The Rise of Data-Driven Security, Part 1: Data-Driven Tactics

Last week, Sourcefire announced the acquisition of Immunet, a provider of hosted anti-malware technology that delivers more responsive protection to emerging threats without the need for periodic signature updates. Much of the commentary on this deal has focused on the accelerating momentum of hosted security technology plays, and the advantages of security functionality delivered “from the cloud.” Clearly, this is a growing trend, as demonstrated in our 2010 Security as a Service research – but there is a key aspect of this trend that should be recognized, because I feel it will become a pervasive factor in the evolution of security management in coming months and years.
That factor is the continued advancement of data-centric approaches to security management – something I call “data-driven security” – which is itself an aspect of the data explosion affecting enterprises of all kinds.
“Data-driven security” as used in this sense does not mean techniques for securing sensitive information per se, such as data loss prevention or data encryption, for example. (I tend to think of this overall field more as “security for information.”) Rather, what I mean by “data-driven” is more along the lines of this initiative on the part of the Internet2 community, which focuses on the changing nature of both tactical defense and strategic security management, both of which are increasingly informed and defined by data sources and data-intensive techniques.
I see data-driven security playing out in three primary domains:
- Data-driven tactics, which differ from legacy security technologies in part by their more continuous, dynamic dependence on data sources.
- Data-driven platforms for security management and strategy guidance, which can be expected to extend the techniques for drawing effective insight from large amounts of many different kinds of data, and
- Data sources to serve these interests, which can be expected to grow in their variety, as well as in the variety of ways they are made available as offerings in their own right.
In this blog series, I’ll be taking a look at all three of these aspects, beginning here first with the evolution of data-driven security tactics.
Of course, data (in the form of signature or rulebase updates) has long been an aspect of security tactics such as antivirus and intrusion detection – but legacy approaches have long focused on maintaining a local cache of this data, updated intermittently by a local agent or appliance that is (typically) siloed. What’s different about the more data-driven approaches is a more direct and continuous dependence on dynamic data sources. With these approaches, data is at the heart of functionality, rather than at its periphery. Immunet collects data on new and emerging threats from its community, enabling the service to act on new or as-yet unrecognized threats and deliver protection quickly to its users. Immunet terms this “collective intelligence,” and it is a feature (along with reputation analysis) of similar approaches such as McAfee’s Artemis, Symantec’s Ubiquity, and Trend Micro’s Smart Protection Network.
Note also the similarity to offerings such as Damballa, FireEye, Endgame Systems’ ipTrust, the tactical aspects of Team Cymru’s offerings, and Umbra Data. These technologies gather intelligence on networked threats such as (in most of these examples) botnets, helping customers to identify these issues on their networks and, where able, provide countermeasures tailored to specific variants. Other examples of data-driven defense include Silver Tail’s ability to recognize deviations from normal application user behavior indicative of a threat, and Mykonos’ ability to (as they put it) tag and profile the attacker.
The cardinal importance of data is highlighted by approaches that collect and centralize intelligence from multiple sources – which may include service provider networks as well as enterprises and endpoints. This intelligence may often be combined with some approach to centralized analysis, enabling providers to deliver defense faster and with greater accuracy thanks to the hosted nature of the service. As the above examples suggest, botnets have been a particular target of such tactics, due in part to their rapidly changing and frequently distributed nature, using highly dynamic techniques to obscure attack sources.
So yes, the focus on a centralized service rather than largely autonomous agents or appliances is a primary aspect of these approaches – but what the centralized approach enables is the capability to collect and act on large data sets with greater speed, accuracy and efficiency.
Recall from one of my recent posts how the data deluge is having an impact on the changing nature of security management. Not only has there been an explosion in the sheer volume of data requiring protection, but there has also been a dramatic growth in threats as well as disclosed vulnerabilities in recent years. This has also led to a secondary (if you will) explosion in the volume of data that is both generated and handled by security tools.
This means that security technologies – and services – must become more adept at handling big data.
Hosted security technologies are one way that the tactics of defense can tackle the mountain of data that confronts security management today. They offer centralized resources that lend themselves to large-scale data management and analysis, able to find needles in enormous haystacks more rapidly and efficiently than many legacy approaches. True, a centralized approach also makes for a centralized target, but cloud computing strategies may be useful here for distributing risk across a broad platform (and, not coincidentally, taking something of a page from distributed threats that minimize their risk of disruption in part through decentralization).
There is another aspect of data-driven security tactics that should have appeal to enterprises: Security point products whose role is today defined by local functionality and locally stored data may become more “general purpose” in their design if their functionality is driven more by continuous, dynamic data feeds. This could someday mean fewer security point products and agents that are more flexible in what they do. This would undoubtedly be good news to enterprises that have grown weary of adding product after product to their security arsenal, and not always with the most satisfactory results.
This also means, however, that these approaches must consider the relevance of “disconnected” operations for some endpoints – less of a factor with ubiquitously connected mobile devices, but for the moment, airplanes, for example, are still IT islands in the sky in most cases. More significant may be the risks of disrupting the data sources on which these tactics depend.
Regardless, the potential of data-driven tactics highlights one important reason why Sourcefire saw Immunet as an advantage, considering how intrusion detection and prevention systems are already driven by signature data. This can also be expected to factor into how IBM applies its BigFix acquisition in the future, considering the flexibility of BigFix’s “fixlet” concept. Data-driven tactics also promise new opportunities for technologies such as security forensics and whitelisting, where forensic triage can be accelerated and made far more efficient when comparing captured data against an inventory of recognized or “known good” software or content – an inventory that may be made available as a data service in its own right.
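As an added illustration (not code from the post or from any vendor mentioned in it), the following sketch shows the triage pattern described above: captured artifacts are hashed and compared against a “known good” inventory that an endpoint caches locally from a hosted data service, with a staleness flag covering the disconnected-operation caveat raised earlier. The inventory contents, file names and the `InventoryCache` type are constructed for the example.

```python
import hashlib
import time
from dataclasses import dataclass

# Constructed sample "known good" inventory, keyed by SHA-256 of the content.
# A real deployment would fetch this from a hosted data service; here it is
# built inline from constructed file contents so the example runs offline.
KNOWN_GOOD_CONTENT = {
    b"MZ-good-installer-v1": "vendor-installer.exe",
    b"#!/bin/sh\necho ok\n": "startup.sh",
}
KNOWN_GOOD_INVENTORY = {
    hashlib.sha256(content).hexdigest(): label
    for content, label in KNOWN_GOOD_CONTENT.items()
}


@dataclass
class InventoryCache:
    """Local copy of the hosted inventory, so a disconnected endpoint
    (the 'island in the sky' case) can still triage against old data."""
    hashes: dict
    fetched_at: float          # epoch seconds when the snapshot was pulled
    max_age_s: float = 24 * 3600

    def is_stale(self, now=None):
        now = time.time() if now is None else now
        return now - self.fetched_at > self.max_age_s


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(captured: dict, cache: InventoryCache, now=None) -> dict:
    """Partition captured artifacts (name -> bytes) into known-good and
    needs-review. A stale cache still yields verdicts, but the result is
    flagged so an analyst knows they rest on an outdated inventory."""
    verdicts = {}
    for name, data in captured.items():
        digest = sha256_hex(data)
        if digest in cache.hashes:
            verdicts[name] = "known-good:" + cache.hashes[digest]
        else:
            verdicts[name] = "needs-review"
    return {"stale_inventory": cache.is_stale(now), "verdicts": verdicts}


def review_queue(result: dict) -> list:
    """The reduced set an analyst actually has to look at."""
    return sorted(n for n, v in result["verdicts"].items() if v == "needs-review")
```

The point of the pattern is the size of `review_queue` relative to the capture: everything the inventory already vouches for drops out of the analyst's workload.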
These types of tactics highlight how security tools are evolving to become more dynamic and continuous consumers of data sources. Indeed, data sources are themselves having an impact on security management, by broadening the range of insight available – if organizations can make use of it. This, in turn, suggests the need for further development of tools to derive more effective insight from data, as well as to get a handle on the data explosion that is affecting security as well as the enterprise as a whole.
More on these aspects in upcoming posts in this series.

