As cyber attacks become more advanced and damaging, organizations are looking to integrate Big Data tools and techniques into their security operations to optimize threat detection and investigation. Organizations can no longer rely on traditional security systems that monitor and analyze only a slice of information from a portion of their environment. Nor can organizations depend on traditional perimeter- or signature-based systems, as these have not been able to stop today's more sophisticated attackers. Organizations need full visibility into the security conditions of all networked assets, as well as external threat intelligence data, to better monitor and detect suspicious activity.
Through technologies such as Hadoop, Big Data promises the collection and analysis of a wider scope of security data, and RSA leads this effort with RSA Security Analytics. Enterprise-wide network traffic and log event data, as well as the most up-to-date threat intelligence, can be captured and analyzed in near real time so security analysts can better detect, investigate, and understand threats they could not easily see or understand before.
The bottom line is that no security system is bulletproof; therefore, to minimize damage, RSA Security Analytics helps organizations reduce an attacker's "free time" from weeks to hours through better detection and investigation capabilities. I spoke with Matthew Gardiner, Senior Manager at RSA, who provided more details on how Big Data can address the dynamic nature of Internet security.
1. How has the attacker profile changed, creating more advanced threats?
The attacker is now more sophisticated, with a business model targeting very specific financial data, customer data, and intellectual property. A planned attack can be against virtually any organization, from an unknown organization that is part of a supply chain to a high-profile organization such as Amazon.com or Wells Fargo, for example. Smart robbers don't just bash a window and walk in. The best robbers take the time to survey and monitor their target, make virtual friends or connections inside the organization to gain information, and steal credentials in order to plan a successful attack. Social networking services have made this surveillance step infinitely easier.
2. It is already possible to detect and investigate security breaches with today’s SIEM technologies. How does RSA Security Analytics go beyond what a traditional SIEM system can do to be more effective?
SIEM technologies gain visibility almost exclusively through log data, so they are great for protecting against traditional and less sophisticated brute force attacks, but not against more stealthy and targeted attacks. RSA Security Analytics leverages Big Data to gain visibility into more data sources at a detailed level, such as network packet data and external threat intelligence data, and to draw intelligence from them in near real time.
3. Why do organizations need to invest in detective technologies? Doesn't it make more sense to improve prevention?
Most organizations have heavily focused on prevention, such as strong authentication and access controls, but nothing is foolproof in preventing today's advanced attacks. In fact, attacks can come from witting and unwitting insiders, so your preventive systems have already been largely breached; therefore, you also need to invest in security technologies for detection and remediation to essentially backstop your preventive security program. Prevention is the first line of defense, but after this the goal needs to be to immediately detect and remedy vulnerabilities and attacks under way. Security Analytics focuses on improving security detection through more effective monitoring, and Big Data allows us to capture and analyze the detailed data needed to quickly and more accurately discover and investigate threats. Time and prioritization are hyper-critical to doing the detection security job well.
The rise of Security Operations Centers (SOCs) in organizations is an organizational reaction to the need for better security detection. In fact, security analysts in these centers are the ones driving the demand for security analytics, since they are responsible for enterprise-wide, 24x7 security monitoring for their entire enterprise.
4. RSA Security Analytics leverages Big Data technologies to deliver its security analytics infrastructure. Describe the architecture: data ingestion, storage and management, and analytics.
Our architecture can be classified as Big Data because we provide both real-time and historical analysis of very large, fast-changing data sets that are being ingested, often at line rates, from both structured and unstructured data sources. The real-time component is homegrown, while the longer-term collection and analytic component is built on Hadoop. Both components are needed for fast and accurate detection. You need the historical data to understand what is normal and to forensically investigate past IT activity, and then use the real-time component to quickly detect and investigate what is not normal in the recent past. The Security Analytics infrastructure is available in a series of on-premises deployment options: SMB, Branch Office, Data Center, and Global Monitoring.
5. Security analytics alone cannot minimize risk. How does this solution enable security analysts to more effectively and efficiently discover and investigate security issues?
Through a single web dashboard, Security Analytics enables security analysts to quickly take action on alerts within a few clicks to dramatically reduce the attacker's free time. It is more effective because alerts are more accurate, generated from external threat intelligence correlated with internal security data. It is more efficient because analysts use the same interface to investigate by easily drilling and pivoting through terabytes of relevant data. The faster analysts can conduct investigations, the more investigations they can conduct and the more remediation projects they can see get done, helping to move their organizations from reactive to more proactive security.
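The two ideas in answers 4 and 5 (a historical window that defines "normal", a recent window checked against it, and external indicators correlated with internal data to produce alerts that carry pivot context) can be sketched in a few dozen lines. This is an added illustration, not RSA code and not how Security Analytics is implemented; the hosts, addresses, byte counts and the indicator feed are all constructed.

```python
"""Baseline-then-detect over constructed connection summaries, joined with an
indicator feed. Historical window: learn per-host "normal" outbound volume.
Recent window: flag volume outliers and any contact with a listed indicator."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical window: (host, dest_ip, bytes_out) per connection.
HISTORY = [
    ("ws-01", "198.51.100.10", 1_200), ("ws-01", "198.51.100.11", 1_500),
    ("ws-01", "198.51.100.12", 1_100), ("ws-01", "198.51.100.13", 1_300),
    ("ws-02", "198.51.100.10", 40_000), ("ws-02", "198.51.100.14", 42_000),
    ("ws-02", "198.51.100.15", 39_000), ("ws-02", "198.51.100.16", 41_000),
]

# Constructed recent window: ws-01 moves ~60x its usual volume; ws-02 is
# within its normal range but contacts an address on the indicator feed.
RECENT = [
    ("ws-01", "203.0.113.55", 80_000),
    ("ws-02", "198.51.100.10", 40_500),
    ("ws-02", "203.0.113.7", 2_000),
]

# Constructed external indicator feed (documentation-range address -> source).
INTEL = {"203.0.113.7": "constructed-feed"}


def baseline(history):
    """Per-host (mean, population stdev) of bytes_out over the historical window."""
    per_host = defaultdict(list)
    for host, _dest, nbytes in history:
        per_host[host].append(nbytes)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def detect(recent, base, intel, z_threshold=3.0):
    """Return alerts carrying the context an analyst pivots on: host, dest, bytes."""
    alerts = []
    for host, dest, nbytes in recent:
        if dest in intel:  # correlation with external intelligence
            alerts.append({"host": host, "dest": dest, "bytes": nbytes,
                           "reason": f"intel:{intel[dest]}"})
        if host in base:   # deviation from this host's own historical baseline
            mu, sigma = base[host]
            z = (nbytes - mu) / sigma if sigma else 0.0
            if z > z_threshold:
                alerts.append({"host": host, "dest": dest, "bytes": nbytes,
                               "reason": f"volume z={z:.1f}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(RECENT, baseline(HISTORY), INTEL):
        print(alert)
```

Run stand-alone it prints two alerts: the ws-01 volume outlier and the ws-02 indicator match; ws-02's in-range connection is silent, which is the point of baselining per host rather than using one global threshold.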