Much of the discussion at the RSA conference this week was about how cloud security services and big data will solve all of our security woes, if only we would trust the providers. It’s a tough pill to swallow coming from RSA, which had its servers breached a year ago, exposing thousands of customers to risk. But putting that aside, as RSA executive chairman Art Coviello deftly did in his keynote, there is merit to the idea of using cloud security services and big data analytics to better protect us from the bad guys.
Companies need to crunch through enormous volumes of threat data, spot anomalies in near real time and turn what they find into countermeasures. The computing power, storage and analytics tools needed to do this are coming together in the cloud, but they are complex and most security professionals are not using them today. There are, of course, services like Amazon’s Elastic MapReduce, a hosted implementation of the Hadoop framework that lets developers process vast amounts of data on the cheap, but we need more accessible tools, and soon.
Elastic MapReduce is already used to crunch data across many industries, including pharmaceuticals, oil and gas, financial services and health care. Amazon Web Services says just about every vertical is using it, credit card companies for fraud detection among them, but it cannot share security case studies publicly.
While the service is well used, the average security pro probably hasn’t heard of Hadoop, never mind set up a Hadoop cluster, and shouldn’t have to. RSA promised that better tools are on the way to help with this, although the company didn’t say what they would be. Making services like Elastic MapReduce consumable for the general IT user is what’s lacking in the market today.
Coviello stressed that security teams should adopt a big data model, examining data from external sources as well as threat data from internal intrusion detection and firewall systems. RSA authored a research paper titled “Achieving Intelligence-Driven Information Security,” which collects recommendations from executives at Global 1000 companies and is all about harnessing the power of big data and cloud services to improve security practices.
The paper boils down the key features of an intelligence-driven information security strategy to the following points:
- Consistently collect the right data from the right sources. Finding the right data and sources means figuring out the trustworthiness of a source, the accuracy of its data, the cost to use that source, and whether the data is actionable and useful or redundant with other sources.
- Efficiently amalgamate, analyze and manage the data. Do you have the data-management tools in place to efficiently process the data you are collecting?
- Develop knowledge and produce actionable intelligence. Finding a way to share the security data you are discovering is crucial to the adoption of any IT strategy. It can’t be the purview of one or two guys; everybody has to be on board and sharing the data to make it work. And providing concrete takeaways or measurable next steps is also crucial to moving the plan forward.
- Make risk decisions and take action by modifying controls and planning new defenses. This is about creating a feedback loop, meaning that you should be tweaking your processes and controls as you get more information on how the system is working and feeding that back into the strategy to plan new defenses.
- Share relevant pieces of data such as attack indicators with other organizations. RSA said the security industry is getting better at sharing attack data among organizations, but this could go much further.
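The five points read more like a pipeline than a policy, so here is what the pipeline looks like at its smallest. This is an added example, not code from RSA, Amazon or the paper: a Hadoop-streaming-style map/reduce job written in plain Python that joins internal firewall logs against external indicator feeds, weights each indicator by how much the reporting sources are trusted, and produces actionable alerts, a proposed blocklist and a sanitised set of sightings to share. The feed entries, the source trust scores, the firewall log lines and their key=value layout, and the 0.6 block threshold are all constructed assumptions. On a real cluster the mapper and reducer would read and write tab-separated lines over stdin and stdout instead of Python generators.

```python
from collections import defaultdict

# Assumed trust in each external source (point 1: source trustworthiness).
SOURCE_TRUST = {"isac-feed": 0.9, "open-blocklist": 0.5, "vendor-x": 0.7}
BLOCK_THRESHOLD = 0.6  # assumed minimum confidence for an automatic block (point 4)

# Constructed indicator feed entries: (indicator, reporting source).
INDICATOR_FEEDS = [
    ("203.0.113.7", "isac-feed"),
    ("203.0.113.7", "open-blocklist"),  # same indicator again: a redundant source
    ("198.51.100.23", "open-blocklist"),
    ("192.0.2.99", "vendor-x"),
]

# Constructed firewall log lines; the key=value layout is an assumption.
FIREWALL_LOGS = """\
2012-02-29T10:00:01 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2012-02-29T10:00:02 fw1 ALLOW src=10.0.0.5 dst=203.0.113.7 dport=443
2012-02-29T10:00:03 fw1 ALLOW src=10.0.0.8 dst=198.51.100.23 dport=80
2012-02-29T10:00:04 fw1 ALLOW src=10.0.0.8 dst=93.184.216.34 dport=80
2012-02-29T10:00:05 fw1 DENY src=192.0.2.99 dst=10.0.0.5 dport=3389
2012-02-29T10:00:06 fw1 ALLOW src=10.0.0.9 dst=203.0.113.7 dport=443
"""

def parse_log_line(line):
    """Turn one firewall line into a dict of its fields."""
    ts, host, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "host": host, "action": action, **fields}

def mapper(feed_entries, log_text):
    """Map phase: key feed entries and log lines by IP so the reducer can join them."""
    for ip, source in feed_entries:
        yield ip, ("feed", source)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        # The external party is the source of inbound traffic and the destination
        # of outbound traffic, so key each line once for each side.
        yield rec["src"], ("log", (rec["action"], "inbound", rec["dst"], rec["ts"]))
        yield rec["dst"], ("log", (rec["action"], "outbound", rec["src"], rec["ts"]))

def shuffle(pairs):
    """Stand-in for Hadoop's sort/shuffle: group every value under its key."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups

def reducer(ip, values):
    """Reduce phase: emit an alert when a fed indicator was actually seen in the logs."""
    sources = {v for kind, v in values if kind == "feed"}  # the set drops redundant reports
    sightings = [v for kind, v in values if kind == "log"]
    if not sources or not sightings:
        return None
    # Combine sources as if independent: probability that at least one is right.
    miss = 1.0
    for s in sources:
        miss *= 1.0 - SOURCE_TRUST[s]
    confidence = round(1.0 - miss, 3)
    allowed_out = sorted({peer for action, direction, peer, _ in sightings
                          if action == "ALLOW" and direction == "outbound"})
    if allowed_out:
        next_step = "investigate internal hosts, block egress"
    else:
        next_step = "already denied at perimeter, monitor"
    return {
        "indicator": ip,
        "sources": sorted(sources),
        "confidence": confidence,
        "sightings": len(sightings),
        "internal_hosts": allowed_out,
        "first_seen": min(ts for *_, ts in sightings),
        "next_step": next_step,
    }

def run_pipeline(feed_entries=INDICATOR_FEEDS, log_text=FIREWALL_LOGS):
    """Whole job: returns alerts, indicators to block, and a shareable sightings list."""
    alerts = []
    for ip, values in shuffle(mapper(feed_entries, log_text)).items():
        alert = reducer(ip, values)
        if alert:
            alerts.append(alert)
    alerts.sort(key=lambda a: a["confidence"], reverse=True)
    # Feedback loop: only confident indicators that internal hosts actually
    # reached are blocked automatically; the rest go to an analyst.
    to_block = [a["indicator"] for a in alerts
                if a["confidence"] >= BLOCK_THRESHOLD and a["internal_hosts"]]
    # Sharing: corroborated sightings only, with internal host details stripped.
    to_share = [{"indicator": a["indicator"], "first_seen": a["first_seen"],
                 "sightings": a["sightings"]} for a in alerts]
    return alerts, to_block, to_share

if __name__ == "__main__":
    for alert in run_pipeline()[0]:
        print(alert)
```

On the constructed input, 203.0.113.7 comes out first: two sources corroborate it, two internal hosts were allowed to reach it, so it is proposed for blocking. 198.51.100.23 was also reached, but only one weakly trusted source reported it, so it stays below the threshold and goes to an analyst rather than straight into a control, which is the risk decision point 4 is about. 192.0.2.99 was already denied at the perimeter and is only monitored. The shared list carries indicators and sighting counts but never the internal addresses, which is the kind of filtering point 5 requires before data leaves the organisation.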
Any one of these points is easier said than done and will take an enormous amount of work to do well. But the companies that can figure this out are well on their way to staying ahead of security attacks over the next decade.