Big Data 2.0: CISOs eager to discover attack behavior

Source: Internet
Author: User

Is the big data-centric security system already a thing of the past? According to a panel of security professionals at the 2013 RSA Conference, the many organizations that have not yet deployed big data collection systems to discover attacks may already be falling behind.

In a discussion on using big data for better security monitoring, panel members stressed the importance of analyzing very large numbers of network security events. Ramin Safai, CISO of a New York investment bank, points out that his company sees 5,000 network events per second, capturing terabytes of data every day; his three-person network analysis team typically flags 50 of them, of which two are confirmed as legitimate.

At the high end of the industry, says Alex Tosheff, information security officer at eBay's X.commerce division, his organization sees 10,000 events per second and records nearly 1 PB of event data a day, not counting the external "production" environments he supports, namely ebay.com, stubhub.com and so on.

So, in order to find important security incidents, many organizations have deployed systems specifically designed to capture the most important data (data from networks, endpoints, databases, applications, and identity and access management systems), but that is the easy part. Finding the very few events that portend a real attack is the hardest job.

"It is important that your analysis engine works with the best combination of technologies," said Carter Lee, vice president of technology at Overstock.com. He points out that open systems are usually better than large vendor products, because big vendors tend to lock users in for a long time and do not often ship updates for new threats.

Tosheff points out that his organization has followed this model for five years, using a combination of non-commercial and self-developed tools with custom rule sets designed to look for data disclosure events. "We try to keep up with the times. It's a technical contest and it's a difficult process, but it's something we have to do."

Big Data 2.0: Using data to discover attack behavior

But panel members pointed out that finding malicious incidents is not enough. Moderator Richard Stiennon, of the Birmingham consulting firm IT-Harvest, said he first recognized this last year while working with a large defense contractor. He noted a trend toward using big data to identify and correlate important attack indicators and classify them by behavior: a regular, multi-directional attack initiated by a known threat actor.

Tosheff pointed out that his company's electronic crime detection team plays a similar role: it combines its own internal intelligence with external information sources, and has uncovered a variety of malicious actors, including fraudsters, hackers and data thieves. Important conclusions are then recorded in a common dictionary and quickly shared across industry groups through mechanisms such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).

"Tracking attacks is very important," said Praveen, CISO of Datashield Consulting. "If you don't, then get started. These combined features can help you detect and defend against the next attack. By associating events and discovering common properties, an enterprise can discover the identity of an attacker and its subsequent behavior, shortening the time for future detection and response. Important indicators don't have much meaning in themselves, but if you associate them together, you can find some bad situations. By associating them with an attack, the response can make a breakthrough."

Splunk is more popular than SIEM systems

Interestingly, almost all panel members say they use Splunk, a sophisticated data capture and analysis tool, as their primary data analysis tool, rather than expensive commercial security information and event management (SIEM) products.

Safai points out that even though his organization saves its various logs to a SIEM, the data is then loaded into Splunk, because no other tool can handle such data volumes and complexity. Although Safai has talked with SIEM vendors, they have not been able to provide a matching capability: quickly navigate to a dataset, view a specific time or device, pinpoint an event, and then step back and use that event as a starting point to look for trends or similar events.

Safai said: "It is this capability and speed that determined our choice. Our SIEM can't do this; it's slow, it takes 24 hours, and Splunk takes just 2 minutes." Tosheff says Splunk fits closely with the way engineers think. "It is a flexible tool. A SIEM is not yet able to cover all potential data sources. You have to work hard to build tools that adapt to your environment," he said. "It is impossible to simply buy such a tool with money."
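The pivot-and-correlate workflow Safai and Praveen describe (pinpoint one event, find related events sharing indicators, turn the common properties into a profile that speeds up the next detection) can be sketched in a few functions. This is an added example, not code from any panelist, Splunk or a SIEM vendor; it assumes a constructed key=value log format and sample events made up for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2013-02-26T10:00:01Z src=203.0.113.7 user=alice action=login result=fail host=web1
2013-02-26T10:00:03Z src=203.0.113.7 user=bob action=login result=fail host=web1
2013-02-26T10:00:05Z src=203.0.113.7 user=carol action=login result=fail host=web1
2013-02-26T10:01:10Z src=198.51.100.4 user=dave action=login result=ok host=web2
2013-02-26T10:02:00Z src=203.0.113.7 user=carol action=login result=ok host=web1
2013-02-26T10:02:30Z src=203.0.113.7 user=carol action=download bytes=900000000 host=web1
2013-02-26T14:00:00Z src=203.0.113.7 user=erin action=login result=fail host=web3
"""

def parse_events(text):
    """Parse each line into a dict; the timestamp is stored as a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def pivot(events, seed, keys=("src", "user"), window=timedelta(minutes=5)):
    """Step 1: from one pinpointed event, collect others in the time window sharing an indicator."""
    return [ev for ev in events if ev is not seed
            and abs(ev["ts"] - seed["ts"]) <= window
            and any(ev.get(k) == seed.get(k) for k in keys)]

def common_indicators(events, keys=("src", "user", "host")):
    """Step 2: indicators shared by every related event form the attacker profile."""
    profile = {}
    for k in keys:
        counts = Counter(ev[k] for ev in events if k in ev)
        if counts and counts.most_common(1)[0][1] == len(events):
            profile[k] = counts.most_common(1)[0][0]
    return profile

def flag_matching(events, profile, after):
    """Step 3: reuse the profile as a detection rule on events later than the seed."""
    return [ev for ev in events if ev["ts"] > after
            and any(ev.get(k) == v for k, v in profile.items())]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    seed = next(e for e in evs if e["action"] == "download")  # the analyst's pinpointed event
    profile = common_indicators(pivot(evs, seed))
    print(profile, [e["user"] for e in flag_matching(evs, profile, seed["ts"])])
```

On the sample data the pivot from the large download finds the burst of failed logins from the same source, the profile reduces to the shared source address and host, and the same source reappearing hours later is flagged immediately.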

Urgent need for more data talent

However, even with the best combination of commercial tools and custom rule sets, panel members still believe there is a need for well-trained, talented data analysts to investigate the anomalies and attacks that machines cannot always discover.

And gifted data analysts may be the crème de la crème. One panel member noted that data professionals are now among the most sought-after occupations in the IT industry. Safai said that recruiting university-trained students to analyze the data, forgoing some practical work experience, can alleviate the problem to some extent.

"From my experience, you can find talented data analysts in the engineering community," says Money. He points out that his company rotates some IT staff through a variety of positions, gives them the opportunity to work with data analysis tools, and then rewards them with travel to various industry meetings.

"If you know an 18-year-old, take the game controller away from them and tell them to learn to enter this promising field," Lee said. This may best reflect the industry's shortage of data analysis talent.

(Responsible editor: Fumingli)
