Information security is a big data issue
Companies have long moved from the Fort Knox approach to IT security, realising that simply placing big walls around critical data can never be enough to fully protect the network. The challenge has become one of intelligence - monitoring and analysing all the activity taking place across every element of the IT infrastructure to identify threats.
But as a result, businesses are generating terabytes of security-related data every day, placing a huge analysis and reporting burden on hard-pressed information security teams. This is exacerbated by increasing demands by regulators, compliance teams and auditors for proof that security controls are working.
First-generation technologies have been overwhelmed by the sheer volume.
in itself.
Take financial services giant Barclays, for example.
The bank generates 44 billion security events per month - a figure set to reach 65 billion by the end of the year, according to Stephen Gailey, former group head of security services for Barclays.
The company has long since gone beyond the capabilities of its conventional tools, Gailey told a gathering of IT security leaders at Computer Weekly’s event.
“We ended up deploying a SIEM, and for a while it was a great solution. It brought in data from all our disparate sources and allowed me to build a security operations team and feed events to them. They were able to react in real time,” he said.
But as people wanted to ask more analytical questions of the SIEM data, and as new technologies were added to the network, such as domain controllers and proxy servers, the data collected became less useful.
“Suddenly all this data became no good to me, I was just storing it. So we threw out the SIEM and about three years ago implemented a big data solution,” he said.
“That SIEM had ceased to be able to cope at about 500 million events per day. It was a struggle to bring in new data sources because I had to go back to the SIEM vendor every time, and we couldn’t query the retained data.”
As a result, Gailey implemented software from a new supplier - a decision that proved so successful that, two months ago, he left Barclays and went to work as a product evangelist for the supplier.
Regulatory compliance
Barclays realised that using Splunk to analyse data in real time meant it no longer needed SIEM.
“We could bring in new data sources that we couldn’t use with SIEM. If you’re in a regulated environment you can’t throw a lot of this data away,” said Gailey.
The bank has to prove that all its controls are effective - the investment banking division alone has 176 separate regulators it has to satisfy worldwide.
One of the fraud-related regulations recommends that traders take a mandatory two-week holiday every year during which they are not allowed to log in to any systems, to prevent them hiding any fraudulent activity that may be revealed in their absence.
For example, when a rogue trader caused EUR4.9bn of losses at French bank Société Générale, he never took a holiday because he always had to keep hiding his fraudulent trading.
Barclays’ compliance teams need to prove traders are not logging in during such periods. The firm did not have a holiday booking system to check against, so Gailey used Splunk to analyse log-in data to identify in real time all people who did not log in for a two-week period, which could be cross-checked against relevant staff.
Considering that some traders would have to log in to potentially dozens of different systems, generating huge amounts of security events, Gailey said such a task would not have been possible using the old tools.
“We were able to answer that question in real time, something we would never have been able to do before,” he said.
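The mandatory-leave check described above, as an added example that is not code from the article or from Barclays: login events from several systems are merged per user, each user's longest run of days without any login in the review window is measured, and anyone with a gap of 14 days or more is listed for cross-checking against leave records. The sample events and the 14-day threshold are constructed for illustration; a second function does the inverse check, listing logins that fall inside a booked leave period.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample login events (system,user,ISO timestamp) from several
# systems; a real run would pull these from the log platform for all systems.
SAMPLE_EVENTS = """\
trading-gw,alice,2013-03-01T08:02:00
email,alice,2013-03-01T09:00:00
email,alice,2013-03-04T09:15:00
trading-gw,alice,2013-03-20T08:10:00
risk-db,alice,2013-03-27T14:00:00
trading-gw,bob,2013-03-01T07:55:00
trading-gw,bob,2013-03-07T07:58:00
email,bob,2013-03-14T10:00:00
trading-gw,bob,2013-03-21T08:01:00
email,bob,2013-03-28T08:30:00
risk-db,carol,2013-03-06T11:30:00
risk-db,carol,2013-03-13T11:30:00
email,carol,2013-03-20T08:45:00
email,carol,2013-03-27T08:45:00
"""

def parse_events(text):
    """Merge logins from every system into {user: sorted list of login dates}."""
    days = defaultdict(set)
    for line in text.strip().splitlines():
        _system, user, ts = line.split(",")
        days[user].add(date.fromisoformat(ts[:10]))
    return {u: sorted(d) for u, d in days.items()}

def longest_gap_days(login_dates, start, end):
    """Longest run of days with no login inside [start, end]; a user with no
    logins at all in the window scores the whole window length."""
    inside = [d for d in login_dates if start <= d <= end]
    points = [start - timedelta(days=1)] + inside + [end + timedelta(days=1)]
    return max((b - a).days - 1 for a, b in zip(points, points[1:]))

def users_with_two_week_absence(text, start_iso, end_iso, min_days=14):
    """Users who went at least min_days without logging in anywhere during the
    window; the list is then cross-checked against who was booked on leave."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return sorted(u for u, ds in parse_events(text).items()
                  if longest_gap_days(ds, start, end) >= min_days)

def logins_during_leave(text, user, leave_start_iso, leave_end_iso):
    """Dates on which `user` logged in during a booked leave period (should be none)."""
    start, end = date.fromisoformat(leave_start_iso), date.fromisoformat(leave_end_iso)
    return [d.isoformat() for d in parse_events(text).get(user, []) if start <= d <= end]

if __name__ == "__main__":
    print(users_with_two_week_absence(SAMPLE_EVENTS, "2013-03-01", "2013-03-31"))
    print(logins_during_leave(SAMPLE_EVENTS, "bob", "2013-03-11", "2013-03-24"))
```

In the sample, alice is the only user with a fortnight of silence, while bob shows two logins inside his assumed leave period.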
Another system used at Barclays was FireEye. Combining FireEye outputs with Splunk allowed Gailey’s team to highlight a number of previously unknown problems without having to purchase large numbers of FireEye devices.
“Apart from the obvious security challenge, Barclays used big data to help with compliance, audit and regulation. Information security teams are being asked to do a lot more than they ever have - it’s not just about configuring firewalls and so on, it’s about ticking all the compliance boxes. Getting compliance right is a big thing in a regulated environment. We have moved into a world where it’s not enough to have security controls, you have to demonstrate they are ubiquitous and they work,” said Gailey.
“ because the data that has a security context is huge. It’s not just a collection of security tools producing data, it’s your whole organisation. If you’re going to ignore some of that data, or if you can’t analyse it, then you are not doing security properly. Every little thing you miss or ignore might make the difference to your company.”
Breach detection
Singh told guests that security event analytics is a vital tool in improving detection of breaches.
“The point is to understand what is normal, to know what is not,” he said.
Research suggests most security breaches are detected by third parties, not by the affected company itself - yet in 84% of breaches system logs were available to discover if a breach was taking place, said Singh.
“A lot of [IT security] is still check-box driven. It is reactive,” he said.
“For true visibility you need advanced analytics. You need the skills and the people who can give you that.”
A key task is to define what is normal for your organisation, Singh said. This covers many areas, such as user identity management, asset classification, threat intelligence, as well as information to give context to security events.
“What comes out of this are reports, alerts and intelligence about what is happening in your organisation, which helps to define normal,” he said.
“You can then identify users that are behaving outside of the norm. If they are identified early on their access can be disabled and potentially a breach stopped.”
But Jitender Arora, senior programme manager of security and risk at GE Capital Europe, warns against allowing the buzzword and hype around big data to take the focus away from the core principles of risk management.
“Data is just data. It doesn’t tell me anything,” he said.
“What I’m interested in is analysing data to come up with meaningful information that can tell me how to improve the situation. If data is not in the right business context, it can be completely irrelevant.”
Arora said the huge volume of security data, combined with new big data tools such as Hadoop, can lead to a loss of discipline over managing that data because people assume they can store it all and then make use of it later.
“People think that having more and more logs give us more insight. I don’t believe that’s the right concept. It’s not about big data, it’s about relevant data,” he said.
“Big data is just sold as the next big thing. Every time we get a new buzzword, people think it is going to come along and solve all their problems. Unfortunately, I don’t think so.”
Context is everything
Arora cited the example of Hurricane Sandy, which wreaked havoc along parts of the north-east US coast last year. Some 20 million tweets were written on Twitter about the disaster, peaking before and after the passing of the hurricane.
But subsequent analysis showed that the majority of tweets originated in Manhattan, which was not threatened by the storm. Very few of the tweets actually came from the affected areas.
“If an emergency response team was using that data to help plan their activity, they would have got it wrong - they missed the context,” said Arora.
“Not every type of data will give you all the insights you need. The future is about having the right data analytics capability.”
Another myth is that big data will make companies more proactive in managing security, said Arora. Prioritising data analysis based on business need is more important, he said: “All it can do is make us react much faster. Analysts can generate reports faster and understand events faster, as well as help in forensic examinations. If you think that by implementing big data it will make you proactive, it’s not going to happen. It’s not about big, but about relevant data.”
But Gailey concluded that a big data approach will help companies to gain a better understanding of the scale of modern information security challenges.
“I don’t think anybody is estimating the real scale. Organisations either don’t know or are very bad at estimating,” he said.
“Is security a big data problem? It is, because there is a big amount of data out there with security in it that you need to analyse.”
Surveillance is the Business Model of the Internet: Bruce Schneier
April 09, 2014
BOSTON - SOURCE CONFERENCE - Data is a natural consequence of computing, and as search tools get better, it shifts the balance of power towards mass collection and surveillance, renowned security expert Bruce Schneier said at the conference on Wednesday.
“Surveillance is the business model of the Internet,” Schneier told attendees. “We build systems that spy on people in exchange for services. Corporations call it marketing."
The data economy - the growth of mass data collection and tracking - is changing how power is perceived, Schneier said in his keynote speech. The Internet and technology have changed the impact a group can have on others: dissidents can use the Internet to amplify their voices and extend their reach. Governments already have a lot of power to begin with, so when they take advantage of technology, their power is magnified, he said.
“That's how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens,” Schneier said.
Over the past few years, it has become easier and cheaper to store data and search for the necessary item than to sort and delete. Email is a very good example of this shift in behavior. This change, spurred by the popularity of mobile devices and the push to move more data and services to the cloud, has also made it easier to track user behavior. When corporations track users for marketing purposes, it seems benign, but the same actions come across as sinister when the government does it.
Data is a by-product of the information society and socialization, Schneier told attendees. It has become easier to do things online, and the very act of doing something using technology results in data. For example, he described how an IM conversation was data--for its content, but also by virtue of the fact that it happened. Details about when it happened, who the conversation was with, the geographic locations of the participants, and other such information is part of the conversation's metadata.
“Metadata is us,” Schneier said, noting that the government's claim that it collects “only” metadata downplays just how much insight can be gleaned from that information.
Metadata is far easier to store, search, and analyze than actual content, and actually has far more value to an intelligence agency, Schneier said. Law enforcement tracking a terror network doesn't necessarily need the actual conversations, but rather information about who is talking to whom. “Metadata is fundamentally surveillance data,” he said.
Data is currency, and consumers are willing to hand over their information in exchange for “free or convenience,” Schneier said. Companies such as Facebook and Google want the data so that they can sell more stuff. Users hand it over to play games, to get email, or some other benefit. “I like to think of this as a feudal model. At a most fundamental model, we are tenant farming for companies like Google. We are on their land producing data,” he said.
By handing the data over, users have an expectation of trust that Google, Facebook, and other data brokers will do the right thing with the personal data. However, this becomes a power play when governments get involved. Governments don't need to collect the data themselves when corporations are already doing it.
“The NSA woke up and said ‘Corporations are spying on the Internet, let’s get ourselves a copy,’” Schneier said. Most NSA surveillance “piggybacks” what the companies are already doing, he said.
The government didn't tell anyone they have to carry around a tracking device, but people now carry mobile devices. The government doesn't require users to notify any agency about their relationships. Users will tell Facebook soon enough, Schneier noted. “Fundamentally, we have reached the golden age of surveillance because we are all being surveilled ubiquitously.”
Lowering the cost of technical surveillance also transforms the act of surveillance itself, Schneier said. It's no longer just “follow the car,” but rather, “tell me everywhere the car has been for the past month,” Schneier noted. Surveilling a car in the past may have required five people, but technology means agents can track 3,000 cars without using any additional agents. Technology has changed the extent of what surveillance can do, and that can be worrisome.
When the government has power, there has to be a way to ensure responsibility, Schneier said.
The Industrial Revolution in the 19th Century largely ignored consequences for widespread adoption and rapid innovation such as pollution. Fast forward to the present day, and privacy and security are being ignored in a similar fashion in favor of rapid online innovation in the digital age, Schneier said.
“I think this is the issue by which we will be judged when our grandchildren read the history of the early days of the Internet,” Schneier said.
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.