The use of data to tackle incoming threats is nothing new, and basic intrusion detection systems that monitor suspicious activity within a network have been around for at least three decades. However, during this time data volumes have increased exponentially, and protecting that data is an increasingly daunting task. Gartner estimates that the amount of data analyzed by security organizations will double every year for the foreseeable future.
Chloe Green for Information Age writes that the trick is to keep hold of this vital security information for longer. By retaining this invaluable information for a longer period of time and applying analytics to it, trends and patterns can be established that make any aberrant behavior easier to spot and quicker to act upon.
It is this evolution of big data tools that is allowing security analytics to effectively add a level of context and awareness to security incidents that was previously impossible. By adding this extra context to new threats, security professionals can detect issues that traditional tools may have missed completely.
Moreover, the integration of big data and security analytics can help to root out false positives so that IT teams only focus their attention on the most serious threats.
Unfortunately, traditional security information and event management (SIEM) tools were built to ingest structured, schema-bound event logs, and they handle poorly the unstructured data that is becoming more and more relevant to enterprise security. Furthermore, as network boundaries dissolve and companies open up their information to partners, suppliers, and other parties, the extent of a network's perimeter becomes even more vague and transient.
The value in all analytics is turning raw data into information. However, sometimes taming this source of information can feel like a Sisyphean task. When looking at security data, the formats in which products present it (free-text syslog, CEF, JSON, vendor-specific schemas) and the identifiers they use for the same host, user, or session are all over the map, so events from different products cannot be correlated until they are normalized into one common record.
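The two points above (retaining history so a baseline can be established, and normalizing heterogeneous product formats and identifiers) are illustrated by the following added example; it is not code from the article or from any vendor it mentions. It assumes three constructed input formats, an OpenSSH-style syslog line, a CEF line whose extension uses the standard `rt`, `src`, `suser` and `outcome` keys, and a hypothetical JSON schema with `timestamp`, `source_ip`, `username` and `result` fields, and it assumes a fixed year for syslog lines, which carry none. All sample log lines are constructed for the example.

```python
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

SYSLOG_YEAR = 2024  # assumption: syslog lines carry no year
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verb>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CEF_EXT_RE = re.compile(r"(\w+)=(\S+)")  # simplification: extension values without spaces


def parse_syslog(line):
    """OpenSSH auth line -> common record, or None if the line is something else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime(SYSLOG_YEAR, MONTHS[m["mon"]], int(m["day"]),
                  *map(int, m["hms"].split(":")), tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["verb"] == "Failed" else "success"}


def parse_cef(line):
    """CEF line: 7 pipe-separated header fields, then key=value extension."""
    if not line.startswith("CEF:"):
        return None
    fields = line.split("|", 7)
    if len(fields) < 8:
        return None
    try:
        ext = dict(CEF_EXT_RE.findall(fields[7]))
        ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)  # rt is epoch ms
        return {"ts": ts, "user": ext["suser"], "src_ip": ext["src"],
                "outcome": "failure" if ext.get("outcome") == "failure" else "success"}
    except (KeyError, ValueError):
        return None


def parse_json(line):
    """Hypothetical JSON product schema (field names are an assumption)."""
    try:
        d = json.loads(line)
        ts = datetime.fromisoformat(d["timestamp"].replace("Z", "+00:00"))
        return {"ts": ts, "user": d["username"], "src_ip": d["source_ip"],
                "outcome": "failure" if d["result"] in ("fail", "failure") else "success"}
    except (ValueError, KeyError, TypeError):
        return None


def normalize(line):
    """Try each product-specific parser; return the common record or None."""
    for parser in (parse_syslog, parse_cef, parse_json):
        rec = parser(line)
        if rec:
            return rec
    return None


def daily_failures(records):
    """Failed logins per user per UTC day, built from the retained history.
    Days with zero failures are absent; a real pipeline would fill them from the window."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["outcome"] == "failure":
            counts[r["user"]][r["ts"].date()] += 1
    return counts


def flag_aberrant(records, sigmas=3.0, min_history_days=3):
    """Compare each user's latest day against that user's own history.
    Returns {user: (latest_count, threshold)} where latest > mean + sigmas * stdev."""
    flagged = {}
    for user, by_day in daily_failures(records).items():
        days = sorted(by_day)
        if len(days) <= min_history_days:
            continue  # too little retained history to establish a baseline
        history = [by_day[d] for d in days[:-1]]
        threshold = statistics.fmean(history) + sigmas * statistics.pstdev(history)
        latest = by_day[days[-1]]
        if latest > threshold:
            flagged[user] = (latest, round(threshold, 2))
    return flagged


def constructed_sample():
    """Constructed lines (not real data): six days of routine failures for alice and
    bob as JSON, then Jan 10, where three products each see part of a burst for alice."""
    lines = []
    for day in range(4, 10):
        for user, n in (("alice", 1 + day % 2), ("bob", 1)):
            for i in range(n):
                lines.append(json.dumps({"timestamp": f"2024-01-{day:02d}T08:0{i}:00Z",
                                         "source_ip": "10.0.0.5", "username": user, "result": "fail"}))
    lines += [
        "Jan 10 08:01:02 bastion sshd[2211]: Failed password for alice from 10.0.0.5 port 5112 ssh2",
        "Jan 10 08:01:09 bastion sshd[2211]: Failed password for alice from 10.0.0.5 port 5113 ssh2",
        "CEF:0|ExampleVendor|VPN|1.0|100|Login failed|5|rt=1704873690000 src=10.0.0.5 suser=alice outcome=failure",
        "CEF:0|ExampleVendor|VPN|1.0|100|Login failed|5|rt=1704873700000 src=10.0.0.5 suser=alice outcome=failure",
        '{"timestamp":"2024-01-10T08:02:00Z","source_ip":"10.0.0.5","username":"alice","result":"fail"}',
        '{"timestamp":"2024-01-10T08:03:00Z","source_ip":"10.0.0.5","username":"bob","result":"fail"}',
        "Jan 10 08:05:00 bastion sshd[2212]: Accepted password for bob from 10.0.0.7 port 5120 ssh2",
        "this line is not in any known format",
    ]
    return lines


def run(lines=None):
    """Normalize every line, keep the unparsed ones for review, then baseline."""
    records, unparsed = [], []
    for line in (lines if lines is not None else constructed_sample()):
        rec = normalize(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed, flag_aberrant(records)


if __name__ == "__main__":
    records, unparsed, flagged = run()
    print(f"normalized {len(records)} events, {len(unparsed)} unparsed")
    for user, (latest, threshold) in flagged.items():
        print(f"ALERT {user}: {latest} failures today vs baseline threshold {threshold}")
```

Across the six retained days alice averages 1.5 failures with a standard deviation of 0.5, so the threshold is 3.0; on Jan 10 the five failures seen by three different products only add up to an alert because they were first mapped onto one `user` identifier. Bob's single failure matches his own baseline and stays quiet, and the unparseable line is reported rather than silently dropped.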
To achieve true risk-based security intelligence, address advanced persistent threats, and improve security monitoring, organizations need to store and analyze the right information. This needs to incorporate SIEM, but SIEM is of little use without technologies that provide intelligent detection on top of it. Therefore, investigating long-term trends should be a priority.
For now, it is still impractical and ill-advised for companies to ditch SIEM entirely. It still offers invaluable capabilities for capturing one class of data and for monitoring network traffic combined with richer sources of data from across an enterprise. This is an area of big change, and the value for organizations lies in not just collecting and storing large data sets efficiently but in making sense of the data. Ultimately, security vendors are forced to innovate or die, and SIEM systems of the future must be big data systems or else they will be made irrelevant.
The security controls set forth in industry standard ISO/IEC 27002 provide a framework for effective security, and the companion management-system standard ISO/IEC 27001 frames them within the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but each is designed to meet specific threats and will not block others. At GRT Corp. our security philosophy is built around these words by noted security expert Bruce Schneier: "Security is a process, not a product."