What CIOs Need to Know to Capitalize on Security Analytics

Amit Yoran, President of RSA, discusses the power of analysis and detection to protect against today’s security threats.

As industries become increasingly digital, the security threats they encounter become more frequent, more complex, and more potentially damaging. New threats continually reshape the security landscape. Security analytics enable enterprises to navigate that changing landscape, detect and respond to threats, and protect their digital assets and business reputations.

To explore the business necessities and technological capabilities, we discussed security analytics with Amit Yoran, President of RSA, the security division of EMC. An information systems security industry pioneer and entrepreneur, Amit joined RSA with its 2011 acquisition of NetWitness.

What is the purpose of security analytics?

Yoran: Security analytics dramatically improves the ability of an enterprise to increase visibility and then to rapidly detect, investigate, and remediate security threats of all kinds. It is software that makes the process of protecting data and information systems more informed, more intelligent, and more comprehensive.

Maintaining information systems security has always been an analytical endeavor. What’s new about the role of analytics in security today?

AY: The security challenge has changed fundamentally in recent years. As industries continue to digitize, new security questions and needs arise. Think about the opportunities and potential vulnerabilities of wearable healthcare devices and network-connected cars. Enterprises are struggling to keep pace with the volume and variety of new threats. Failing to do so — as we’ve seen at Target, Home Depot, Sony, and others — can incur enormous financial and reputational cost.

Security used to focus on monitoring activity at the perimeter firewall, authenticating users, and deploying anti-virus software against known threats. A limited set of predetermined data was available to Security Incident and Event Management (SIEM) systems. Now with mobile apps, cloud services, and a proliferation of customer touch points, there is no firm perimeter to protect. With social media apps in the mix, there are many more identities to verify. And new threats multiply as the sophistication of cyber-threats expands, and as the insider threat of employee malfeasance becomes a growing concern in many organizations.

Today, enterprises have to recognize that they’re vulnerable and assume that their systems have been breached. They need to notice anomalous activity and behavior anywhere in their systems in order to assess threats and remediate rapidly. Enterprises have a lot more security-related data to look at, but they don’t know exactly what they’re looking for. Security has become a big data and advanced analytics challenge.

What specific capabilities are needed in a comprehensive security program?

AY: First you need visibility, as complete as possible, into everything happening in your networks and applications: packets, full sessions, event logs, endpoints, and traffic inside your networks, not just at the entrance and exit points. Then fold in data about digital assets and their sensitivity, users and their authentication, and business context around anticipated threats. Get all that data, including a baseline of past activity for comparison, in one place.

Then you need the analytics to notice patterns and detect anomalous activity, including new developments that traditional SIEM software is likely to miss. Because there is so much data and such a variety of data to look at, you need to automate as much as possible the structuring, enrichment, scanning, and initial analysis. That requires big data analytics methods.

Finally, security operations staff must be able to take quick action on the most important incidents. Drill down to explore incidents in detail. Assess the level of threat and prioritize accordingly. Use the very best event management tools and techniques to isolate and counteract the threat. And close the loop by capturing what you learned and what you did so that similar incidents can be dealt with faster next time.

Behind these capabilities you need high-volume and scalable storage and processing infrastructure.

How do RSA and the Federation companies deliver these capabilities?

AY: We have two major components working together. One is RSA Security Analytics, an integrated platform for real-time capturing, monitoring, and analyzing of all the essential security data, including full network packets inside corporate networks. It also supports the complete workflow around detection, investigation, and remediation. Best practices are built into the workflow, and advanced analytics capabilities are engineered into the detection process. Built-in archiving makes possible advanced levels of compliance capabilities across security. This component is a state-of-the-art security platform.

The second component is a scalable Business Data Lake for security analytics built on technology from EMC and its Federation partners Pivotal, VMware, and VCE. It is a data science platform for all that security data, including as much historical data as you like, plus any other business context information you want to incorporate. In the Business Data Lake you can do more free-form analytics and spot “fainter signals” of trouble. It helps you recognize new problems where formal detection and remediation methods don’t exist yet, as well as new insider threats and vulnerabilities specific to your infrastructure configuration.

