At the RSA Conference 2012 in London, one of the key themes to emerge was that the traditional ways of doing security, while still mostly valid today, are being tested more than ever before. The resources, skills and scale available to hackers, nation states and criminals are resulting in vastly more sophisticated and targeted attacks.
Many breach attempts are now using multiple vectors together - such as a Denial of Service attack combined with the activation of an Advanced Persistent Threat (APT). The aim is to create an environment of panic and uncertainty through a visible primary attack in order to hide the true nature and intent of the secondary attack.
The net effect is to hide the subtle attack in plain sight while the security operations team are tied up dealing with the diversion. Because teams respond serially to the events highlighted by many Security Event & Incident Monitoring (SEIM) solutions, the most visible threat is often prioritised for remediation, leaving the secondary attack to operate undetected for longer.
While the true nature of the attack may eventually be detected, it is often too late to stop the valuables leaving the organisation. The message from RSA was that it is time to start moving beyond looking at various systems and attacks in isolation. Instead, as an industry, we should start to seek out a more intelligent and analytical approach to monitoring activities on the network and between various systems and clients.
RSA argues that we should be taking advantage of some of the technologies and skills that have been developed in other areas of IT, particularly in managing fast moving data sets and extracting patterns of activity from this data through advanced analytics. This is commonly called Big Data, a term that is felt by many to be one of those over-hyped buzzwords.
With RSA being part of EMC - which has Big Data as part of its core marketing message - it is natural to be somewhat sceptical of RSA's use of the term with regard to security analytics. But the sheer volume, breadth and variety of information needed to be collected and stored, together with the need for fast - sometimes real time - insight based on multiple sources of information puts security analytics right in the frame of Big Data.
The viewpoint of RSA is that the move to security analytics is too important to wait for Big Data as a whole to become more widely adopted. Therefore - at least for the near to mid term - the most practical way to achieve this will be an integrated, appliance-like solution that can be bought and switched on with a minimum of integration services and other activities. In the longer term, the data acquisition and analytics may migrate to more general purpose Big Data systems.
Looking at this practically, it is likely that this type of security analytics platform will require a substantial investment in both equipment and skills. Usually this is something only the largest or most heavily regulated and sensitive industries are prepared to stump up for and have the teams to make it work properly. But what about the rest of the market?
For many other companies, security analytics may seem like overkill. After all, this is not a core competency of their business. If you'll excuse an analogy: private citizens or small businesses don't usually provide their own physical security - this is left to publicly funded police forces, army or intelligence operatives. Gated communities or industrial parks enable them to tap in to a shared private security resource.
When it comes to Security Analytics, most of these customers will not be willing or able to run a full, stand-alone capability on site. This is where the ecosystem of security vendors and partners that can offer a variety of managed, hosted or cloud based services will become vital if we are to see a change to more intelligent security.
The challenge is that these solutions are in their infancy and lack many features, such as multi-tenancy, that are required if they are to be offered as a shared service. A substantial amount of development, integration and maturation is going to be required to get these services ready and cost effective to offer, while demand will naturally be low due to a lack of awareness in the market.
IT vendors are notorious for investing where the money is in the short term, rather than taking the longer-term view. If RSA, and others like them, are serious about shifting the security market from product centric protection to intelligent detection and remediation, they need to start investing now in making shared service Security Analytics a reality.
Andrew Buss is Service Director at Freeform Dynamics.