Most enterprises have enough security technology in place to protect their businesses. They also have plenty of data from SIEMs, logs and other devices that tell them what's going on in their environments. What they need now is an automated method to make use of the vast amounts of event data.
I recently had the opportunity to talk to John Pescatore, the director of emerging security trends at the SANS Institute. Prior to joining SANS, he was the lead security analyst at Gartner for 13 years. In all, Pescatore has a 35-year career in the IT security space.
A guy like Pescatore has seen and done a lot in his career, so I was interested to talk to him about where the security industry is headed and what "the next big thing" will be. According to Pescatore, we should all get ready for security analytics.
At the RSA conference this past February "big data" was being hyped as the solution to problems such as advanced persistent threats (APTs). Harking back to his Gartner days, Pescatore says that big data is still in the hype phase: Everyone's talking about it but few people have figured out how to harness it to really improve IT security.
It's not for lack of event data. Security information and event management (SIEM) technology has been collecting lots of information from practically every kind of device on our networks. SIEMs are good at producing reports but they haven't excelled at helping us deal with new kinds of threats and telling us how to use our existing security controls more effectively to protect the business.
Pescatore says that security analytics falls into that space between the tons of information collected by the SIEMs and the mantra that "big data solves everything." In other words, how do we take the patterns of security issues or vulnerabilities and tell the existing security tools -- the firewalls, intrusion prevention systems, etc. -- what types of things to look for that are indicative of security threats that are out there? And, how do we implement the policies for those devices to take action to protect the business? Pescatore describes security analytics in three parts.
"Security analytics is that piece where, if we have smart analysts, they could pore over this data. If we have thousands of them, then they'd be looking for indicators of compromise, or they'd look for the ways that attackers start to do things that later lead to threats," says Pescatore. "We need to capture that knowledge in some automated way to feed the various tools that can plow through large amounts of data really quickly and that can pull events from servers and firewalls and IPS really quickly."
"The second part of analytics is that it has to feed the security controls in a timely fashion to help protect the business," he continues. "We need specific recommendations of what to do when we are vulnerable to an attack and that attack has started. Things like implementing a specific rule on the intrusion prevention system, turning on denial of service prevention, closing ports on a firewall, blocking access to certain apps, and so on."
Pescatore says the third piece of security analytics is to take the "lessons learned" part or the corrective action part and ask, "How did we get into this vulnerable state, what's causing this?" It could be this piece of buggy software or attacks coming from countries that we never do business with.
"Tying those three things together -- the security expertise, the ability to push settings out to the security controls, and the ability to learn from it and not get into the same problem -- is what I call security analytics," says Pescatore.
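The three-part loop Pescatore describes, as an added example that is not part of the original article: analyst knowledge encoded as indicator rules run over events (part 1), findings turned into specific settings for the existing firewall and IPS (part 2), and a tally of root causes for the lessons-learned step (part 3). The events, the business-country list and the buggy-software list are constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample events (not real data), as a SIEM might normalize them
# from a firewall, an IPS and a server log.
EVENTS = [
    {"source": "firewall", "host": "web01", "dst_port": 3389, "src_country": "XX", "action": "allow"},
    {"source": "firewall", "host": "web01", "dst_port": 3389, "src_country": "XX", "action": "allow"},
    {"source": "firewall", "host": "web01", "dst_port": 443, "src_country": "US", "action": "allow"},
    {"source": "ips", "host": "ftp02", "signature": "ftpd-cmd-overflow", "app": "legacyftpd 1.2", "action": "alert"},
    {"source": "server", "host": "ftp02", "msg": "child process crashed", "app": "legacyftpd 1.2"},
]
# Assumptions standing in for analyst knowledge: where the business operates
# and which software versions are known to be buggy.
BUSINESS_COUNTRIES = {"US", "CA"}
BUGGY_SOFTWARE = {"legacyftpd 1.2"}

def analyze(events):
    """Part 1: encoded analyst knowledge run over the event stream.
    Returns findings keyed by (indicator, host) with the triggering events."""
    findings = {}
    for e in events:
        if e["source"] == "firewall" and e["action"] == "allow" and e["src_country"] not in BUSINESS_COUNTRIES:
            findings.setdefault(("foreign_access", e["host"]), []).append(e)
        if e.get("app") in BUGGY_SOFTWARE and e["source"] in ("ips", "server"):
            findings.setdefault(("buggy_software_attacked", e["host"]), []).append(e)
    return findings

def recommend(findings):
    """Part 2: turn findings into specific settings for the existing controls."""
    actions = set()
    for (indicator, host), evs in findings.items():
        if indicator == "foreign_access":
            for e in evs:
                actions.add(f"firewall: close port {e['dst_port']} on {host} to {e['src_country']}")
        elif indicator == "buggy_software_attacked":
            for sig in {e["signature"] for e in evs if "signature" in e}:
                actions.add(f"ips: set signature {sig} to block for {host}")
    return sorted(actions)

def lessons_learned(findings):
    """Part 3: count how we got into the vulnerable state, per root cause."""
    causes = Counter()
    for (indicator, _host), _evs in findings.items():
        if indicator == "foreign_access":
            causes["exposed service reachable from non-business country"] += 1
        else:
            causes["known-buggy software still deployed"] += 1
    return dict(causes)
```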
The SIEM vendors are heading in this direction, but today it still takes a security analyst with multiple tools at hand to do all these things. Pescatore predicts that managed service providers will be the first ones to introduce true security analytics. "Because MSPs work with hundreds of customers, they have lots of security threat data coming in, and they have lots of logs and firewall and IPS events coming in. They've built up these security analytics big data and reporting tools and then they deliver this as a service to their customers," Pescatore says. He believes that off-the-shelf products that enterprises can deploy on their own will come a few years after the managed services.
In his role at the SANS Institute, Pescatore says people ask him how to put together a security analytics approach to protecting their businesses. He's in the process of pulling together a conference for practitioners to give them the basic knowledge they need to help them get started. It's tentatively scheduled for January 2014.
"The reality today is that most enterprises have a lot of security controls that they have deployed -- firewalls, vulnerability scanners, IPS, and so on," says Pescatore. "They don't need more tools. They need the knowledge of how to set those tools to combat the specific kinds of threats coming at them today, tomorrow and next year. I believe that security analytics will help get us there."
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.