Analyze this, and that: CSOs latch on to better data tools

CSOs were swimming in data way before it got big across the enterprise. Firewalls, intrusion detection systems and other security programs spit out scads of data. But the Big Data era is giving CSOs better tools to use.


"Security is all about the metrics, too, and analytics will give you that. You're logging it and can quantify it," says Peter Miller, CSO at Orange County, Florida, where he's been since 2000.

Miller says analytics is not just important for cyber security. Orange County has 3,000 surveillance cameras, and "we knew we couldn't have 3000 people looking at those cameras."

Analytics, some written in-house (he has four analytics specialists in his physical and cyber security staffs), run on a Next Level Security Systems appliance. They help the county parse the data coming in from those cameras.

Orange County recently installed a $40 million radio system, and some of the radios are in very remote parts of the county. Analytics help it tell whether a deer has tripped the camera, someone is climbing a fence, or someone is trying to siphon power from the towers.

The county has also adopted TextGuard, to comply with Florida's sunshine laws, allowing it to capture and track texts sent by public officials and employees. That tool also allows it to analyze whether they are texting passwords or other sensitive information.

"I can't imagine doing my job without analytics," Miller says.

Miller isn't alone.

"Big data is changing the CISO's job," says Jon Oltsik, a security analyst at Enterprise Strategy Group. Oltsik notes that "big data is a marketing term. It means you have more data you have to analyze than you know how to analyze, and that's true in big companies today for security." There's a lot more security data out there. A recent ESG report, The Emerging Intersection Between Big Data and Security Analytics, found that 86 percent of respondents said they were collecting more security data than they had in 2010. Some 44 percent said they had enough security data to be considered Big Data today, while another 44 percent said that would be true within two years.


That report was based on a survey of 257 security-oriented IT people at companies with 1,000 or more employees.

Ken Pfeil, CSO at a large mutual fund in Boston, says one of the impacts is, "you're still dealing with false positives, but now you're ignoring more, because you're getting a lot more, but they're not necessarily more useful."

In fact, 35 percent of CISOs say they are getting more false positives, according to the ESG survey.

Oltsik says traditional tools available to CSOs to analyze their data won't be effective for big data analytics. Now, new ones are becoming available, ranging from Hadoop-based analysis programs to proprietary tools to beefed up components in familiar security products.

These tools are making it possible to do trend analysis over months' worth of data.

That kind of historical analysis is opening a new front in analytics for CSOs, says John Pescatore, director of emerging security trends at SANS Institute. Pescatore says CISOs have long used security information and event management (SIEM) tools to collect data. It's been good for creating reports, but weak for looking backwards in time and doing something predictive.

"You want to be able to say, 'conditions have just changed and we better take action or we are likely to be penetrated,'" Pescatore says.
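The shift Pescatore describes, from a SIEM report that says how many events happened yesterday to an analysis that notices when conditions have changed, can be shown with a small rolling-baseline check. The following is an added illustration, not code from the article or from any of the vendors it names: it parses constructed firewall-style deny lines (the log format, the dates and the thresholds are all assumptions made for the example), aggregates them per day, builds a baseline from the preceding two weeks, and flags a day only when it jumps both by a minimum absolute amount and by several standard deviations, which is one way to keep the noisy days that Pfeil complains about from being flagged too.

```python
"""Rolling-baseline trend detection over daily security event counts.

Added example for the article's point about historical analysis. All log
lines are constructed; the line format and thresholds are assumptions, not
any vendor's SIEM output.
"""
from collections import Counter
from datetime import date, timedelta
import re
import statistics

# Constructed line format: "<YYYY-MM-DD> DENY src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def daily_deny_counts(lines):
    """Aggregate log lines into {date: number of DENY events}.
    Lines that do not match the expected format are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            counts[date.fromisoformat(m.group(1))] += 1
    return dict(counts)


def flag_shifts(counts, baseline_days=14, z_threshold=3.0, min_delta=20):
    """Return [(day, count, baseline_mean, z)] for days whose count lies more
    than z_threshold standard deviations above the mean of the preceding
    baseline_days days. min_delta additionally requires an absolute jump, so
    a quiet baseline with near-zero variance cannot flag a one-event change."""
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        window = days[max(0, i - baseline_days):i]
        if len(window) < baseline_days:
            continue  # not enough history yet to build a baseline
        history = [counts[d] for d in window]
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history)
        delta = counts[day] - mean
        if delta < min_delta:
            continue
        z = delta / stdev if stdev > 0 else float("inf")
        if z > z_threshold:
            flagged.append((day, counts[day], round(mean, 1), round(z, 2)))
    return flagged


def build_sample_log(start=date(2013, 9, 1)):
    """Constructed sample: roughly 100 DENY lines per day for 20 days, one day
    with a sudden jump (day 21), then a return to normal. The addresses are
    documentation ranges, not real hosts."""
    per_day = [96, 104, 99, 101, 103, 97, 100, 102, 98, 105,
               95, 101, 100, 99, 104, 97, 103, 100, 98, 102,
               380,  # day 21: conditions have changed
               101, 99]
    lines = []
    for offset, n in enumerate(per_day):
        day = start + timedelta(days=offset)
        for k in range(n):
            lines.append(f"{day.isoformat()} DENY src=203.0.113.{k % 250 + 1} "
                         f"dst=192.0.2.10 dport={22 if k % 3 else 3389}")
    return lines


def run_example():
    """Parse the constructed log and return the flagged days."""
    return flag_shifts(daily_deny_counts(build_sample_log()))


if __name__ == "__main__":
    for day, n, mean, z in run_example():
        print(f"{day}: {n} denies vs baseline {mean} (z={z})")
```

Only the day with 380 denies is reported; the two normal days after it are not, because the spike has entered their baseline and their counts sit below it. In practice the baseline window, z threshold and minimum delta are tuned per data source, and a spike like this is a prompt to look at the underlying records, not a verdict on its own.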

Pfeil says there are more subtle concerns. He says it is also important to find tools that can find anomalies in traffic that looks benign. "I think most companies are compromised and they don't know it," Pfeil says. So traffic that goes to a legitimate company's compromised Web site could then be redirected to an illegitimate source, what Pfeil called a watering hole attack. Normal analytics tools can't find that, so he's started using Bromium, which lets him do attack visualization analysis.

It takes unique skills to do analytics well. Data scientists, business subject specialists and programmers may need to work together to create effective analytics. That means most analytics work gets done at what Oltsik calls the tip of the enterprise pyramid, "the biggest of the big companies." Even there, it can be hard to get budget for preventive applications, says Pfeil.


Pescatore says one tack for CISOs is to find security vendors with large, active online communities. Those communities can give free, practical advice on how to work through the complicated process of analytics. Pescatore had positive things to say about companies and products like Tenable, Splunk, EiQ Networks and IBM's Q1 Labs' QRadar.

Third parties are popular when it comes to security analytics. In the ESG survey, 55 percent of companies said they rely heavily or somewhat heavily on third parties to help with their analytics.

Security vendors in general are trying to beef up their analytics. Trustwave, which does PCI compliance, in June launched SIEM Enterprise in response to the increasing kinds of data coming from mobile platforms and other new devices. Steve Kelley, Trustwave's vice president of marketing and product management, said Trustwave thinks it's become important for it to offer its own analytics, rather than expecting its customers to run analytics in general business intelligence tools.

Oltsik says analytics is complicated, but CISOs can take some small steps to get into it.

He recommends first looking at the data they already collect and what they're already doing analytics on, and then making a list of what they think they should be doing analytics on.

Then, as a first step toward the new style of analytics, start working with an open source tool called PacketPig.

It can also be effective to work with business units to identify risks and share the costs of doing analytics, says Pfeil. Just don't expect that analytics will be simple, he warns.

"Everyone's looking for the one magic dashboard," says Pfeil. "You won't find it."

Stories by Michael Fitzgerald