Applying Big Data approaches to information security a challenge

Data integration and correlation a hard thing to do, say security experts at RSA Conference

SAN FRANCISCO: Applying Big Data approaches to information security can help enterprises build better situational awareness capabilities, but implementation could prove to be a major challenge, security experts said at the RSA Conference 2013 being held here this week.

Companies such as RSA and Symantec are using the conference to spell out their strategies of using new data aggregation, correlation and analytics approaches to help enterprises sift through huge sets of structured and unstructured data for threat indicators. The idea is that such data aggregation and correlation will help companies spot trends and threats that conventional signature-based security tools are unable to detect.

Unlike conventional security approaches that are focused largely on blocking attacks, the new approaches emphasize breach detection and response almost as much as breach prevention. The goal is to help companies block the threats they can while helping them detect and respond to the ones they miss.

In an inaugural keynote address, RSA chief Art Coviello said that the need for big data approaches was being driven by the increasing number of targeted and persistent attacks against U.S. businesses and government organizations. The sheer volume and variety of data being collected and mined by enterprises these days also is driving the need for new approaches to protect that data from adversaries, he said.

Instead of deploying point products and perimeter defenses, companies need to adopt a security model that is based on actual threats and threat intelligence, Coviello said.

U.S. organizations are caught up in an increasingly asymmetric war against cyber enemies that are better armed, better prepared and better organized than they are, said Francis deSouza, president of products and services at Symantec.

"Attackers have to be right just once, we have to be right every time," deSouza said in a keynote address at the conference. So rather than focusing purely on blocking all threats, companies should be using big data analytics approaches to detect intrusions and mitigate them, he said.

In theory at least, the idea of bolstering security by looking at and analyzing vast data sets is a good one, said several IT managers and security experts at the RSA show.

But getting there could take some doing, said Christopher Pierson, chief security and compliance officer at LSQ Holdings, a financial services company. "I think that the problem of having insight into log files and all your appliances has been pervasive," Pierson said.

Currently available security incident and event management (SIEM) tools already allow companies to aggregate huge amounts of log data from multiple security devices and bring it all to one system, he said. But the real problem with SIEMs is the ability to analyze the data and correlate that data so that precursor hacking evidence or actual intrusions can be detected and acted upon.

It's one thing to aggregate data. It's another thing entirely to make sense of it, he said. In the end, the key to situational awareness is the correlation rules and processes that a company has in place for analyzing the data and acting upon it in an efficient manner.
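The gap Pierson describes, between aggregating logs and correlating them into something actionable, is easier to see in code. The following is an added example, not part of the article and not any vendor's product: two constructed log sources in different formats (a firewall log and a syslog-style VPN authentication log) are normalised into one event schema, merged into a single timeline, and run through one correlation rule that fires when repeated failed logins from an address are followed by a success from the same address, enriched with how many firewall denies that address produced. All hostnames, addresses, users and timestamps are made up; the rule thresholds are assumptions a real deployment would tune.

```python
"""Toy SIEM-style log aggregation and correlation (added example; all data constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: two sources, each in its own native format,
# as they would arrive at a log collector.
FIREWALL_LOG = """\
2013-02-26T09:00:01 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2013-02-26T09:00:04 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2013-02-26T09:00:09 fw01 ALLOW src=203.0.113.7 dst=192.0.2.20 dport=443
2013-02-26T09:05:00 fw01 ALLOW src=198.51.100.4 dst=192.0.2.20 dport=443
"""

AUTH_LOG = """\
Feb 26 09:00:10 vpn01 sshd: Failed password for alice from 203.0.113.7
Feb 26 09:00:12 vpn01 sshd: Failed password for alice from 203.0.113.7
Feb 26 09:00:15 vpn01 sshd: Failed password for alice from 203.0.113.7
Feb 26 09:00:20 vpn01 sshd: Accepted password for alice from 203.0.113.7
Feb 26 09:06:00 vpn01 sshd: Accepted password for bob from 198.51.100.4
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_firewall(text):
    """Normalise firewall lines into the common event schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these rather than drop silently
        ts, host, action, src, dst, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "source": "firewall", "host": host,
                       "action": action.lower(), "src_ip": src, "dst_ip": dst,
                       "dport": int(dport), "user": None})
    return events


def parse_auth(text, year=2013):
    """Normalise syslog-style auth lines; syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, outcome, user, src = m.groups()
        events.append({"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
                       "source": "auth", "host": host,
                       "action": "login_failed" if outcome == "Failed" else "login_ok",
                       "src_ip": src, "dst_ip": None, "dport": None, "user": user})
    return events


def aggregate(*event_lists):
    """Merge normalised events from every source into one time-ordered stream."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def correlate_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation rule (thresholds are assumptions): at least `min_failures` failed
    logins from one source IP followed by a successful login from that IP within
    `window`. Each alert is enriched with the firewall deny count for the same IP,
    which only the merged stream can provide. Returns one alert per match."""
    failures = defaultdict(list)   # src_ip -> timestamps of failed logins seen so far
    denies = defaultdict(int)      # src_ip -> firewall deny count seen so far
    alerts = []
    for e in events:
        ip = e["src_ip"]
        if e["source"] == "firewall" and e["action"] == "deny":
            denies[ip] += 1
        elif e["action"] == "login_failed":
            failures[ip].append(e["ts"])
        elif e["action"] == "login_ok":
            recent = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"src_ip": ip, "user": e["user"], "failures": len(recent),
                               "firewall_denies": denies[ip], "success_at": e["ts"]})
    return alerts


def run_demo():
    """Aggregate both constructed sources and apply the rule; returns the alert list."""
    events = aggregate(parse_firewall(FIREWALL_LOG), parse_auth(AUTH_LOG))
    return correlate_bruteforce_then_success(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run stand-alone, it produces a single alert for alice from 203.0.113.7, while bob's clean login from 198.51.100.4 stays silent. The point is that neither source on its own answers the question: the firewall sees port probing but not the account, and the auth log sees the password guessing but not the probing that preceded it. Only the normalised, merged stream lets a rule join the two, which is the "correlation rules and processes" the article says companies must have in place.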

"The big data challenge is to derive actionable information," said Andrew Wild, chief security officer at Qualys. The issue that many enterprises face is not so much a lack of data but rather how to use it in a manner that is useful from a security perspective, he said.

"The network is highly aware, the routers are aware, the switches are aware. They know the packets that are flowing through the network." The problem is that all the data exists in different repositories that are not integrated at all, he said.

The tools individually are unable to provide much information, so the Big Data challenge is to find a way to aggregate the data and extract useful information from it. "Big Data is a big challenge when it comes to security," Jerry Sto. Tomas, director of global information security at Allergan, said in a panel discussion at the conference.

A lot of the log data that companies collect exists in silos, he said. And often the data that is collected is "garbage data" from a security standpoint, Tomas said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.
