The Era of Big Data Security Analytics Is Here

We have reached a strategic milestone for security organizations—a milestone in our collective fight against sophisticated security threats.

Enter the era of Big Data security analytics…

RSA has released a new type of security solution that combines key parts of network forensics, Security Incident and Event Management (SIEM), threat intelligence, and Big Data technologies and techniques, to deliver a level of visibility that is different from, and deeper than, all others that have preceded it. Most CISOs will likely agree that this new era of security couldn’t have come sooner.

This view is confirmed by newly published research from Jon Oltsik, security analyst at ESG (from whom I borrowed the title of this blog). In his paper Jon clearly brings forward his argument — with which I completely agree — that security threats have changed, and thus the tools and approaches used for defense need to change significantly. I recognize this sounds a bit cliché, but if you read Jon’s paper you will see the clear argument and evidence to back up this claim. One very obvious technical trend is that the volume of security data required to provide the visibility necessary to improve an organization’s defenses has gone up — way, way up. In fact, the ESG research paper mentioned above indicates that 47 percent of the organizations it surveyed collect, process and analyze more than “6 terabytes of security data on a monthly basis.”

Sounds like a Big Data Security problem needing to be addressed.

RSA’s solution in this new era is RSA Security Analytics. Whether or not the market ultimately considers this product a next generation SIEM or creates a new category for it, Security Analytics brings forward a new approach to the detection and investigation of threats that goes beyond traditional, log-centric SIEM systems. It enables the ingestion and analysis of large and fast changing data sets with the goal of helping the security analyst draw intelligence from it in near real-time.


Does it consume logs? Yes. But it is not limited to only that form of telemetry. Security Analytics combines broad telemetry (most notably full network packet capture, automated threat intelligence, and asset information) with a data management and analytic platform that scales to make real-time security monitoring effective against even the stealthiest attacks.

The catch? Most centralized security data collection and analytics systems in use by enterprises today (SIEM systems generally) not only rely on partially informative data sources (logs/events), but are already computationally overwhelmed by the volume and rate of change of this security data. Collecting data that can’t be analyzed in a timely manner adds little value.

Asking these traditional SIEM systems to provide better security monitoring to match the stealthiest attacks has become a dead end. It is our view that further tuning and tweaking of traditional, log-centric SIEM systems is futile given the security realities of today. While security organizations face more than SIEM technology challenges, such as rapid infrastructure and application changes and the growing security skills shortage, more effective monitoring tools can help to mitigate the impact of all of these problems.

RSA Security Analytics is architected to give security organizations the visibility and situational awareness needed to detect and analyze security threats inside and outside the enterprise. Our short video below does a good job outlining how Security Analytics can be used in potential scenarios where traditional security approaches and tools would be all but blind to the faint signals of an advanced and targeted attack.

About the Author: Matthew Gardiner