Zions Bancorporation has set up a massive repository for proactively analyzing a combination of real-time security and business data in order to identify phishing attacks, prevent fraud and ward off stealthy hacker incursions known as advanced persistent threats.
"This system allows you to start leveraging disparate types of events around the organization, such as patterns of behavior in your network," says Preston Wood, chief security officer at Zions, in discussing how the Salt Lake City bank-holding company, which has over $51 billion in assets, has set up its data-mining analytics for security purposes.
The foundational tool for Zions is the Zettaset Security Data Warehouse, based on open-source Hadoop for data-intensive distributed applications. Wood says that for him the approach is a huge change because it relies on making security decisions based on mining business intelligence and combining it with security-related event data from security devices.
Today, security analysis more typically relies on what's known as security information and event management (SIEM) tools, which aggregate security and other technical information for a bird's-eye view of network activity or to detect possible unauthorized actions. Wood says that's fine in and of itself, but it's now possible to go further through correlation of business activities, based on feeds from other sources too.
"It doesn't replace a traditional SIEM, it augments it," says Wood about how the Security Data Warehouse has been put into use at Zions.
A SIEM may have trouble "dealing with massive amounts of historical data," says Wood, but by using the Hadoop framework with core components that can handle "terabytes, even petabytes of information," it's possible to achieve better analysis by combining business and security data. "A SIEM becomes one main feed into the Security Data Warehouse. Improved historical analysis is also resulting," he adds.
Wood says Zions now has "analysts assigned with our security division making decisions off that data." It's becoming a way to do predictive analytics and spot anomalies. It's also increasingly playing a role in understanding customer transactions and behavior for security purposes.
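As an added illustration of the kind of cross-feed correlation Wood describes (example code written for this page, not Zions' or Zettaset's, and in plain Python rather than a Hadoop job; the login and wire-transfer records are constructed), the snippet below builds a per-customer baseline from a historical window and raises an alert only when an unusually large transfer coincides with a login from a country that customer has never used. Either feed alone would produce a false positive here: one customer has an abnormal amount but a normal login, the other has both.

```python
"""Correlate SIEM-style login events with business transaction records
over a historical window.  Added example for this article, not Zions' or
Zettaset's code.  Every record below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed SIEM export: one authentication event per line.
SIEM_EVENTS = [
    "2012-05-01T09:02:11Z login cust=1001 country=US ip=198.51.100.7",
    "2012-05-01T10:15:40Z login cust=1002 country=US ip=203.0.113.22",
    "2012-05-14T08:55:03Z login cust=1001 country=US ip=198.51.100.7",
    "2012-05-20T14:01:30Z login cust=1002 country=US ip=203.0.113.22",
    "2012-06-03T02:17:49Z login cust=1001 country=RO ip=192.0.2.77",
    "2012-06-03T11:40:12Z login cust=1002 country=US ip=203.0.113.22",
]

# Constructed business feed: customer wire transfers, amount in USD.
TRANSFERS = [
    "2012-05-01T09:10:00Z cust=1001 amount=1200.00",
    "2012-05-01T10:20:00Z cust=1002 amount=450.00",
    "2012-05-14T09:05:00Z cust=1001 amount=980.00",
    "2012-05-20T14:30:00Z cust=1002 amount=510.00",
    "2012-06-03T02:25:00Z cust=1001 amount=15000.00",  # large, minutes after a foreign login
    "2012-06-03T11:45:00Z cust=1002 amount=9000.00",   # large, but from the usual country
]

# Records before this date form the historical baseline; later ones are scored.
BASELINE_CUTOFF = datetime(2012, 6, 1)


def parse_line(line):
    """Split 'ts key=value ...' into a dict; bare tokens become the event name."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
        else:
            rec["event"] = field
    return rec


def build_baseline(logins, transfers, cutoff):
    """Per-customer set of login countries and list of transfer amounts seen before cutoff."""
    countries = defaultdict(set)
    amounts = defaultdict(list)
    for event in logins:
        if event["ts"] < cutoff:
            countries[event["cust"]].add(event["country"])
    for transfer in transfers:
        if transfer["ts"] < cutoff:
            amounts[transfer["cust"]].append(float(transfer["amount"]))
    return countries, amounts


def correlate(siem_lines, transfer_lines, cutoff, window=timedelta(hours=1), ratio=5.0):
    """Flag post-cutoff transfers that are both unusually large for the customer
    and preceded within `window` by a login from a never-before-seen country."""
    logins = [parse_line(line) for line in siem_lines]
    transfers = [parse_line(line) for line in transfer_lines]
    countries, amounts = build_baseline(logins, transfers, cutoff)
    alerts = []
    for transfer in transfers:
        if transfer["ts"] < cutoff:
            continue
        cust = transfer["cust"]
        history = amounts.get(cust)
        if not history:
            continue  # no baseline for this customer; a real pipeline would route these separately
        amount = float(transfer["amount"])
        unusual_amount = amount > ratio * median(history)
        # Logins by the same customer in the hour leading up to the transfer.
        recent = [e for e in logins
                  if e["cust"] == cust and timedelta(0) <= transfer["ts"] - e["ts"] <= window]
        new_geo = [e for e in recent if e["country"] not in countries[cust]]
        if unusual_amount and new_geo:
            alerts.append({"cust": cust, "ts": transfer["ts"].isoformat(),
                           "amount": amount, "login_country": new_geo[0]["country"]})
    return alerts


def run_example():
    """Run the correlation over the constructed feeds."""
    return correlate(SIEM_EVENTS, TRANSFERS, BASELINE_CUTOFF)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On a Hadoop deployment the same two joins (transfer to customer baseline, transfer to logins in the preceding window) would run as a batch job over years of history rather than a list comprehension; the logic is what the warehouse makes affordable, not anything the SIEM could not express for a short window.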
Wood says he's also convinced the Security Data Warehouse approach is making it more possible to detect phishing attempts by analyzing email and other events, "and that allows you to respond more quickly than in the past."