IBM’s Analytics Solution Center held the first Analytics Security 360° (AS 360°) event of a series, titled “Leveraging Security Analytics to Improve Your Situational Awareness”, on September 26th in Washington DC. The event focused on the existing and new security threats attacking government agencies; the complexities and challenges government agencies face in defending against these threats; how government security professionals can combine real-time security analysis with asymmetric Big Data analytics to improve situational awareness at the federal mission level; and how they can harness the power of Big Data through advanced security, predictive, and entity analytics as a preemptive defense against external and internal threats.
Current State of the Enterprise Security Landscape
The keynote speaker, Jon Oltsik, a Senior Principal Analyst with the Enterprise Strategy Group (ESG), discussed from an analyst’s perspective the current state of enterprise security, the role of Big Data security analytics, and industry trends in this arena. Jon explained that the security landscape is getting more dangerous because of the different types of security threats governments face, e.g. advanced persistent threats (APTs), insider threats, fraud, hacktivism, and infection detection. The ESG data showed:
- 67% of security professionals believe that the malware threat landscape is “significantly” or “somewhat” worse in 2013 compared to 2011
- 72% of security professionals believe that the average organization is “extremely vulnerable” or “vulnerable” to a security breach.
- 49% of enterprises have suffered a successful Malware attack within the last 2 years.
Also, the present state of IT complexity and security skills shortage leads to limited situational awareness, perpetual fire fighting, and security technology complexity challenges. These factors leave government organizations at high risk and with high operating costs.
Cybersecurity Skills Shortage
The ESG survey data shows organizations will face a significant shortage of the highly skilled cybersecurity resources needed to implement security solutions that protect them against external and internal threats. This will require organizations to develop more integrated and automated security solutions. See figure 1 – Areas of Acute Cybersecurity Skills Shortages.
- 25% of enterprise organizations have a “problematic shortage” of cybersecurity skills
- 36% of enterprise organizations plan to add cybersecurity headcount in 2013
- 83% of enterprise organizations say that it is “extremely difficult” or “somewhat difficult” to recruit/hire cybersecurity professionals
Currently, organizations spend too much of their budget on costly point-to-point cybersecurity solutions. These carry high labor costs because staff spend their time reacting to false positives rather than on proactive security management, and they are compounded by IT complexity and a lack of the appropriate security skills within IT to implement the solutions. See figure 2 – Security Management Challenges and figure 3 – Increased Security IT Complexity.
Figure 2 – Security Management Challenges
Figure 3 – Increase Security IT Complexity
The Need For Big Data Security Analytics
Security data is used to analyze activities and metrics associated with risk management, incident detection/response, regulatory compliance, and investigations/forensics. Many of these investigations now include analysis of nontraditional data sources such as social media, customer browsing history, and business transactions. To support business requirements, manage risk, and respond to security events, CISOs collect, retain, and analyze a larger repository of data than they did in the past. Security data growth and utilization will only increase in the future.
In large organizations, tactical security analytics and compliance-centric legacy SIEM tools can no longer keep up with the growing volume of security data. Organizations need to develop a Big Data security analytics platform to collect, analyze, and extract insight from security data sets so large and complex that they are too difficult to process with on-hand database management tools or traditional security data processing applications. Big Data security analytics solutions consist of two main areas of functionality needed to defend government organizations from external and internal threats:
1. Real-time Big Data Security Analytics
These solutions may be quite familiar to CISOs because they are basic evolutionary iterations of existing SIEM, log management, network flow analysis, and IP packet capture tools. This new breed of real-time big data security analytics solutions is distinguished from legacy SIEM platforms by the solutions’ scalability, analytics intelligence, and performance characteristics.
2. Asymmetric Big Data Security Analytics
Asymmetric big data security analytics solutions are designed to supplement real-time big data security analytics by providing high-performance platforms for the analysis of massive volumes of structured and unstructured data. In this way, asymmetric big data security analytics can look at data across long periods of time to establish baseline behavior and detect anomalies. Asymmetric big data security analytics solutions are also designed with the assumption that analysts may have no idea what they are looking for, where to start, or how to proceed. Because of this, analysts need the flexibility to analyze the data in a multitude of ways and easily pivot from one query to the next.
The time is now for government organizations to act! Government organizations need to leverage IBM’s comprehensive and holistic Big Data Security Analytics platform to implement these enterprise security objectives:
- Improve prevention posture
- Continuous monitoring
- Granular policy enforcement
- Streamline security operations
- Integration and automation
- Develop advanced situational awareness and data-driven decision making capabilities
- Security analytics, contextual awareness, enhanced intelligence
What Is IBM’s AS360° Platform?
Following Jon Oltsik, Mr. Ian Doyle, IBM’s Federal Security Software Team SME, presented IBM’s view of security threats, defined IBM’s AS360° platform, and illustrated how IBM’s AS360° platform can be used to defend against external and internal threats using a fictional federal security intrusion scenario.
