Security Experts:

Shaping Up "Big Security Data"

You've heard it a thousand times before: information is power. The more data you have, the more insight and knowledge you possess. But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? What happens when every new security control that's put in place to protect data is just another administrative burden—increasing the security event data that must be monitored, logged, shared between security components, analyzed, and reported on.

How much data consumption is too much?

“Big security data” consists of data sets that grow so massive that they become awkward to work with using the database management tools that you have on hand. A few extra gigabytes here and terabytes there, and before you know it, you've got a big security data problem.

Big DataData obesity didn't happen overnight, and it's not going away anytime soon. According to IDC, big data will continue to be a big issue in 2012 and beyond. The analyst firm predicts digital content will grow to 2.7 zettabytes (ZB) in 2012, up 48% from 2011.

Let's look at how traditional IT security teams have addressed the big security data challenges.

Security information and event management (SIEM) systems were originally invented to address the growing volumes of information security data. In the early 2000s, SIEMs began to handle firewall, vulnerability assessment, and IDS data, with two primary purposes: reducing false positives from intrusion detection systems and improving the ability to investigate security event logs. SIEM pioneers built their solutions on existing database management tools, augmenting these tools with event data and specialized analytics.

Early SIEM adopters tended to be sensitive, highly security-conscious organizations (financial services companies, health care providers, defense contractors, and governments). Then came the onslaught of well-publicized data breaches that spanned markets and continents—quickly followed by public outrage and a steady stream of regulatory mandates. Event management became a core component of the "control framework" in Sarbanes Oxley section 404. SOX was quickly followed by PCI-DSS, yet another set of regulatory requirements that necessitated log review to pass audit. Almost overnight, internal and external auditors insisted upon SIEM.

As corporate security officers scrambled to address these issues, corporate IT fell in love with yet another data-laden trend: virtualization--the double mocha frappuccino of data consumption. While virtualization reduced the physical requirements of running a datacenter, it quickly bred even more data and applications that had to be secured and reported on.

The point product intervention

Many companies realized that check-box compliance helped them pass audits, but didn't necessarily improve security. They continued adding new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions were unable to digest all of this data or provide timely analytic capabilities. Traditional relational database-powered SIEMs bogged down under the stress of simultaneous high-speed insertion rates, combined with the added burdens of continuous real-time correlation and historical reporting. One common workaround for this data explosion involved turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled feature creates another vulnerability and exposes the enterprise to greater risks.

Getting your arms around big security data

So how do you deal with big security data even as your business tightens its belt?

Time for a big security data fitness plan.

Big security data protection requires capabilities that SIEMs didn't offer just a year to two ago. Today's sophisticated security threats originate from outsiders, those inside your network, and even privileged users. Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including a highly responsive, scalable architecture that can keep pace with big security data's growth.

The big security data explosion has changed SIEM requirements. Whether you're looking to add SIEM to your security fitness regimen, or evaluating the latest SIEM solutions, you can’t go wrong by heeding the following common-sense recommendations.

Add Muscle, Lose Fat

There's a reason why most diets fail. You can't maintain weight loss without building muscle. Put simply, muscle burns fat—the more muscle you have, the easier it becomes to maintain your desired weight. Likewise, you can't choose an underpowered SIEM solution and put its data feeds on a diet to maintain performance. Therefore, choose a SIEM that:

• Includes a high-performance architecture to handle reams of security data and easily scales to handle future growth. As mentioned earlier, companies aren't likely to curb their appetites for data, so you must have a solution that can efficiently convert security data into meaningful, actionable information.

• Collects massive amounts of data—hundreds of thousands of events per second.

• Includes a powerful database and appliances with the processing power to quickly correlate billions of events and flows.

Boost Your SIEM IQ

There's a direct correlation between physical fitness and mental acuity. In fact, the latest neuroscience suggests that neurons fuel themselves during exercise to help boost brain power, with effects that linger long after a workout. Likewise, the next generation of SIEMs is taking security intelligence up a notch, working faster and harder to go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. To achieve this, SIEMs need to be able to:

• Share situational awareness by immediately collecting and analyzing contextual information on events, users, and data.

• Provide dynamic threat visibility that supports around-the-clock threat intelligence on a global scale. Integration among components with a real-time, reputation-based service is the best way to achieve this.

• Take the guesswork out of where to focus your security efforts with the tools to quickly pinpoint attacks and implement countermeasures.

Achieve Balance and Agility

IT experts must rely on multi-layered security models for the same reason that athletes are obsessive cross-trainers: Too much focus on one area isn't helpful if others are neglected in the process. As mentioned earlier, SIEM is a critical component. However, effective big security data requires security tool integration. As you continue building your big security data fitness plan:

• Look for opportunities to consolidate and share security data. A solution should not only gather all logs into a central location, but also make them accessible from a central web user interface and share data among other security and risk management products.

• Look beyond your perimeter. A wide-angle view of threats is essential these days. You must be able to view new threats in the wild, filter out irrelevant noise, and quickly home in on the threats that relate to your IT infrastructure and business.

Finally, seek the expertise of a trusted security advisor or systems integration professional with expertise in SIEM. Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.

Eric Schou is a Group Product Marketing Manager at McAfee. He is currently a part of the Security Management Group. Before joining McAfee, Schou spent more than 15 years in the security and storage industry.