Big Data Analytics and Cyber-Security is Vega's topic of the month.
You can find our monthly technical review on page 3, and a few examples of Israeli solutions for this topic on page 5.
A CHANGING THREAT LANDSCAPE
The cyber threat landscape has changed dramatically over the last 5 years. The new industrialization and internationalization of digital criminality, combined with the limited legal responses available, have enabled the dramatic growth and convergence of both simple and sophisticated attacks.
It is now generally accepted, not only in the security profession but also in the Boardroom, that every organization will be attacked in one form or another on a regular basis. Some of those attacks will inevitably succeed. This is driving changes in the defensive stance of leading firms, where a greater emphasis is now being placed on identifying and limiting damage from successful attacks. Previously, many firms had the stated goal of preventing all possible attacks.
As a direct result, effective and efficient security operations have become a key cyber defense capability within many leading organizations. Innovative and leading commercial organizations are now building increased security monitoring and security analytics capabilities to sit alongside effective threat intelligence and critical incident management capabilities. Their goal is to predict, to limit and to manage the inevitable attacks they will face.
INCREASED MONITORING LEADS TO BIG DATA
Cyber security analytics is rapidly becoming a Big Data application for one simple reason: large organizations are collecting, processing and analyzing more and more data in order to effectively address the new cyber threat landscape.
The promise of Security Information & Event Management (SIEM) technologies was to deliver advanced analytics capabilities. The reality is that SIEM products weren't designed for Big Data analytics and generally cannot meet the rapidly evolving needs that leading commercial organizations now demand.
SIEM does provide a good foundation for security monitoring, in providing a near real-time signature- or rules-based detection capability to look for known threats. SIEM is also great for compliance and reporting. However, SIEM does not scale to detect unknown threats across all the available data. Data often has to be pre-filtered before being loaded into a SIEM, which effectively presupposes where the risk lies. SIEM cannot do the advanced security analytics that are required today.
It is likely that the SIEM platforms and the current range of Big Data cyber security analytics platforms will move towards convergence over the next five years. However, this is new ground for both groups of vendors and, for now, separate products remain necessary to achieve the full potential benefits of each.
BEHAVIORAL ANALYTICS FOR DETECTION
Behavioral analytics understands past human behavior, predicts future behavior and identifies anomalous behavior. Behavioral analytics has been used extensively in fraud detection and prevention because different individuals naturally display different behaviors, and legitimate behavior is practically always different from that exhibited by a fraudster.
Behavioral analytics takes advantage of this fact. Rather than just looking for specific indicators, behavioral analytics combines knowledge with monitoring to determine whether behavior is expected and legitimate, or suspicious.
Behavioral analytics is a Big Data challenge not only because of the volumes of data involved, but also because of the need to bring a wide variety of data sources and formats together to create a full picture. Cyber security analytics is increasingly adopting behavioral analytics from the fraud detection field, in order to address the reality that traditional security solutions have proven ineffective against the incredible variety and volume of digital criminality, such as cyber espionage, cyber crime, hacktivism and the insider threat. This emerging convergence of cyber and fraud threat detection means that the benefits realized from behavioral analytics in combating both will increasingly drive even greater operational efficiencies and investment decisions.
Behavioral analytics is proving to be more robust, enduring and effective than traditional signature- and rules-based analytics. Figure 1 demonstrates the contrast between the two. In short, an organization using behavioral analytics will find anomalies that other point solutions and systems cannot.
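To make that contrast concrete, here is an added example that is not part of the Vega article: a rules-based check of the kind a SIEM holds (it fires only on a known indicator) beside a per-user behavioral baseline, both run over constructed outbound-traffic events. The user names, hosts, the known-bad address and the 3-sigma threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data): (day, user, source host, bytes out).
EVENTS = (
    [(d, "alice", "ws-01", b) for d, b in enumerate([100, 120, 90, 110, 105, 5000], 1)]
    + [(d, "bob", "ws-02", b) for d, b in enumerate([3000, 3200, 2900, 3100, 3000], 1)]
    + [(6, "bob", "10.9.9.9", 3100)]
    + [(d, "carol", "ws-03", b) for d, b in enumerate([200, 210, 190, 205, 195, 202], 1)]
)
KNOWN_BAD_HOSTS = {"10.9.9.9"}  # constructed indicator, the kind a SIEM rule matches on
TRAIN_DAYS = range(1, 6)        # days 1-5 build the baseline; day 6 is evaluated


def signature_detect(events):
    """Rules-based detection: fires only on indicators that are already known."""
    return [(d, u, src) for d, u, src, _ in events if src in KNOWN_BAD_HOSTS]


def build_baseline(events):
    """Per-user profile: mean and stdev of daily bytes, plus the hosts seen."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    hosts = defaultdict(set)
    for d, u, src, b in events:
        if d in TRAIN_DAYS:
            daily[u][d] += b
            hosts[u].add(src)
    profile = {}
    for u, per_day in daily.items():
        vals = list(per_day.values())
        # Floor the stdev so a near-constant history does not flag trivial changes
        profile[u] = (mean(vals), max(pstdev(vals), 0.05 * mean(vals)), hosts[u])
    return profile


def behavioral_detect(events, profile, z_limit=3.0):
    """Flag departures from each user's own history; no prior indicator needed."""
    daily, alerts = defaultdict(int), []
    for d, u, src, b in events:
        if d in TRAIN_DAYS or u not in profile:
            continue
        daily[(u, d)] += b
        if src not in profile[u][2]:
            alerts.append((d, u, f"new source host {src}"))
    for (u, d), total in daily.items():
        m, s, _ = profile[u]
        z = (total - m) / s
        if z > z_limit:
            alerts.append((d, u, f"bytes z-score {z:.1f}"))
    return sorted(alerts)
```

The signature rule sees only bob's contact with the listed host; alice's day-6 volume, sent from her usual workstation, is invisible to it but stands far outside her own baseline, while bob's much larger everyday volume is not flagged because the baseline is per user.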
A BIG DATA PLATFORM FOR INVESTIGATION
The operational cost of the technology and people required to effectively detect, triage and investigate security incidents is too high. Limits on data collection, non-interoperable tooling and subsequent data mining mean that, once suspicious indicators have been identified, it can take weeks for a cyber-investigator to collect and analyze the data from across a large enterprise that is required to identify the appropriate response.
Big Data platforms can enable faster query times and a more seamless approach for security analysts retrieving and analyzing data across multiple sources and formats.
In most cases a Big Data cyber security solution will comprise three core components:
- Platform - Massively scalable technology platform that correlates data acquired from across the IT infrastructure
- Analytics - Behavior-based threat detection using unique attack models
- Investigator - Powerful threat intelligence management and investigation toolset providing visualizations, rich contextualization and correlation of threats, indicators, events and alerts
SUMMARY
As a result of the rapidly changing and expanding cyber threat landscape, many organizations have increased their security monitoring capabilities, both in terms of the volume and the variety of data. As such, cyber security analysis is now becoming a Big Data problem for both the detection and the investigation of incidents.