Big Data Indexing: Addressing Business Risks Near You
Over the last 10 years, advanced hackers have moved from attacking government agencies to attacking businesses. Not the business specifically, but the people that run the business, through exploiting their trust. While employee awareness is the first step to preclude phishing attacks, it still only takes one successful attack to get a foothold inside the network.
Unwittingly, employees are being turned into ‘data mules’ for advanced threat actors. They, not technology, are the weak point in our cyber defense. Focusing on their activities in log data, as they interact with computer systems and applications to gain an understanding of what credentialed activity is normal and what is not, can help detect attack patterns as indicators of compromise.
This requires a real-time big data approach to security. Additionally, a statistical analysis of the data is needed to detect advanced threats that can siphon off data from any company and live inside the organization for years at a time. Catching these attackers and protecting our enterprise will require everyone to do a much better job base-lining what’s normal and watching for outliers
Below are five reasons why big data indexing systems will be embraced by security teams and the enterprise to better address business risks.
Confidentiality Integrity and Availability is a holistic view of business security and risk mitigation growing beyond traditional IT data sources.
For many businesses, availability is critical. By availability I mean customer facing services, the ability to sell goods, or service a particular constituency. These are the things that will cause the business repetition issues or financial hardship. Non-traditional security data sources such as call data records, RFID, GPS data and industrial control system data will be added to the security mix for a more complete view of enterprise security.
Security is being redefined: Monitoring & mitigating threats that compromise business reputation, service delivery, confidential data or result in loss of intellectual property.
This definition will begin to take hold as more and more data will be given over to the security team for review. This is also an acknowledgment of the fact that the threats that cost the business the most in time, effort and money will originate from within the business. In other words, the mindset of the attacker already inside the network will become common place.
Security folks will want and need more data – not less – for accurate root cause analysis
Automated log analysis by SIEMs and their limitations as to the kinds of data they collect cause root-cause analysis to be wrong as much as 90 percent of the time. This is most often because of a lack of contextual data for the attack itself. More visibility means more accurate decision making.
Complexity of threats will continue to grow and cross from IT to less traditional data / devices / sources.
Attacks from a modem secured with a default password in a power sub-station could be used to attack systems on a business LAN. Cyber attacks can have kinetic consequences due to attacks against our infrastructure. Threats, root-cause analysis, and forensics will need to become a center of excellence for all of the business functions.
A single investigation will include data from all parts of the business – beyond IT data
The search for evidence of malicious insiders or fraud will need to include data from all parts of the business, which will require a consolidated effort. Data gathering from CRM and ERP systems, call data records, and in some cases RFID and GPS data may be necessary to find and ultimately prosecute malicious insiders. A single time series index of businesses data will speed up these investigations.
Any and all data can be security relevant. We have to be able to use all the data at our disposal to make judgements about what’s normal and what’s not in the context of human behavior and what’s considered normal for our businesses.
About the Author:
Mark Seward is currently Senior Director, Security and Compliance Marketing at Splunk. He has more than 10 years of experience in the IT security management profession as a security practitioner and product manager with experience in log management and vulnerability management including extensive security work for the US Treasury Department. Mark has a Master of Science in Information Technology and a Federal CIO certification from the University of Maryland.