What You Need to Know About Security Intelligence with Big Data

2013-08-20 10:27:16

 Amplifying security intelligence with big data

Leading security intelligence solutions today rely upon a set of structured and semi-structured data sources, including logs, network traffic and others, to provide the Security Operations Center with an on-going real-time view of their organization’s security posture.  The metrics employed to evaluate solutions include the scale and speed of data that can be processed in real-time, pruning the large set of raw data to a limited set of significant security incidents requiring the attention of the organization.


While security intelligence solutions do enable security analysts to explore the data and identify emerging threats or pinpoint new risk exposures, the focus is on employing an existing portfolio of threat and risk identifiers to enable real-time analysis for detection.  While this approach is effective for monitoring and maintaining the cyber defenses of an organization as well as improving the response time to handle incidents, a new set of challenges are surfacing which requires security intelligence to be amplified with big data analytics.


Proactively mitigating risk and identifying threats


As the organizational perimeter blurs due to rapid market adoption of cloud and mobile technologies as well as consumer engagement in social networks, an organization cannot solely focus on defense. Rather the organization has to be more proactive in mitigating risk and identifying threats.


Attackers are also employing more sophisticated targeted attack techniques such as social engineering, and spear-phishing.  The attack methodologies are also adapting to current defensive approaches – attempting to either hide malicious activities among large amounts of innocuous activity or disguise the intent by appearing to be innocuous activity.  Even current tumultuous economic and social conditions are further motivating new types of malicious behaviors.


The need for big data and big data analytics


Evolving security intelligence to meet the needs of the new security challenges requires big data and big data analytics.


Firstly, an organization needs to keep its traditional security data for longer periods of time to perform analysis on the data.  Historical analysis has the potential of unearthing longer running attack methods and identifies relapses in security over time.


Secondly, data sources not traditionally employed for security can help an organization better qualify what assets and entities need to be protected and/or observed.  For example, identifying users who most often work with sensitive data, and systems that are critical to core business processes.  Data sources such as email, social media content, corporate documents, and web content may help add additional context to traditional security data but are predominantly unstructured data.


Next, a variety of analytics can be performed to reveal security insights from these larger data sets and will require more processing time.  This analysis will need to be done asynchronously to the real-time analysis that traditional security intelligence specializes in.  However, once the analysis is complete, the insights have to be fed back to the real-time component to make the overall solution more effective over time.


Finally, a renewed emphasis needs to be placed on investigative analysis that can initially be categorized as ad hoc before it is codified.  Given the specificity of an organization and its business ecosystem this will be crucial for the security intelligence solution gain contextual awareness necessary for thwarting targeted attacks.


Six categories of use cases


Security Intelligence with Big Data solution will empower an organization to address the needs of a changing security landscape.  The following are categories of use cases where it can prove at least beneficial if not essential:


1. Establish a Baseline


Organization gains an understanding of its ecosystem, what needs to be defended or observed as well as formulating a risk profile enabling it to detect abnormalities.

Common Use Case Questions:

Who are the attractive targets within my enterprise?

Which applications and what data do we need to defend due to their sensitivity?

What is the normal behavior profile for users, assets, and applications?

2. Recognize Advanced Persistent Threats:

Organization gains awareness of a motivated or incentivized attacker who attempts to hide or disguise the attack as innocuous interactions, potentially over a long period of time (months, years).

Common Use Case Questions:

Which assets within my organization are already compromised or are vulnerable?

Which external domains may be the source of attacks?

Are there any low profile network traffic elements that might signal an ongoing or imminent attack?


3. Qualify Insider Threats

Organization gains evidence or is warned of users within the organization’s network who may be inclined to steal intellectual property, compromise enterprise systems or perform other actions that are detrimental to the organization’s operations.

Common Use Case Questions:

What data is being leaked or lost and by whom?

Who internally has the motivation and skills to compromise the cyber operations of the company?

Who is exhibiting abnormal usage behavior?

4. Predict Hacktivism

Organization is alerted to attack from groups or entities that sympathize with causes that are contrary to the business interests of an enterprise.

Common Use Case Questions:

Which controversial issues may trigger a negative sentiment about the organization triggering an increased risk of attack?

How to identify and monitor intentions of entities antagonistic to the organization’s business practices?

How does publicity of the company in the media impact risk?

5. Counter Cyber Attacks

Organization is informed of an impending or on-going attack by criminal enterprises or government funded or government sponsored groups.

Common Use Case Questions:

What is the origin of an attack?

Which hacking tools may be used and who is gaining access to them?

Are their symptoms of an attack underway or being planned manifesting themselves as support issues?


6. Mitigate Fraud

Organization is appraised of new or existing fraud methods that may compromise its compliance with regulations or cause significant losses to its financial operations.

Common Use Case Questions:

How can the organization identify a fraudulent activity?

Which users have compromised identities that may lead to fraudulent activity?

Can well known fraud attempts have patterns can either be detected or even anticipated?

Now its time to get your thoughts on the topic!


Is your organization looking to answer security questions similar to the ones above? Are there questions you want to ask of your data for security purposes that are omitted above? Also, welcome your thoughts on the intersection of security intelligence with business intelligence.