaries.
Coviello reiterates his message from the previous year’s conference on the need to adopt “intelligence driven security”.
This approach, he says, requires a thorough understanding of risk, agile controls based on pattern recognition and predictive analytics in place of outdated static controls, and the ability to analyse vast amounts of data from numerous sources to produce actionable information.
This model is based on what he calls “security Big Data” and can be applied in two ways – in security management and the development and application of individual controls.
Because the sources of security data are almost limitless, there is a need for security management beyond traditional security information and event management, he says.
Organisations, for instance, must have full visibility into all of their data, both structured and unstructured, from internal and external sources alike.
Big Data architectures will be scalable enough that all of this data can be analysed, however large or fast changing it is.
“Organisations will be able to build a mosaic of specific information about digital assets, users and infrastructure, allowing the system to spot and correlate abnormal behaviour in people and in the flow and use of data.”
The security ‘asymmetry’
Data analysis, meanwhile, allows businesses to baseline what is normal in their organisation. “Normal is the new intelligence,” says Francis deSouza, president of products and services at Symantec. “You can tell when you are behaving abnormally – you understand whether you are under attack or not.”
DeSouza also notes the “asymmetry” between security teams and cybercriminals.
“Attackers have to be right just once and we [security teams] have to be right all the time,” he says.
“We are now close to the end of the decade of weaponised malware,” he says.
DeSouza shared some of the trends Symantec researchers have observed in the past year.
Among these is the growth in the number of multi-flank attacks on a single enterprise in order to confuse and distract security teams.
A recent case involved a European bank that had suffered from denial of service attacks at 5 am on a Friday. While the security team was trying to keep the online site alive, the attackers embarked on a phishing attack and focused on stealing credit card account information.
The attackers created fake ATM cards and went to an outsourced provider of “money mules” who went to ATMs around the world and drained bank accounts. “There is a pretty robust ecosystem to provide services at various stages of the attack,” he says.
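The bank case above is a concrete instance of the two ideas the keynotes describe: baselining what is “normal” for each data source (deSouza), and correlating abnormal behaviour across sources so that a distraction on one flank does not hide the real objective on another (Coviello’s “mosaic”). The following Python is an added illustration written for this page, not code from RSA or Symantec. The three sources, their names and every counter value are constructed; a robust median/MAD baseline is used, with a floored scale so that sparse counters (mostly zeros) do not divide by zero, and the threshold of 5 is an assumption:

```python
"""Baseline 'normal' per data source, then correlate abnormal minutes across
sources to surface a multi-flank campaign.

Added example for this article.  All counters below are constructed for
illustration; they are not real telemetry from any bank or vendor."""
from statistics import median

# Constructed per-minute counters from three independent sources (the source
# names are illustrative assumptions).  Index i is minute i of the window.
BASELINE = {            # a quiet learning window: what "normal" looks like
    "edge_requests":          [1200, 1180, 1250, 1210, 1190, 1230, 1205, 1215, 1195, 1240],
    "phish_reports":          [0, 1, 0, 0, 1, 0, 0, 0, 1, 0],
    "atm_withdrawals_abroad": [2, 3, 1, 2, 2, 3, 2, 1, 2, 2],
}
MONITORED = {           # the "Friday 05:00" window under investigation
    "edge_requests":          [1220, 1210, 9800, 11500, 12300, 11900],
    "phish_reports":          [0, 1, 2, 35, 48, 50],
    "atm_withdrawals_abroad": [2, 1, 2, 3, 27, 41],
}

MAD_TO_SIGMA = 1.4826   # scales median absolute deviation to a std-dev equivalent


def robust_baseline(values, scale_floor=1.0):
    """Return (centre, scale) from median / MAD.  Unlike mean / std-dev, one
    noisy minute in the learning window barely moves the baseline, so an
    attacker cannot easily 'teach' the detector that a spike is normal.
    Sparse counters give MAD == 0, so the scale is floored (assumed floor)."""
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    return centre, max(MAD_TO_SIGMA * mad, scale_floor)


def robust_z(count, baseline):
    """How many robust 'sigmas' a count sits above its source's normal level."""
    centre, scale = baseline
    return (count - centre) / scale


def anomalous_minutes(baseline_data, window_data, threshold=5.0):
    """Map minute -> set of sources whose count is abnormally high that minute."""
    baselines = {src: robust_baseline(vals) for src, vals in baseline_data.items()}
    hits = {}
    for src, series in window_data.items():
        for minute, count in enumerate(series):
            if robust_z(count, baselines[src]) >= threshold:
                hits.setdefault(minute, set()).add(src)
    return hits


def multi_flank_alerts(hits, min_sources=2):
    """Minutes where at least `min_sources` independent sources are abnormal
    at once.  A lone edge-traffic spike is an availability incident; the same
    spike alongside a phishing wave and a surge of foreign ATM withdrawals is
    a coordinated campaign and should be escalated as one."""
    return [(m, sorted(srcs)) for m, srcs in sorted(hits.items())
            if len(srcs) >= min_sources]


if __name__ == "__main__":
    hits = anomalous_minutes(BASELINE, MONITORED)
    for minute, sources in sorted(hits.items()):
        print(f"minute {minute}: abnormal in {sorted(sources)}")
    for minute, sources in multi_flank_alerts(hits):
        print(f"MULTI-FLANK ALERT at minute {minute}: {', '.join(sources)}")
```

Run stand-alone, the script flags the edge-traffic spike alone at minute 2 (the distraction), then raises multi-flank alerts from minute 3 once the phishing wave joins it and from minute 4 once the ATM cash-out starts. The point is the correlation step: each source’s own team would see one incident, while the joined view shows a single campaign with a fraud objective.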
He also notes the “rising sophistication” of the back-end infrastructure that runs attackers’ hosting environments.
DeSouza describes these as “bullet proof” hosting operations, which can be spread across multiple countries with “softer” regulatory and enforcement environments. This makes it hard for enterprises and law enforcement to figure out where attacks are coming from.
At the same time, he notes the growth of malware targeting “nontraditional environments” such as water utilities and power plants.
With the emergence of contractors capable of producing or repurposing cyberweapons, most countries now have access to very sophisticated cyber weapons, he says. Today, a small country can disrupt the operations of a much larger, developed country.
“We are seeing organised criminals act in a more sophisticated way, with military grade operations and access to the same set of weapons.”
He says the Big Data trend, however, can also lead to “big intelligence” on what is happening on the threat landscape. “Who is after you, what campaign are they running, what are they after? What are the fingerprints of these attacks? Can these attacks be tracked to individuals, organisations, countries?”
He says at Symantec this information is used by researchers to build an identity around campaigns and attackers to help predict the next target. They can then talk to organisations, to tell them to expect this type of campaign and what they need to do.
RSA’s Coviello, meanwhile, lists a series of steps enterprises can take to manage the shifting threat landscape.
- The first is a “transformational security strategy”. This involves designing a plan that transitions existing security infrastructure to an intelligence driven one, integrating Big Data capabilities as they become available.
- The next is to create shared data architecture for security information. Because big data analytics require information to be collected from various sources and different formats, a single architecture will allow all the information to be captured, indexed, analysed and shared.
- The third is to migrate from point products to a unified security architecture using open and scalable Big Data tools.
- The fourth is to strengthen the operation’s data science skills. Security leaders should add data scientists to manage the organisation’s big data capabilities efficiently, says Coviello. Because data scientists with a security background are scarce, many organisations will want to consider using outside partners to supplement internal security analytics work.
- Finally, enterprises should augment internal security analytics with external threat intelligence services, getting information “from as many sources as possible”, he advises.
Divina Paredes attended the RSA Conference 2013 in San Francisco as a guest of RSA.