Cisco Subnet An independent Cisco community View more

The Keys to Big Data Security Analytics Solutions: Algorithms, Visualization, Context, and Automation (AVCA)

Vendors must focus in these areas to help enterprise organizations with security efficacy and operational efficiency

ESG research indicates that 44% of organizations believe that their current level of security data collection and analysis could be classified as “big data,” while another 44% believe that their security data collection and analysis will be classified as “big data” within the next two years (note: In this case, big data security analytics is defined as, “security data sets that grow so large that they become awkward to work with using on-hand security analytics tools”). So enterprises will likely move to some type of big data security analytics product or solution over the next few years. That said, many CISOs I speak with remain confused about this burgeoning category and need help cutting through the hype. I recently published a big data security analytics FAQ as part of my blog to try and assist in this area. This provided basic definitions about the category but what about the products themselves? Of course all big data security analytics must offer massive scale and flexible query capabilities but what will set one solution apart from all others? In keeping with our industry’s love of acronyms, I suggest that security professionals think in terms of AVCA (Algorithms, Visualization, Context, and Automation) as follows: • Algorithms: With big data security analytics, algorithms represent the difference between manual and automated analytics. With algorithms, your analysts are supported by intelligent technology; without them they will be forced to plough through more and more data on their own. Big data security analytics algorithms should blend data, processing power, and custom rules for strong accuracy. Examples include machine learning (i.e. 21CT, LogRhythm, SilverTail, etc.) and behavior anomaly detection (i.e. Click Security, Lancope, Netskope, Solera Networks, etc.). Many organizations also use Splunk as a foundation for their own custom algorithms. • Visualization. Data visualization for security remains extremely elementary, dominated by pie charts, graphs, and Excel spreadsheet pivot tables. Visualization technology is an emerging area today but there is an increasing amount of research and development happening, primarily in places like U.S. national labs and academic institutions. Additionally, the annual VizSec conference in Atlanta Georgia (www.vizsec.org) is dedicated to the study and proliferation of data visualization for cybersecurity. Over time, CISOs should expect big changes in this area, with new types of visualization hardware, tablet-like data manipulation, and 3-D graphics for pattern matching, risk scoring analysis, and data pivoting. Vendors like LexisNexis, Hexis Cyber Solutions and Narus come to mind here. • Context. When malware targets an unpatched system it’s an emergency. Alternatively, when malware is headed for a patched system, the situation isn’t very critical at all. Over time, big data security analytics will blend threat detection/forensics with continuous monitoring to calculate risk scores associated with cyber-attacks. McAfee will push this agenda by integrating McAfee Security Manager (i.e. Nitro) with ePO. RSA will do the same by bridging its big data security analytics and Archer. HP will also follow this path. • Automation. This one may take a while as it is akin to the transition from IDS to IPS and security professionals are always concerned about false positives. Nevertheless, security automation is a growing requirement as the security staff can no longer keep up. Cisco will use its network infrastructure, SDN, and cloud-based big data security intelligence for network security automation. Other network security specialists like Check Point and Palo Alto Networks will also pursue this course. IBM will also be aggressive here, integrating its network security portfolio (i.e. ISS) and Trusteer (i.e. endpoint security) with QRadar, IBM Security Intelligence with Big Data, and X-force security intelligence. Security professionals researching and evaluating big data security analytics products should make sure to make AVCA part of their requirements. As for the supply side, AVCA may be a ticket to success.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.