In the big data age, security must take the initiative
Today a new malware sample appears every second, and up to 83% of companies have been hit by advanced, persistent threats. Big data is not only a challenge for customers but also for security vendors. If risk equals threat multiplied by assets multiplied by vulnerabilities, then in the big data age risk is only growing.
2013 is the year in which companies adopted big data technology at scale: according to a report published by Gartner, 42% of IT executives say their companies have already invested in big data technology or will invest within a year. Extracting valuable information from massive volumes of low-value-density structured and unstructured data has become an important part of enterprise IT. At the same time, 2013 has also earned the label "the year of cyber security vulnerabilities". Gary Davis, vice president of global consumer markets, wrote in a blog post that as of August this year a series of cyber attacks had cost many businesses, financial institutions in particular, as much as $ millions of trillion. From "hacking" to illegal credit card fraud, cyber fraud stops at nothing.
For big data, the focus is not on the data itself but on how to process it: analysing the data to obtain the information that is actually needed, a view Gartner has expressed and that is widely shared. In fact, SIEM (Security Information and Event Management) faces the same fundamental problem of insufficient data processing capacity. "SIEM is a very important area in intelligent security systems," said Michael Sentonas, McAfee vice president and Asia Pacific chief technology officer, in an earlier interview with reporters. McAfee's SIEM products can integrate its global threat intelligence system with other sources of information, such as applications, endpoints, networks and databases, and analyse the security data in real time. In addition, IPS, firewalls and other technologies are also integrated into the SIEM solution. "The SIEM-based integrated platform has higher visibility into different attacks and makes security protection more proactive."
The power of real-time analysis permeates the entire network
Some security-conscious industries, such as large financial services institutions and government agencies, adopted SIEM early on, but it was not until 2005, when Sarbanes-Oxley audits became widespread, that an effective market was established. Compliance auditing not only expanded the scale of SIEM deployments but also produced a large number of other security devices and raised logging levels. "Traditional SIEM products are concerned with logs, collecting and analysing them, and for today's threat environment that is clearly not enough," says Mason Hooper, McAfee Asia Pacific SIEM Solution Practice Manager. A SIEM needs to monitor anomalies across the whole network in real time, and it must also pay attention to the security of the application layer.
Numerous reports show organisations suffering catastrophic data breaches after passing security audits that were said to be based on stringent compliance standards. IT security therefore needs to evolve from checkbox compliance into a comprehensive security plan covering perimeter, internal, data and system security. In response to these growing security controls, innovative and resilient attackers have in turn made their attack methods more complex, so McAfee believes a SIEM must detect slow attacks, quickly detect anomalies in the event stream, and obtain the relevant data, application and database context. Because big data involves data sets of enormous scale, only a SIEM solution with strong data analysis capability is up to the task.
Relational data scalability. As the volume of event data keeps multiplying and attacks grow more complex, it is critical to enrich event data with relational data about the source, the asset, the user and data intelligence for situational awareness. In addition, this kind of information must be correlated with the event stream in real time within the database schema. Although many SIEMs offer these features, few can support multiple large lists because of table restrictions on the database side. At the same time, to avoid degrading analysis performance, many SIEMs simply look up this information when a user requests it rather than correlating and presenting it in real time. McAfee's SIEM solution can use such information to intelligently build accurate, real-time risk analysis views.
Dynamic analysis. In a big data environment, simple event-stream analysis (showing only connection frequency and whether it has changed) is not enough to understand the real situation. Today's SIEM needs dynamic context to identify changes in user behaviour and adjust risk dynamically based on source reputation, asset risk and related data, application and database activity. Dynamic analysis is an important part of slow-attack detection, and a big data security SIEM architecture needs to accommodate it.
Historical data analysis. Another important aspect of attack detection and effective incident response is the ability to analyse historical event data. Given today's attack methods, the McAfee SIEM solution can access years of data to quickly locate patterns and anomalies while performing real-time analysis without impacting performance. It can also integrate easily with storage systems and store event data efficiently, avoiding the huge cost of large amounts of storage hardware, and its innovative architecture supports frequent simultaneous use of real-time and historical functions.
Event surges. When event data growth exceeds the expected peak, it is critical that analysts can determine whether the increase in event volume is caused by an active attack. McAfee SIEM, built for big data security, not only handles these surge scenarios but also accounts for them in its licensing model. By contrast, SIEMs that do not address this issue discard events or lock analysts out of the console once the events-per-second (EPS) limit is exceeded, denying security teams their primary situational awareness tool at the most critical moment.
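As an added example (not code from the original article or from McAfee), the following Python sketches the enrichment, user-baseline and EPS-surge checks described in the four points above; the context tables, user baselines and event stream are constructed for illustration.

```python
"""Toy SIEM enrichment pipeline (added example; all data constructed)."""
from collections import Counter
from dataclasses import dataclass

# Constructed context tables: asset criticality, source reputation, user baselines.
ASSET_RISK = {"10.0.0.5": 9, "10.0.0.20": 3}           # 1..10, 10 = most critical
SOURCE_REPUTATION = {"203.0.113.7": "malicious", "198.51.100.4": "clean"}
USER_BASELINE = {"alice": {"10.0.0.20"}, "bob": {"10.0.0.5"}}  # hosts normally used


@dataclass
class Event:
    ts: int      # unix seconds
    src: str     # source IP
    dst: str     # destination asset
    user: str    # authenticated user


def enrich(ev: Event) -> dict:
    """Attach reputation, asset and user context and derive a risk score (0..10).

    Unknown sources and assets are treated as neutral rather than ignored.
    """
    rep = SOURCE_REPUTATION.get(ev.src, "unknown")
    asset = ASSET_RISK.get(ev.dst, 5)
    # Dynamic context: a user touching a host outside their baseline raises risk.
    unusual = ev.dst not in USER_BASELINE.get(ev.user, set())
    score = asset
    score += 5 if rep == "malicious" else (2 if rep == "unknown" else 0)
    score += 3 if unusual else 0
    return {"ts": ev.ts, "src": ev.src, "dst": ev.dst, "user": ev.user,
            "reputation": rep, "asset_risk": asset,
            "unusual_for_user": unusual, "risk": min(score, 10)}


def eps_surges(events: list, expected_peak_eps: int) -> list:
    """Return the seconds whose event count exceeds the expected peak EPS.

    A real SIEM should flag these for analyst review, not drop the events.
    """
    per_second = Counter(ev.ts for ev in events)
    return sorted(ts for ts, n in per_second.items() if n > expected_peak_eps)


def top_risk(events: list) -> dict:
    """Enrich every event and return the highest-risk one."""
    return max((enrich(e) for e in events), key=lambda r: r["risk"])


# Constructed sample stream: one normal login, then a burst from a bad source.
SAMPLE = [Event(100, "198.51.100.4", "10.0.0.20", "alice")] + \
         [Event(101, "203.0.113.7", "10.0.0.5", "alice") for _ in range(4)]
```

Running `top_risk(SAMPLE)` returns the burst event with risk 10 and `unusual_for_user` set, and `eps_surges(SAMPLE, 2)` reports second 101 as exceeding the expected peak.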
Big data is not only a serious challenge for organisations but also places higher demands on security teams. In the past, the urgent need to tighten security drove people to gather and analyse ever more events and security data. As the volume of security data grows, traditional SIEM products that only focus on logs, collecting and analysing them, are clearly no longer sufficient for today's threat environment. Only by combining big data analytics, moving from data collection and analysis to rapidly producing security management recommendations, can a SIEM do what it really needs to do.