For security professionals, being on-call is a fact of life. Their job is never done. Attackers constantly change their tactics, looking for another way in, and the advantage has tipped in their direction.
To cite just a few examples, the public learned last month about a series of high-profile breaches that were attributed to the Chinese military, hit more than 100 U.S. companies, and involved several hundred terabytes of data. More than three million Social Security numbers were recently stolen from the South Carolina Department of Revenue, and even months afterward cybersecurity experts were still finding security gaps throughout the agency's systems. Data files remain unprotected as lawmakers await consultants' advice on the 3.8 million Social Security numbers and 3.3 million bank account numbers that are still months away from full encryption. Compound that with the over 120 million Distributed Denial-of-Service (DDoS) attacks in 2012, up from nearly 1.5 million in 2011, and wherever you look there is evidence that the traditional approaches to information security are no longer effective.
Security Information and Event Management systems (SIEMs) are a case in point. The goal of a SIEM is to help security practitioners collect, correlate, and analyze events using algorithms that recognize suspicious activity. But as the amount of data they monitor has continued to grow, SIEMs have reached the limits of their capabilities.
Scalability has become a major issue as organizations try to capture thousands of events per second in the relational databases commonly used by SIEM products. The changing, increasingly varied data types in organizational environments have made it even harder for SIEMs to correlate relationships between events. Used on their own, SIEMs have noticeably lost effectiveness.
While security practitioners may describe the problem differently, most agree that the fast-growing volume and variety of organizational data rule out a SIEM used on its own as an effective security solution. Scalability, data diversity, the need for real-time search, and time-to-value demand a more effective way to use big data. One increasingly popular approach is called Operational Security Big Data (OSBD).
To paraphrase security expert Kevin Mandia, breaches by advanced attackers are inevitable. Organizations are now experiencing the kind of sophisticated attacks that used to target primarily government defense and intelligence organizations. This is why the ability to handle increasing volume, variety, and velocity of data now matters so much, and it is where OSBD goes to work: it provides a real-time big data approach to security and statistical analysis that detects advanced threats, both known and unknown.
Even worse, accurate and timely information about threats is still not widely shared, so knowledge about vulnerabilities remains with a few rather than with everyone. This is a further challenge for OSBD, and one that today's SIEMs cannot address at all: they were designed for use within a single organization only.
OSBD is the capability to make all data available for security purposes. That data may be unstructured (e.g. machine data such as raw log lines) or structured (e.g. records stored in a relational database management system). It may come from security sensors or from non-security systems, from within the organization or from systems outside the enterprise. This is why handling high volumes of diverse data at high velocity is so important. Attackers can and do change their attacks in sub-second time, responding in real time to an organization's defensive measures, so the ability to index, search and correlate such information in real time is critical, not in batch mode minutes, hours or days later.
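The following is an added example, not code from the original article or from any SIEM or OSBD product, illustrating the two ideas above: a SIEM's collect-correlate-analyze loop, and the OSBD requirement to normalize unstructured machine data and structured records from security and non-security sources into one schema and correlate them as events arrive rather than in batch. The sshd syslog lines, the HR status feed, the 5-minute window and the failure threshold are all constructed assumptions for the example.

```python
"""Toy streaming correlator over mixed-format, mixed-source events.

Added example, not from the original article or any vendor product. Every log
line, the HR feed format, WINDOW and FAIL_THRESHOLD are constructed assumptions.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumed value)
FAIL_THRESHOLD = 3              # failures that make a following success suspicious

# Unstructured machine data: OpenSSH-style syslog lines (security sensor).
# syslog carries no year, so the parser takes it as a parameter.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd(line, year=2013):
    """Normalize one sshd line into the common event schema, or None if unrecognized."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": "sshd",
            "ip": m["ip"], "user": m["user"],
            "outcome": "fail" if m["result"] == "Failed" else "success"}


def parse_json(line):
    """Structured record from a non-security system (constructed HR feed format)."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


class Correlator:
    """Evaluates rules per event on arrival, keeping only windowed state per IP."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.inactive_users = set()          # users the HR feed marks as inactive
        self.alerts = []

    def _expire(self, q, now):
        while q and now - q[0] > WINDOW:
            q.popleft()

    def ingest(self, ev):
        if ev["source"] == "hr":
            if ev["status"] in ("terminated", "leave"):
                self.inactive_users.add(ev["user"])
            else:
                self.inactive_users.discard(ev["user"])
            return
        if ev["source"] == "sshd":
            q = self.failures[ev["ip"]]
            self._expire(q, ev["ts"])
            if ev["outcome"] == "fail":
                q.append(ev["ts"])
                return
            # Rule 1 (single source): N failures then a success within WINDOW.
            if len(q) >= FAIL_THRESHOLD:
                self.alerts.append(("brute_force_success", ev["ip"], ev["user"]))
                q.clear()
            # Rule 2 (cross source): login by a user HR says should not be active.
            if ev["user"] in self.inactive_users:
                self.alerts.append(("inactive_user_login", ev["ip"], ev["user"]))


def run(lines):
    """Feed lines in arrival order; return the alerts raised."""
    c = Correlator()
    for line in lines:
        ev = parse_json(line) if line.startswith("{") else parse_sshd(line)
        if ev:
            c.ingest(ev)
    return c.alerts


# Constructed sample input mixing an HR record with sshd lines.
EVENTS = [
    '{"ts": "2013-03-14T08:00:00Z", "source": "hr", "user": "bob", "status": "terminated"}',
    "Mar 14 09:01:02 bastion sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2",
    "Mar 14 09:01:05 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    "Mar 14 09:01:09 bastion sshd[2214]: Failed password for alice from 203.0.113.7 port 40124 ssh2",
    "Mar 14 09:01:40 bastion sshd[2215]: Accepted password for alice from 203.0.113.7 port 40125 ssh2",
    "Mar 14 09:30:00 bastion sshd[2290]: Accepted password for bob from 198.51.100.9 port 50010 ssh2",
    "Mar 14 09:31:00 bastion sshd[2291]: Failed password for carol from 198.51.100.20 port 50011 ssh2",
    "Mar 14 09:45:00 bastion sshd[2292]: Accepted password for carol from 198.51.100.20 port 50012 ssh2",
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Carol's single failure falls outside the window and below the threshold, so her login raises nothing; alice's login after three failures from the same address and bob's login after HR marked him terminated each produce one alert. The point is that the second rule only exists because a non-security source was normalized into the same stream, and that both rules fire on the event that completes the pattern rather than on a later batch query.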
Informed CISOs know the limits of today’s SIEM technology, and recognition of the capabilities of OSBD is now growing quickly.