Sometimes, it seems that talk of "big data", "security analytics", and "big data security analytics" can dominate discourse within the information security profession. This tends to produce a confusing and somewhat overwhelming environment for the enterprise buyer, where all of the words and ideas can begin to blend together. Since I spent over a decade on the enterprise/operational side before moving to the vendor side, I can sympathize with the confusion this can bring to the enterprise audience. Leaders in the enterprise have many responsibilities, and it is difficult for them to keep track of the large number of vendors and what each vendor's specialty is.
Many enterprises see the need and share a desire to be doing "big data" and "security analytics", and thus it's not particularly surprising that many vendors are offering "big data" and "security analytics" solutions.
But what does it actually mean to do "big data" and "security analytics"? I think it's helpful to take a step back and think a level deeper about this in order to better understand it.
At a high level, "big data" and "security analytics" are about two very different, but equally important, concepts: collection and analysis. Allow me to explain. Before it is possible to run analytics, one needs the right data upon which to run those analytics. Before "big data" emerged as a buzzword, this was called "collection" or "instrumentation of the network and endpoint". Further, in order to run analytics, one also needs a high-performance platform upon which to issue the precise, targeted, incisive queries required by analytics. Before "security analytics" emerged as a buzzword, this was sometimes called analysis or forensics, among other terms.
Collection and analysis, at enterprise speeds, are both equally important. If you think about it, you can't really have one without the other. Or, to put it another way, what good does the greatest collection capability provide without a way to analyze that data in a timely and accurate manner? Similarly, what good does the greatest analytical capability provide without the underlying data to support it?
In addition to being the elements of big data, collection and analysis form the cornerstone of a strong security program. Collection and analysis provide an organization with the visibility required to practice Continuous Security Monitoring (CSM). Although a detailed discussion of CSM is beyond the scope of this post, the topic has been discussed at length by NIST, SANS, Gartner, and others. The goal of CSM is to allow an organization to move rapidly from Detection to Analysis and on to Containment and Remediation. In other words, CSM facilitates and enables the incident response process and life cycle. An organization's ultimate goal, when prevention efforts fail, is to detect and respond to intrusions before they cause damage to the organization.
Continuous Security Monitoring involves many details. Here are some high-level guidelines on the strategic steps organizations can take in the area of CSM to improve their information security posture:
- Identification of business risks and concerns to be addressed through Continuous Security Monitoring
- Creation of goals and priorities based on business risks and concerns
- Identification of the least number of data sources of highest value that provide the required visibility across the enterprise
- Collection of relevant data sources
- Exposure of the collected data with sufficient performance to facilitate Detection, Analysis, Containment, and Remediation
- Development of content and logic leveraging the collected data to supply the work queue with high fidelity alerting
- Development of process for investigation and response
While it is tempting to collect all of the available data within the enterprise, this actually works against the interests of the security organization. It is prudent to ensure that the minimal data that provides sufficient context and coverage is collected, but not more than that. Collecting more data than required creates two issues:
- Analytical (query) performance degrades rapidly, making timely incident response nearly impossible
- Retention periods shorten, producing historical blind spots that impede response to long-present intrusions
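As an added illustration, not from the original post, of the "least number of data sources of highest value" step and the retention trade-off just described: a small Python model with a constructed catalogue of data sources (names, daily volumes and the visibility goals each covers are all made up) that greedily picks a minimal covering set and compares how long a fixed storage budget retains that set versus collecting everything.

```python
"""Model the collection-vs-retention trade-off: pick the fewest, highest-value
sources that still cover every visibility goal, then compare retention."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DataSource:
    name: str
    gb_per_day: float
    covers: frozenset[str]  # visibility goals this source satisfies


# Constructed sample catalogue: illustrative numbers, not measurements.
SOURCES = [
    DataSource("dns_logs", 20.0, frozenset({"c2_beaconing", "dga"})),
    DataSource("proxy_logs", 60.0, frozenset({"c2_beaconing", "exfil", "phish_click"})),
    DataSource("edr_process", 40.0, frozenset({"lateral_movement", "persistence", "phish_click"})),
    DataSource("auth_logs", 5.0, frozenset({"lateral_movement", "cred_abuse"})),
    DataSource("full_pcap", 900.0, frozenset({"c2_beaconing", "exfil", "dga"})),
    DataSource("netflow", 30.0, frozenset({"exfil", "lateral_movement"})),
]

# Constructed set of visibility goals the program must cover.
GOALS = {"c2_beaconing", "dga", "exfil", "phish_click",
         "lateral_movement", "persistence", "cred_abuse"}


def select_sources(sources, goals):
    """Greedy set cover: repeatedly take the source that covers the most
    still-uncovered goals per GB/day. Returns the chosen sources in order
    and raises ValueError if some goal cannot be covered by any source."""
    uncovered = set(goals)
    chosen = []
    while uncovered:
        best = max(sources, key=lambda s: len(s.covers & uncovered) / s.gb_per_day)
        gain = best.covers & uncovered
        if not gain:
            raise ValueError(f"no source covers: {sorted(uncovered)}")
        chosen.append(best)
        uncovered -= gain
    return chosen


def retention_days(sources, storage_gb):
    """Days of history a fixed storage budget holds for the given sources."""
    daily = sum(s.gb_per_day for s in sources)
    return storage_gb / daily if daily else float("inf")


if __name__ == "__main__":
    budget = 30_000.0  # GB of retained storage, constructed
    minimal = select_sources(SOURCES, GOALS)
    print([s.name for s in minimal])
    print(f"minimal set: {retention_days(minimal, budget):.0f} days")
    print(f"everything : {retention_days(SOURCES, budget):.0f} days")
```

With these constructed numbers the minimal set keeps roughly ten times the history of "collect everything" under the same budget, which is the blind-spot effect the second bullet describes.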
Big data is an interesting topic with the potential to be an incident response enabler. It's important to remember that big data involves two equally important but somewhat diametrically opposed interests – collection and analysis. Both aspects are important, but they have a tendency to work against each other if left unchecked. It's important to remember the ultimate goal of collection and analysis, which is the enablement of timely incident response. It is in this spirit that we aim to gain the most information from the smallest subset of data. All the data in the world does you no good if you cannot leverage it in a timely manner when you need it most. In incident response, less is more.