I don’t think anyone is surprised that Big Data was a popular term at the RSA conference this year. As is often the case with information security, there was as much derision as promotion.
Ellen Messmer provided a good summary of the panel discussion on Big Data Security, or what should really be called ‘Big Security Data’ because ‘Big Data Security’ is really a separate problem (sometimes marketing is awkward). Here’s my summary of the summary:
This is the challenge with a marketing campaign built around a problem, not a solution. Large organizations have security data already. That’s what these CISOs basically explained. Trying to sell them on “Big Data” doesn’t make any sense. It’s like a doctor trying to sell symptoms instead of treatment.
I’m being unfair, I know. There are engineers and product managers behind the scenes here who actually understand that Big Data is the problem and are building better tools to actually deal with it, but the market ends up with the big data message.
But there’s a bigger problem here that isn’t about the marketing messages. In security there’s already plenty of data, yet despite that conclusion, the messaging wasn’t the biggest flaw in the Big (Security) Data strategy that we saw prominently displayed at RSA this year.
The bigger problem is that the underlying assertions of these Big (Security) Data strategies, even when you peel away the marketing, are flawed. Let me offer a few illustrations of the prevailing strategy.
“According to HP, ‘this combination automatically recognizes the context, concepts, sentiments and usage patterns related to how users interact with all forms of data,’ and gives businesses a new way to translate raw security data into more actionable intelligence by helping security managers better track individual users’ behavior patterns and spot signs of unusual activity.”
“IBM Security Intelligence with Big Data provides a comprehensive approach that allows security analysts to extend their analysis well beyond typical security data and to hunt for malicious cyber-activity, the company said.”
“Designed to integrate HP ArcSight 6.0c with Apache Hadoop, the technology is aimed at speeding the process of collecting and analyzing big data stores to provide a more complete view into security events.”
“Autonomy can analyze data from the Internet for sentiment and context and send it to ArcSight for correlation with security log information to predict attacks.”
“A big theme at the RSA Conference this year is a concept known as Big Data Security — the idea that massive amounts of data related to both network security and business context should be stockpiled to be analyzed to pinpoint malware, rogue insiders and stealthy attacks aimed at stealing sensitive data.”
Spot signs of unusual activity, hunt for malicious cyber-activity, complete view of security events, predict attacks, rogue insiders; all of this language around intelligence, analytics and big big data is basically about building a better IDS. It’s worth pointing out that it’s also about building a much much more expensive IDS. It’s easy to get confused by the sophistication of the attacks, and the multitude of components involved in the process, but at its core, we’re talking about a system to detect intrusions.
At this point, someone out there is likely going to argue that prevention comes with active defense technologies. All this intelligence can be used to virtually patch servers and actively block attackers; this is proactive security, they’ll say. In a sense, that’s actually true. It’s true in the same way that a bulletproof vest is proactive. The analogy and reality both fail in the same way, however.
While true in isolation (one bullet, one vest), the consistent mutual escalation of capabilities means that we’re continuously engaged in a reactive arms race of better attacks and better blocking. This is, in itself, reactive, but it also drives us back to a focus on more sophisticated detection to enable and maintain the ‘detect and block’ strategy. As an industry, it is a fundamentally reaction-oriented approach.
If you’re still not sure, ask yourself these questions:
- Why is it that, after more than a decade of improved detection technologies, the most effective method of securing a device is still to just unplug it?
- Why does every single organization still have the same general set of information security problems?
- Why is the information security industry growing at such a rapid rate (when it doesn’t actually contribute revenue)?
I’ll propose an answer in part 3…