Big data and its security implications

There has been a significant amount of talk about big data lately in the media, particularly around the RSA security conference. However, many people are still unclear as to what constitutes big data and, furthermore, what its implications are for us as security professionals. In this brief article I shall try to address both points.

First, let’s look at what big data is. According to EMC / IDC’s definition, it is a new generation of technologies and architectures, designed to economically extract value from very large volumes of a wide variety of data by enabling high-velocity capture, discovery and/or analysis. IBM says that “three characteristics define big data”, namely Volume (Terabytes -> Zettabytes), Variety (Structured -> Semi-structured -> Unstructured) and Velocity (Batch -> Streaming Data).

Having looked at what constitutes big data, let’s look at its implications for us as security professionals. The first is its ability to aid the timely detection of security events. With dissolving security boundaries and more sophisticated adversaries, the threat is ever increasing. This expanded threat landscape means that we can no longer rely solely on security information from traditional sources such as network logs, SIEM alerts and application access controls. It is becoming increasingly necessary to couple this information with other sources to get a truer and timelier picture of security threats. These sources should include external ones such as social media sites, threat intelligence feeds and website clickstreams, as well as contextual information about the business and its assets.

By incorporating this big data into security programs, organisations gain richer context for assessing risk and for learning what ‘normal’ looks like for a particular user, group, business process or computing environment. As organisations develop fuller, more nuanced profiles of both systems and users, security teams can better spot the aberrant activity or behaviour that often indicates a problem. This analysis promises to give companies a full picture of who is coming into their network and who is talking to whom, and to flag anomalies or atypical user behaviour while the finding is still actionable.

Big data analytics is likely to have an impact on the following key security areas:

Security management – the convergence of SIEM, network monitoring and external threat intelligence will create a security analytics platform capable of massive and diverse real-time data collection and threat analysis. This convergence creates a unified security management system that can assimilate all information that could inform security, allowing analysts to detect threats in near real time and respond to them before they do too much damage.
Identity and access management (IAM) – next-generation tools will enable risk-based, adaptive identity controls that continuously evaluate and adjust the level of protection and access based on asset criticality and risk. By enabling situation-aware IAM, such tools provide continuous risk assessment of user activity, especially when sensitive resources are accessed, even after initial authentication. Profiles are built from historical behaviour to establish what normal looks like, and any deviation from that profile raises an alert. Access is then provisioned on demand and enforced on the fly according to accepted and expected user behaviour and system-enforced rules.
Fraud prevention – this is probably the most prominent current example of big data analysis. It involves analysing massive amounts of behavioural data and other diverse indicators to distinguish malicious from legitimate business activity. Activity that does not follow the normal pattern is highlighted for follow-up and possibly stopped from progressing. The credit card fraud prevention system Falcon is a good example of this.
Governance, risk and compliance (GRC) – as the scope of GRC programs grows, the amount of data such systems need to handle will grow with it. GRC platforms will need to analyse this big data to provide real-time access to all the information relevant to understanding business risk and prioritising security activities. These programs will help identify assets, their criticality and the threats to them, and allow organisations to act more quickly and in a more informed manner to mitigate those threats.

In order to build a Big Data security program, the following steps are necessary:

Set a holistic security strategy – prepare a security program that addresses your organisation’s particular security risks, threats and requirements, and make big data analytics part of that strategy.
Establish a shared data architecture for security information – since big data analytics requires information collected from many sources in many formats, a single architecture is needed that allows all of it to be captured, indexed, normalised, analysed and shared.
Migrate from point products to a unified security architecture – a unified security analytics framework is required, and care should be taken that security products can be integrated into it. A product that cannot easily be integrated may have to be retired, as it will otherwise become a blind spot.
Look for open and scalable big data security tools – use tools and technologies that favour agile, analytics-based approaches over static tools based on threat signatures or network boundaries. Big-data-ready tools should offer the architectural flexibility to change as the business, IT or threat landscape changes.
Strengthen the SOC’s data analytics skills – ensure that SOC staff can effectively develop analytical models that detect, and ideally prevent, illicit activity.
Leverage external threat intelligence – augment internal security analytics with external threat intelligence to give a fuller picture of the threat landscape and enhance the ability to detect and prevent attacks.
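The behavioural baselining described under IAM and fraud prevention above, and the normalise-then-enrich pipeline called for by the shared data architecture and threat intelligence steps, can be shown together in a small piece of code. The following Python is an added example and is not code from the article or from the RSA brief it cites. The two log formats, the user names, the IP addresses, the volumes, the single-entry threat list and the score weights and thresholds are all constructed for the demonstration; a real platform would replace them with its own feeds and tuned thresholds. What it demonstrates beyond the text: two differently formatted sources are mapped onto one schema, every login is scored against what that user has done before (new source address, address on the threat list, session volume far outside the user's own band) and is then folded into the user's profile, so the baseline keeps adapting after the initial authentication.

```python
"""Added, illustrative example (not from the article or the RSA brief it cites):
normalise two constructed log formats into one schema, enrich with a constructed
threat-intelligence list, and score each login against the user's own baseline."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import List, NamedTuple, Optional

# Shared schema that every source is mapped onto.
Event = NamedTuple("Event", [("ts", datetime), ("source", str), ("user", str), ("ip", str), ("bytes", int)])
Finding = NamedTuple("Finding", [("event", Event), ("score", int), ("reasons", List[str])])

# Constructed sample data: a VPN appliance's syslog-style lines and a web
# application's key=value audit lines. All names, IPs and volumes are invented.
VPN_LOG = """\
2013-01-14T08:02:11Z vpn01 LOGIN user=alice src=203.0.113.5 bytes=1200
2013-01-14T09:15:40Z vpn01 LOGIN user=bob src=192.0.2.10 bytes=500
2013-01-15T08:04:02Z vpn01 LOGIN user=alice src=203.0.113.5 bytes=1300
2013-01-15T09:20:13Z vpn01 LOGIN user=bob src=192.0.2.10 bytes=480
2013-01-16T08:01:55Z vpn01 LOGIN user=alice src=203.0.113.5 bytes=1150
2013-01-16T09:18:30Z vpn01 LOGIN user=bob src=192.0.2.11 bytes=515
"""
WEB_LOG = """\
ts=2013-01-14T12:30:00Z app=payroll action=login user=alice client_ip=203.0.113.6 bytes_out=1100
ts=2013-01-14T13:00:00Z app=payroll action=login user=bob client_ip=192.0.2.10 bytes_out=520
ts=2013-01-14T13:09:00Z app=payroll action=logout user=bob
ts=2013-01-15T12:35:00Z app=payroll action=login user=alice client_ip=203.0.113.6 bytes_out=1250
ts=2013-01-15T13:05:00Z app=payroll action=login user=bob client_ip=192.0.2.10 bytes_out=510
ts=2013-01-16T13:10:00Z app=payroll action=login user=bob client_ip=192.0.2.10 bytes_out=490
ts=2013-01-17T02:41:09Z app=payroll action=login user=alice client_ip=198.51.100.77 bytes_out=48000
"""
THREAT_IPS = {"198.51.100.77"}  # constructed stand-in for an external threat-intel feed
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
MIN_HISTORY = 3      # logins needed before a user is scored at all (assumed value)
ALERT_THRESHOLD = 2  # findings at or above this score are raised as alerts (assumed value)
VPN_RE = re.compile(r"^(?P<ts>\S+) \S+ LOGIN user=(?P<user>\S+) src=(?P<ip>\S+) bytes=(?P<bytes>\d+)$")

def parse_vpn(line: str) -> Optional[Event]:
    m = VPN_RE.match(line)
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], TS_FMT), "vpn", m["user"], m["ip"], int(m["bytes"]))

def parse_web(line: str) -> Optional[Event]:
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if kv.get("action") != "login":  # only logins feed the behavioural baseline
        return None
    return Event(datetime.strptime(kv["ts"], TS_FMT), "web", kv["user"], kv["client_ip"], int(kv["bytes_out"]))

def normalise(vpn_text: str, web_text: str) -> List[Event]:
    """Capture both formats into the shared Event schema, dropping records that do not parse."""
    parsed = [parse_vpn(l) for l in vpn_text.splitlines()] + [parse_web(l) for l in web_text.splitlines()]
    return [e for e in parsed if e is not None]

def score_events(events: List[Event], threat_ips=THREAT_IPS) -> List[Finding]:
    """Replay logins in time order. Each is scored against what the user did before,
    then folded into that user's profile, so the baseline keeps adapting."""
    seen_ips, volumes, findings = defaultdict(set), defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev.ts):
        hist = volumes[e.user]
        if len(hist) >= MIN_HISTORY:
            score, reasons = 0, []
            if e.ip not in seen_ips[e.user]:
                score += 1
                reasons.append("source IP never seen for this user")
            if e.ip in threat_ips:
                score += 2
                reasons.append("source IP on threat-intel list")
            mu = mean(hist)
            spread = pstdev(hist) or 0.1 * mu  # floor so a perfectly flat history still gives a band
            if e.bytes > mu + 3 * spread:
                score += 1
                reasons.append(f"volume {e.bytes} far above baseline {mu:.0f}")
            findings.append(Finding(e, score, reasons))
        seen_ips[e.user].add(e.ip)  # learn from every login, scored or not
        hist.append(e.bytes)
    return findings

def alerts(findings: List[Finding], threshold: int = ALERT_THRESHOLD) -> List[Finding]:
    return [f for f in findings if f.score >= threshold]

if __name__ == "__main__":
    for f in score_events(normalise(VPN_LOG, WEB_LOG)):
        flag = "ALERT" if f.score >= ALERT_THRESHOLD else "ok   "
        print(f"{f.event.ts:%Y-%m-%d %H:%M} {f.event.user:<6} {f.event.source:<4} "
              f"score={f.score} {flag} {'; '.join(f.reasons)}")
```

Run as a script it prints one scored line per login once a user has enough history. With the constructed data only alice's final login is raised: it comes from an address she has never used, the address is on the threat list, and the volume is far outside her band, so the three signals compound to a score of 4. bob's login from a new address scores 1 on its own, which is below the alert threshold but is still recorded, which is the point of scoring rather than matching signatures: a single weak indicator is kept as context for the next one.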

I have spent the bulk of this article on the application of big data analytics to cyber security. Let’s not forget, though, that organisations are increasingly using big data analytics to analyse business data and find previously unseen trends. These trends allow businesses to make more informed decisions and choices, for example by targeting existing customers with new products based on usage patterns revealed by their consumption of existing products.

Just as any business data requires protection, so does big data. The complication here is the volume and variety of the data itself. Since much of it is likely to be unstructured and stored in many locations, pinpointing, classifying and protecting it becomes difficult. In this instance the best approach is to go back to first principles and protect any business-related data under well-established internal security standards. Without this, the input data and the resulting conclusions can be severely skewed or incorrect, or worse, fall into the wrong hands. It is also worth noting that this protection must extend to security data itself; otherwise the organisation may be unable to detect incidents, or to rely on that data as evidence in a court of law.

Big data presents new and exciting opportunities for businesses, in both the cyber security and business analytics spaces. Using it well, and protecting it, is paramount if organisations are to get the best out of big data analytics.

Reference: Big Data Fuels Intelligence-Driven Security, RSA Security Brief, January 2013.

By Ashwin Pal