IBM categorizes the security threats into 5 categories:
- Insider Threat – Situational, Subversive, Unsanctioned
- Advanced Persistent Threats (APTs) – Targeted, Persistent, Clandestine
- Cyber Attacks – Focused, Well-funded, Scalable
- Fraud – Concealed, Motivated, Opportunistic
- Hacktivism – Topical, Disruptive, Public
IBM’s AS360° is a comprehensive framework approach that leverages IBM’s deep portfolio of security analytics to improve Situational Awareness at the federal mission level by bringing together real-time security analysis with powerful Big Data analytics. Now mission owners can harness the power of all of their big data assets to provide a complete 360° picture of the events, activities, people, conditions, objects, interactions, and other situation-specific factors affecting the ultimate mission outcome. IBM’s unique approach to AS360° allows users to leverage a flexible framework designed to provide security professionals with a holistic and comprehensive set of security and data analytics capabilities to combat the asymmetric nature of the real-time, historical, and future cybersecurity threats.
Access Mr. Doyle’s presentation on the ASC website ( http://www.ibm.com/ascdc ) to learn how security professionals can apply IBM’s AS360° framework to defend against external and internal threats.
Big Data Security Analytics
Mr. Vijay Dheap, an IBM Master Inventor and the Architect leader for Big Data Security Intelligence, presented the trend in which government organizations, by opening their network perimeter to cloud, mobile, and social networks, are exposing themselves to new types of attackers who employ more sophisticated targeted attack techniques such as social engineering and spear-phishing. The attack methodologies are also adapting to current defensive approaches, attempting either to hide malicious activities among large amounts of innocuous activity or to disguise their intent by appearing to be innocuous activity. Current tumultuous economic and social conditions are further motivating new types of malicious behavior. Government organizations can’t defend themselves against these types of attacks using traditional cybersecurity IT solutions.
Mr. Dheap presented an urgent need for government organizations to adopt a security intelligence architecture with big data and advanced analytics to defend against the new security challenges. He recommended that:
- An organization needs to keep its traditional security data for longer periods of time to perform analysis on the data. Historical analysis has the potential of unearthing longer running attack methods and identifies relapses in security over time.
- Data sources not traditionally employed for security (email, social media content, corporate documents, and web content) can help an organization better qualify what assets and entities need to be protected and/or observed.
- A variety of analytics can be performed to reveal security insights from these larger data sets, but they will require more processing time. This analysis should be done asynchronously to the real-time analysis that traditional security intelligence utilizes… Once the analysis is complete, the insights should be fed back to the real-time component to make the overall solution more effective over time.
- A renewed emphasis needs to be placed on investigative analysis that can initially be categorized as ad hoc before it is codified. Given the specificity of an organization and its business ecosystem, this will be crucial for the security intelligence solution to gain contextual awareness necessary for thwarting targeted attacks.
Mr. Dheap discussed six essential use cases where organizations can apply the Security Intelligence with Big Data (AS360°) platform to defend themselves against internal and external threats:
- Establishing baselines for anomaly detection,
- Advanced persistent threats,
- Qualifying insider threats,
- Predicting hacktivism,
- Countering cyber attacks,
- Mitigating fraud.
Defending Against Advanced Persistent Threats (APTs) Using Big Data
Mr. Bruce Cerretani, IBM Federal Big Data Architect, discussed how Big Data technology such as Streams technology and Hadoop, as well as traditional database warehouses, could be used against APTs.
Streams technology should be used when:
- It would be too expensive to store before analyzing. The data must be filtered or pre-processed.
- Data fusion across multiple, disparate streams (sensors) brings advantage.
- True real-time data analysis can provide better business outcomes.
- The ability to run multiple analytic models or applications against the same data would help.
Hadoop technology should be used when:
- Data volumes cannot be cost effectively managed using existing technologies.
- Analyzing larger volumes of data can provide better results using HPC.
- Mining insights from non-relational data.
- Exploring data to understand its potential value to the business.
- Diverse data must be cost effectively stored and analyzed on the same platform.
The ESG research reveals that 44% of responding enterprise organizations believe their current levels of security data collection, processing, and analysis qualify as “big data” today, while another 44% believe their security data collection, processing, and analysis will qualify as “big data” within the next two years. Government organizations will need to implement a Big Data Security Analytics (IBM AS360°) platform that provides both real-time and asymmetric big data security analytics capabilities for incident detection as well as historical analysis of large volumes of structured and unstructured data.
Upcoming ASC – AS360° Events
To learn more about IBM’s AS360° platform – please register to attend IBM’s upcoming AS360° series events:
- Detecting and Preventing Fraud with Analytic Modeling
- When: Thur. Oct. 24, 2013 at 8:30 am – 12:00 pm
- Location: ASC-DC, 600 14th St. NW, 2nd Floor, Washington, DC
- Continuous Monitoring and Mitigation to Improve Agency Cybersecurity
- When: Thur. Nov. 14, 2013 at 8:30 am – 12:00 pm
- Location: ASC-DC, 600 14th St. NW, 2nd Floor, Washington, DC
To view the “Leveraging Security Analytics to Improve Your Situational Awareness” event presentations and listen to audio, please visit the ASC site -> https://www-950.ibm.com/events/wwe/grp/grp004.nsf/v17_agenda?openform&seminar=423KT7ES&locale=en_US