Based upon recent ESG research data, it is easy to conclude that big data security analytics is inevitable. In fact, large public sector and commercial organizations are already experimenting with technologies like Hadoop, Splunk, and PacketPig to bring the security and big data analytics worlds together.
While big data security analytics will roll out faster than most people think, there are bound to be some speed bumps along the way. In fact, some of the more annoying short-term issues will be around basic operational tasks like collecting, normalizing, and sharing security data in a multitude of formats, schemas, and syntaxes.
These issues reared their ugly heads in a recent ESG research project:
• 54% of large organizations have “significant difficulties” or “some difficulties” with security data normalization
• 54% of large organizations have “significant difficulties” or “some difficulties” with security data capture
• 52% of large organizations have “significant difficulties” or “some difficulties” with security data sharing
How can the industry address these problems? By providing standard data formats and APIs that eliminate data integration limitations and customization requirements.
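The normalization problem above is easiest to see in code. The following is an added example, not code from the ESG post or from any vendor named in it: three constructed events (a BSD-syslog firewall line, an ArcSight-style CEF line, and a JSON agent event) are parsed into one common schema so that a single query can correlate them. The schema keys, the `ASSUMED_YEAR` used for syslog timestamps (which carry no year), the receive-time fallback for records with no timestamp, and the severity and action mappings are all assumptions made for this example; the CEF parser is simplified and does not handle escaped pipes (`\|`) in header fields.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not from the article) in three formats a
# big-data security pipeline typically has to ingest side by side.
SAMPLE_EVENTS = [
    # BSD syslog line from a netfilter firewall (constructed)
    "Jun 12 10:14:22 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=445",
    # CEF line (constructed): CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    "CEF:0|Acme|IDS|2.1|1003|Port scan detected|7|src=203.0.113.9 dst=10.0.0.5 dpt=22 proto=TCP",
    # JSON event from an endpoint agent (constructed)
    '{"ts":"2013-06-12T10:14:25Z","host":"ep07","action":"block","src_ip":"192.0.2.77",'
    '"dst_ip":"10.0.0.5","dst_port":3389,"protocol":"tcp","severity":"high"}',
]

# Assumption: BSD syslog timestamps carry no year, so one is supplied here.
ASSUMED_YEAR = 2013

# Target schema (an assumption for this example): every parser fills the same keys.
SCHEMA_KEYS = ("timestamp", "reporter", "action", "severity",
               "src_ip", "dst_ip", "dst_port", "protocol")
ACTION_MAP = {"drop": "deny", "block": "deny", "deny": "deny",
              "reject": "deny", "accept": "allow", "allow": "allow"}
SEVERITY_WORDS = {"low": 3, "medium": 5, "high": 8, "critical": 10}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<action>\w+) (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def _severity(value):
    """Map severity words or numbers onto a 0-10 integer scale; None if absent."""
    if value is None:
        return None
    if isinstance(value, str) and value.lower() in SEVERITY_WORDS:
        return SEVERITY_WORDS[value.lower()]
    return max(0, min(10, int(value)))


def _event(**fields):
    """Build a record with every schema key present; unknown fields stay None."""
    rec = {k: None for k in SCHEMA_KEYS}
    rec.update(fields)
    return rec


def parse_syslog(line, received_at):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: %r" % line)
    kv = dict(KV_RE.findall(m.group("kv")))
    ts = datetime.strptime("%d %s" % (ASSUMED_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    return _event(
        timestamp=ts.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z"),
        reporter=m.group("host"),
        action=ACTION_MAP.get(m.group("action").lower(), m.group("action").lower()),
        src_ip=kv.get("SRC"), dst_ip=kv.get("DST"),
        dst_port=int(kv["DPT"]) if "DPT" in kv else None,
        protocol=kv.get("PROTO", "").lower() or None,
    )


def parse_cef(line, received_at):
    # The CEF header is seven pipe-separated fields; the extension follows the 7th pipe.
    # Simplification: escaped pipes (\|) inside header fields are not handled.
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("unrecognised CEF line: %r" % line)
    _, vendor, product, _version, _sig_id, _name, severity, extension = parts
    ext = dict(KV_RE.findall(extension))
    return _event(
        # Assumption: when no rt= field is present, the receive time stands in.
        timestamp=ext.get("rt", received_at),
        reporter="%s %s" % (vendor, product),
        action="alert",
        severity=_severity(severity),
        src_ip=ext.get("src"), dst_ip=ext.get("dst"),
        dst_port=int(ext["dpt"]) if "dpt" in ext else None,
        protocol=ext.get("proto", "").lower() or None,
    )


def parse_json(line, received_at):
    obj = json.loads(line)
    return _event(
        timestamp=obj.get("ts", received_at),
        reporter=obj.get("host"),
        action=ACTION_MAP.get(str(obj.get("action", "")).lower(), obj.get("action")),
        severity=_severity(obj.get("severity")),
        src_ip=obj.get("src_ip"), dst_ip=obj.get("dst_ip"),
        dst_port=obj.get("dst_port"),
        protocol=(obj.get("protocol") or "").lower() or None,
    )


def normalize(line, received_at="1970-01-01T00:00:00Z"):
    """Detect the wire format and return one record in the common schema."""
    if line.startswith("CEF:"):
        return parse_cef(line, received_at)
    if line.lstrip().startswith("{"):
        return parse_json(line, received_at)
    return parse_syslog(line, received_at)


def sources_by_target(lines, received_at="1970-01-01T00:00:00Z"):
    """With a shared schema, one query answers 'who touched this host?' across all reporters."""
    out = {}
    for rec in (normalize(l, received_at) for l in lines):
        if rec["dst_ip"] and rec["src_ip"]:
            out.setdefault(rec["dst_ip"], set()).add(rec["src_ip"])
    return out


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(normalize(line, received_at="2013-06-12T10:14:30Z"))
    print(sources_by_target(SAMPLE_EVENTS))
```

Each format needs its own parser, its own timestamp handling, and its own severity and action vocabulary before the three records become comparable; that per-source custom code is exactly the labor the survey respondents report, and it is what a shared format or API would remove.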
I’ve blogged about industry standards before. For example, MITRE has done a great job with Common Vulnerabilities and Exposures (CVEs) but support for its many other security standards is fairly limited. It seems like a no-brainer to me that leading security vendors like Check Point, Cisco, HP, IBM, McAfee, RSA, Symantec, and Trend Micro should get more involved.
Aside from the MITRE standards, here’s another suggestion: In order to accelerate big data security analytics effectiveness and efficiency, the security industry should get behind the Interface for Metadata Access Points (IF-MAP) standard introduced by the Trusted Network Connect (TNC) sub-group of the Trusted Computing Group (TCG) in 2008. Juniper is a big IF-MAP supporter, as are Enterasys and Infoblox.
Why is IF-MAP a good fit for big data security analytics? In simple terms, IF-MAP allows devices to share information in a standard, well-defined way. What’s more, IF-MAP provides this data sharing for a broad range of use cases, including physical security, cloud computing, grid computing, etc. If nothing else, IF-MAP makes a lot of sense in the era of BYOD and mobile computing.
IF-MAP isn’t a big data security analytics requirement, but it could go a long way toward making data collection, normalization, and sharing a bit easier. This is especially important because there aren’t enough trained security professionals available to labor through this with manual processes and custom coding. Furthermore, IF-MAP isn’t just about security analytics; it’s about security policy enforcement automation. Once again, this could help reduce time, labor, and money – and make us all more secure.