In a recent ESG research survey (note: I am an employee of ESG), security professionals working at enterprise organizations (i.e. more than 1,000 employees) were asked the following question: How do you believe that your organization will change its security technology strategy decisions in any of the following ways over the next 24 months in order to improve its security management?
- 44% said that they planned to “design and build a more integrated security architecture.” In other words, they want central configuration management, policy management, and reporting for different security technologies.
- 39% said that they planned to “include new data sources for security intelligence.” This means that they plan to collect more internal data from networks, applications, and security devices and also consume more external threat intelligence from existing security vendors or innovative newcomers like BitSight, Norse, and Vorstack.
These are worthwhile plans, but there is still a problem with the first initiative – building an integrated enterprise security architecture could take years, because large organizations tend to replace existing products only once they are fully amortized, and must then integrate the replacements through some common set of APIs and middleware. In the meantime, they will have to manage enterprise security through an army of point tools and manual processes.
Rather than languish for a few more years, I have an alternative suggestion – make big data security analytics the tip of the enterprise security integration spear. After all, the whole “big data” part of the equation is about collecting data feeds from everything – networks, endpoints, applications, cloud service providers, IoT components, physical security systems, external threat intelligence, etc.
Once established, big data security analytics can span the network with eyes and ears on everything. As the analytics evolve, CISOs should have accurate and timely intelligence about what’s connected to the network (e.g. from vendors like Bradford Networks, Cisco, ForeScout, Great Bay Software, Juniper, etc.), the profile of each network node, and the security state of every device. This data can feed risk management dashboards in real time and enable data-driven adjustments to security controls up and down the technology stack.
As for incident detection/response, big data security analytics is designed to analyze and correlate packet capture, NetFlow, endpoint forensic data, logs, and even SNMP traps in a cybersecurity context. These systems will combine machine-learning algorithms, statistics, and visual analytics to get a picture of anomalous/suspicious activities across the whole IT enchilada.
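As an added illustration (not code from the original post or from any of the vendors it names), the following Python sketch shows the kind of cross-source correlation the paragraph describes at toy scale: a per-host statistical baseline over NetFlow-style records, a brute-force-then-success rule over syslog-style authentication lines, and a join of the two detections on host. All records, hostnames, addresses and thresholds are constructed for the example.

```python
"""Toy cross-source security correlation (added example; constructed data)."""
import re
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (window, src_host, dst_ip, bytes_out).
# Windows w1..w5 are in time order.
NETFLOW = [
    ("w1", "host-a", "10.0.0.5", 1200), ("w2", "host-a", "10.0.0.5", 1300),
    ("w3", "host-a", "10.0.0.5", 1100), ("w4", "host-a", "10.0.0.5", 1250),
    ("w5", "host-a", "203.0.113.9", 48000),   # sudden spike to an external address
    ("w1", "host-b", "10.0.0.5", 900),  ("w2", "host-b", "10.0.0.5", 950),
    ("w3", "host-b", "10.0.0.5", 1000), ("w4", "host-b", "10.0.0.5", 980),
    ("w5", "host-b", "10.0.0.5", 1010),
    ("w1", "host-c", "10.0.0.5", 500),  ("w2", "host-c", "10.0.0.5", 520),
    ("w3", "host-c", "10.0.0.5", 480),  ("w4", "host-c", "10.0.0.5", 510),
    ("w5", "host-c", "10.0.0.5", 30000),      # volume spike but no auth anomaly
]

# Constructed syslog-style auth events: (window, host, message), in time order.
AUTH_LOG = [
    ("w4", "host-a", "sshd: Failed password for admin from 198.51.100.7"),
    ("w4", "host-a", "sshd: Failed password for admin from 198.51.100.7"),
    ("w4", "host-a", "sshd: Failed password for admin from 198.51.100.7"),
    ("w5", "host-a", "sshd: Accepted password for admin from 198.51.100.7"),
    ("w5", "host-b", "sshd: Accepted publickey for deploy from 10.0.0.20"),
]

WINDOWS = ["w1", "w2", "w3", "w4", "w5"]
LOGIN_RE = re.compile(r"sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)")


def bytes_per_host_window(flows):
    """Aggregate outbound bytes per (host, window). In a real pipeline this
    is the stream/MapReduce stage; here it is a plain dictionary."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, host, _dst, nbytes in flows:
        totals[host][window] += nbytes
    return totals


def volume_outliers(flows, current="w5", threshold=2.0):
    """Return {host: z_score} for hosts whose volume in `current` lies more
    than `threshold` standard deviations above that host's own baseline."""
    flagged = {}
    for host, per_window in bytes_per_host_window(flows).items():
        baseline = [per_window.get(w, 0) for w in WINDOWS if w != current]
        mean = statistics.mean(baseline)
        stdev = statistics.pstdev(baseline) or 1.0   # flat baseline: avoid divide-by-zero
        z = (per_window.get(current, 0) - mean) / stdev
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


def brute_force_then_success(log, min_failures=3):
    """Hosts where one (user, source) pair failed at least `min_failures`
    times and was then accepted. Assumes the log is in time order."""
    failures = defaultdict(int)   # (host, user, src) -> failed attempts so far
    flagged = set()
    for _window, host, message in log:
        m = LOGIN_RE.search(message)
        if not m:
            continue
        outcome, user, src = m.groups()
        key = (host, user, src)
        if outcome == "Failed":
            failures[key] += 1
        elif failures[key] >= min_failures:
            flagged.add(host)
    return flagged


def correlate(flows, log):
    """Join the two detections on host. A volume outlier on its own is noisy
    (host-c); one on a host that also shows a successful login after a burst
    of failures (host-a) is worth an analyst's attention."""
    outliers = volume_outliers(flows)
    suspicious_logins = brute_force_then_success(log)
    return {host: {"bytes_z_score": z, "auth_anomaly": True}
            for host, z in outliers.items() if host in suspicious_logins}


if __name__ == "__main__":
    for host, evidence in correlate(NETFLOW, AUTH_LOG).items():
        print(f"{host}: {evidence}")
```

The point of the join is the one the paragraph makes: each feed alone produces alerts (host-c trips the volume rule, host-a alone trips the auth rule), and it is the correlation across sources that turns a statistic into a lead. A real deployment would swap the fixed windows and z-score for streaming aggregation and a learned model, but the shape of the logic is the same.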
To be clear, I’m not suggesting that big data security analytics is a panacea. Enterprise organizations have a lot of learning and cost ahead of them, while security analytics vendors have to develop highly scalable and intelligent security analytics tools that can be used effectively by security professionals, not MIT PhDs.
Yes, it will take a while for big data security analytics to play out, but given the amount of innovation going on in this area (e.g. from vendors like Cybereason, Fortscale, Hexis Cyber Solutions, ISC8, IBM, LogRhythm, Narus, RSA, Splunk, 21CT, etc.), usable enterprise solutions will come faster than expected. Additionally, I have no doubt that enterprises will collect, process, and store massive amounts of security data from every conceivable IT nook and cranny over the next few years – all to provide security analysts with a treasure trove of real-time and historical data. Given this, it makes sense to integrate security data first, improve incident detection/response and security operations on top of it, and only then move on to integrating the myriad security management consoles, middleware, and enforcement points.