The Business Data Lake amplifies the value of your security data, most of which is captured by RSA technology, and amplifies your powers of analysis and detection. Individually, both components are powerful. Together, they provide an enterprise with a completely engineered solution against today’s wide range of security threats.

Using the Data Lake for security makes sense. Can it be put to other uses?

AY: Absolutely, anytime you want to do advanced analytics against a large and varied set of data. The Business Data Lake uses the Hadoop HDFS file system to handle structured and unstructured data together, but it’s more than a flexible and scalable repository. The analytics run right there so you don’t have to export data to a separate analytics engine. The Business Data Lake can also be expanded with Pivotal capabilities for SQL-like interaction and in-memory technology for real-time capabilities.

We often see security analytics as the business case driving adoption of the Business Data Lake platform, but once organizations are familiar with it, there are many other use cases. Enterprises will have rich application layers atop their Business Data Lake platforms.

Please say more about the people and process sides of security analytics.

AY: As always, the best technological tools are only part of the solution. Security operations staff need to develop new skills, apply new techniques, and execute new workflows. More than ever before, the skills are forensic, and people’s scope and versatility must expand along with the volume and variety of data they work with. Individuals and organizations need to rethink how they do security, retrain their “muscle memory” for recognizing and dealing with threats.

This demand for new skills plays out against the backdrop of an overall shortage of security analytics talent — there just aren’t enough highly trained and experienced people to go around. That’s why we strive to automate the data management and analytics as much as possible, including with proven security data science applications. We also enable and automate the security analyst workflow with template-driven, point-and-click interfaces, and we offer a variety of educational services. We want to enable the enterprise to move people quickly up the learning curve and to maximize the productivity of the staff they have.

Speaking of learning, that seems to be at the heart of the security process. What’s your perspective?

AY: The “bad guys” trying to breach systems, steal data, and compromise infrastructure are extremely inventive. So it’s essential to stay on top of what they’re doing. The RSA solution is regularly updated with the latest intelligence and remedial methods, drawn from both our own research team and security industry sources.

One customer, a financial services leader with more than 60,000 employees, is protecting $10 billion in annual revenue. It is under continual attack. An enterprise like this can add its own custom parameters and infrastructure details as it learns about local threats. At the same time, the Business Data Lake is all about continuous exploration and learning, including being alert to activity and behavior never seen before. Then all the experience of dealing with incidents feeds back into the Business Data Lake, making it a more powerful learning platform over time.

In security analytics, learning is both a continuous process and a communal one. There’s no sense in trying to go it alone. Organizations must tap into all the intelligence and experience in the marketplace ecosystem, not only through technology providers and subscription services, but also by being active in industry or regional security consortia. The only successful security program is the adaptive security program.

Finally, what are the key things that CIOs should know and do regarding security analytics?

AY: First, you may not be the person most directly responsible for information systems security, but you’re an essential part of the solution as the IT organization assembles the technology platform and contributes data management expertise. So work closely with the CISO and other enterprise security officers to deploy a comprehensive and adaptive platform for security analytics, and coordinate it with other business security applications.

Second, you shouldn’t have to piece together your own monitoring and analytics tools and other one-dimensional point solutions. Compared to an up-to-date integrated platform, the homegrown approach takes longer, costs more, and invariably leaves gaps in coverage. Even recently deployed standalone products may already be obsolete.

Third, you don’t have to deploy security analytics all at once. The RSA solution is modular and flexible, and the Business Data Lake is by definition extensible. That said, however, your enterprise may need an aggressive implementation timetable — another reason to build from an integrated platform. And the work of improving the security platform never ends.

Finally, in today’s networked and data-driven marketplace and society, every business is an information business, and information risk is business risk. Be an advocate among the executive team and with the board of directors for an eyes-wide-open approach to information systems security and risk management — enabled as never before by advanced analytics.