However, by leveraging these same trends and viewing them from a big data picture, organizations can extract tremendous value with a greater chance of detecting and responding to otherwise undetected security incidents.
We will never get to 100 percent attack prevention -- so it comes down to how well we prepare ourselves for the next attack and how well we work through the process of identifying, blocking, and remediating, while cooperating with the audit, forensic, and legal teams that are waiting in the wings for their cue to join in on the action.
While IT security is often viewed as insurance or as a cost center for the business, ultimately it is about getting the best ROI out of the security program put in place. In terms of big data, it is about extracting value from the data we have available, security specific and otherwise.
A plan that incorporates big data into the security process enables the IT security organization to not only protect the organization from compromise, but also to potentially contribute to the bottom line of the business. If IT can bring new business services online by reducing the risk level to an acceptable amount via its use of big data, this could equate to additional revenue that would otherwise have been unattainable.
To reach this state, the big data and the analysis tool sets need to make it into the hands of the individuals throughout the organization who can make good use of this data.
Bring visibility to the business context: Pretty much everyone recognizes that individual events analyzed separately and on their own oftentimes produces little value from a security perspective. Take, for example, a log entry capturing the creation of an administrative account. This, on its own, seems pretty innocuous. However, tie that same event to other events that show the account creation taking place on a HIPAA-regulated clinical trial database server via a remote system connection, and things get a little more interesting.
Enable advanced threat detection: Advanced attacks will use many techniques to find their way into an organization. They will then leverage as much data as possible to travel the network and make their way onto vulnerable, soon-to-be backdoors with the ultimate goal of gaining access to the treasure-laden business systems. Once in, the attackers will take extreme measures to remain undetected.
It's less about getting in and getting out with as much as possible in the shortest amount of time as it's about getting in, taking the time to learn as much as possible about the environment in order to remain permanently attached to the infrastructure. To meet this goal, cyber criminals may employ a series of seemingly-disconnected “micro-attacks”, running slow and low over a period of months, or even years. Simply looking at only yesterday's data, or even last month's data, will leave these threats undetected.
Search for suspicious activity: Generally speaking, it has become relatively easy to identify the known threat. Typically, we know what its name is, what it looks like, and how it operates. Sure, there will always be variants, but ultimately those can be easily detected before widespread damage occurs.
The really hard stuff is finding the unknown attack that does everything in its power to remain undetected. This is the attack that didn't find its way in to the organization through a traditional, known, or well-monitored channel. This attack doesn't use known methods to propagate, take control of systems and extract data. This attack doesn't look like, nor act like, anything else previously seen on the network.
To find these types of attacks, organizations need streams of data from all relevant IT systems, including internal systems and cloud-based or hosted systems, security-related or otherwise.
This is especially true if an organization is to identify an inside job where the fraudsters and partners know as much about the infrastructure and security mechanisms as the IT security team itself does. Organizations also need tools that allow them to search and traverse the big data that has been collected, looking for anomalies among similar data sets, breaks or abnormalities in trends, suspicious network or system activity; questionable user events; and inappropriately-set policies, just to mention a few. One can't chart a path for this, as the map has yet to be drawn. Proceed with instinct, common sense, and a bit of gathered intelligence.
Gain enhanced response intelligence: Common sense leads most to respond to an incident by immediately blocking the malicious activity, disconnecting the device(s) from the network, and heading straight to the remediation and cleanup process. This could prove to be a horrible mistake, however, if one of the following occurs:
- The system is in the middle of performing a critical business function that will cost the organization thousands of dollars by being disconnected from the network or taken offline. Context is key here. It might be better to simply prevent the attack from spreading, let the system perform its function, and then remediate once the job has been completed.
- The forensics team and/or law enforcement are unable to find the root cause and identify the source of the attack because not enough relevant data was collected. Response intelligence is key here. More historical data may be necessary, and ongoing monitoring and data collection may be required to truly understand how, when, and where to react when it comes to internal investigations and law enforcement purposes.
- The incident may result in some form of legal activity where evidence must be submitted. Forensically sound evidence collection is key here. The right amount of data from the right period of time is necessary to set the stage for the activity, prove that the activity took place at these times on these systems by these users, and show the steps taken by the IT security staff as they responded to the incident. Too little evidence or tampered evidence is not really evidence, it's just data. Proof that the data remains intact is critical.
All said and done, with the big data storage capabilities and big data search-and-analysis tools available on the market today, it is extremely feasible for organizations to gain massive security insight from big data. Make no mistake about it, big data is a big deal, and the IT security teams must look at this as not a tedious chore, but rather as an opportunity to bring added value to the business.
Sean Martin is a CISSP and the founder of imsmartin consulting. Email him at firstname.lastname@example.org.