
When it Comes to Security, Big Data isn't Big Enough

Big Data means different things to different industries and organizations. Today, Big Data not only describes the large and complex data sets that organizations are dealing with, it is also used to describe capabilities found in technologies that produce, process, analyze and protect data.

Within the security industry, SIEM, DLP, secure email gateway providers and other product vendors have been quick to use Big Data as an adjective when describing their solutions' capabilities. Used this way, the term implies that the technology can sift through mountains of data and spot trends in events and activity.

From a security standpoint, the sheer number of breaches that plague organizations has made it obvious that on their own, and even when used in tandem with each other, none of the so-called Big Data security solutions have been able to provide organizations with effective risk analysis. This isn't necessarily because they lack the processing power needed to analyze Big Data sets, but because certain data is being overlooked. When it comes to security, as strange as it may sound, Big Data isn't yet big enough.

Recognized Big Data security solutions can only examine data that administrators and engineers have programmed them to identify. They cannot, on their own, choose to browse data sets that they "think" might yield information, nor can they detect information about risky user behaviors that hasn't been captured.

To unlock the potential risk-reducing power of Big Data, organizations need to identify missing risk information. In order to identify this missing information, organizations need to turn to new and emerging technologies.

For example, when utilizing Big Data to identify compliance violations or insider threats via employee actions, organizations tend to rely on data that focuses on something an employee interacts with: firewall logs, file system auditing logs, application logs and the like. These are all considered in an effort to paint a picture of what an employee did from the puzzle pieces found in the logs. The missing information in this scenario is the user activity itself. Add individual user actions (think along the lines of details about every email sent, file opened, website visited, document printed, etc.) into the Big Data mix and you have a far more complete picture of what those within the organization are doing when it comes to issues like data security, compliance and employee fraud.

There are, of course, many rising solutions worthy of discussion that can help address the missing risk information problem; too many to consider in a single article. So for today, let’s focus on User Activity Monitoring (UAM) technologies. UAM provides a level of additional information and advanced analysis that the aforementioned Big Data security technologies can't provide when addressing issues around employee activity and how those activities impact risk within the IT environment.

UAM reveals insights into how employee groups and individuals are accessing and sharing data, what types of risky online activities they engage in, how frequently they visit websites and open emails that expose data to risk, and whether or not they are following security protocols when accessing Web applications and databases. No organization that wants to understand how and where its data is at risk can ignore these data points, and this type of information can only be gathered through UAM solutions.

There are many competing UAM solutions on the market. Each provides varying levels of insight into user activities taking place on the network. Solutions offering complete 360-degree monitoring capabilities work across the leading OSs and mobile platforms, capture and make ready for playback user activities at the computer screen level, can target high-risk users, and provide alerts when risky behaviors begin.

Integrating UAM and other emerging technologies into Big Data enabled security strategies is a step that some organizations have already taken. These early adopters are finding that when they enhance existing data sets with user activity information, for example by cross-referencing the Web log data that shows an employee's device connecting to a Dropbox address with the video replay of the employee copying data into the tool, they are able to better identify high-risk trends that are driven by employee activities. And they are seeing results that allow them to reduce risk across their environments.
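The cross-referencing just described, as an added example that is not code from the article or from any SpectorSoft product: a perimeter log only says that a device talked to a cloud-storage address, so the script joins those connections to constructed user-activity records (who was at the keyboard and which file was copied into the sync folder) within a short time window, and keeps any connection it cannot attribute as a reminder of the gap the article is about. The log lines, usernames, hostnames, the 10 MiB threshold and the address 203.0.113.10 (assumed here to be tagged as Dropbox) are all constructed for the example.

```python
"""Correlate firewall/proxy connections with user-activity (UAM) events.

Added example; everything below is constructed sample data, not real logs.
"""
import re
from datetime import datetime, timedelta

# Constructed firewall log (syslog-style key=value). 10.1.4.40 has no UAM
# coverage, to show what an unattributed connection looks like.
FIREWALL_LOG = """\
2013-05-06T09:02:11Z fw01 action=allow src=10.1.4.22 dst=203.0.113.10 dport=443 bytes_out=48234
2013-05-06T09:15:40Z fw01 action=allow src=10.1.4.22 dst=198.51.100.7 dport=443 bytes_out=1204
2013-05-06T11:20:00Z fw01 action=allow src=10.1.4.40 dst=203.0.113.10 dport=443 bytes_out=5000123
2013-05-06T13:47:03Z fw01 action=allow src=10.1.4.31 dst=203.0.113.10 dport=443 bytes_out=91337201
2013-05-06T13:52:19Z fw01 action=allow src=10.1.4.31 dst=203.0.113.10 dport=443 bytes_out=77120044
"""

# Constructed UAM records: (time, user, host, action, detail).
UAM_EVENTS = [
    ("2013-05-06T08:58:30Z", "jsmith", "10.1.4.22", "web_visit", "https://example.test/news"),
    ("2013-05-06T09:01:50Z", "jsmith", "10.1.4.22", "file_copy", r"C:\Users\jsmith\Dropbox\notes.txt"),
    ("2013-05-06T13:44:12Z", "rdoe", "10.1.4.31", "file_copy", r"C:\Users\rdoe\Dropbox\Q2_customer_list.xlsx"),
    ("2013-05-06T13:50:02Z", "rdoe", "10.1.4.31", "file_copy", r"C:\Users\rdoe\Dropbox\salary_export.csv"),
    ("2013-05-06T16:10:00Z", "rdoe", "10.1.4.31", "email_send", "to=personal@example.test"),
]

CLOUD_STORAGE_IPS = {"203.0.113.10"}      # assumption: address tagged as Dropbox
WINDOW = timedelta(minutes=5)             # assumed: copy must precede upload by <= 5 min
LARGE_UPLOAD = 10 * 1024 * 1024           # assumed threshold for a "high" severity alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text):
    """Parse the log into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({"ts": parse_ts(m["ts"]), "src": m["src"],
                        "dst": m["dst"], "bytes": int(m["bytes"])})
    return records


def correlate(fw_records, uam_events, window=WINDOW):
    """Tie cloud-storage uploads to the file copy (and user) that preceded them.

    Returns (alerts, unattributed): alerts carry user, file and bytes sent;
    unattributed are uploads the log alone cannot explain.
    """
    uploads = [(i, r) for i, r in enumerate(fw_records) if r["dst"] in CLOUD_STORAGE_IPS]
    alerts, matched = [], set()
    for ts, user, host, action, detail in uam_events:
        if action != "file_copy":
            continue
        copied_at = parse_ts(ts)
        for i, rec in uploads:
            # Same host, and the connection starts within `window` after the copy.
            if rec["src"] == host and copied_at <= rec["ts"] <= copied_at + window:
                matched.add(i)
                alerts.append({
                    "user": user, "host": host, "file": detail,
                    "bytes_out": rec["bytes"],
                    "severity": "high" if rec["bytes"] >= LARGE_UPLOAD else "low",
                })
    unattributed = [r for i, r in uploads if i not in matched]
    return alerts, unattributed


def risk_by_user(alerts):
    """Bytes sent to cloud storage per user, the 'trend' a reviewer would sort by."""
    totals = {}
    for a in alerts:
        totals[a["user"]] = totals.get(a["user"], 0) + a["bytes_out"]
    return totals


if __name__ == "__main__":
    alerts, unattributed = correlate(parse_firewall(FIREWALL_LOG), UAM_EVENTS)
    for a in alerts:
        print(f"[{a['severity']}] {a['user']}@{a['host']} copied {a['file']} ({a['bytes_out']} bytes out)")
    for r in unattributed:
        print(f"[unattributed] {r['src']} -> {r['dst']} {r['bytes']} bytes: no UAM coverage")
    print(risk_by_user(alerts))
```

The window is one-directional on purpose: a copy into the sync folder that happens after the connection has nothing to do with that upload. In practice the host-to-user mapping would come from the UAM session record rather than from a static IP, since DHCP and shared workstations break the assumption that one address is one person.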

Unfortunately, many organizations are having a difficult time cutting through the FUD and marketing hype that many vendors are aggressively disseminating. In addition to articles such as this one, there are many resources available that can assist organizations in their Big Data security decision and investment processes:

- Most Attacks Are External, But Never Underestimate The Insider Threat; SecurityWeek, May 1, 2013

- Invest in Information and Analytics to Benefit From Big Data; Gartner, March 8, 2013

- User Activity Monitoring Revealed; Help Net Security, June 20, 2012

- IBM underpins security intelligence and APM releases with Big Data analytics; Ovum, March 19, 2013

- Big Data Security Analytics or Big Data IT Analytics?; ESG, Jan. 30, 2013

Nick Cavalancia, MCSE/MCT/MCNE/MCNI, is SpectorSoft’s VP of Marketing where he assists in driving innovation and the evangelism of SpectorSoft solutions. He has over 18 years of enterprise IT experience and is an accomplished consultant, trainer, speaker, columnist, technology book author, and patent holder. He has authored, co-authored and contributed to over a dozen books on Windows, Active Directory, Exchange and other Microsoft technologies.