The Rise of Data-Driven Security, Part 5: Synthesis Platforms

posted by Scott Crawford | April 1, 2011


(Ed. note: After too long a hiatus, I wanted to round out this series that began here and continued here, here and here. This will certainly not be the end of my coverage of data-driven security, however. Keep an eye on this blog as the field continues to unfold.)

In this series, I’ve described three areas where the evolution of data-driven security is becoming evident:

  • Data-driven tactics that differ from legacy security technologies in part by their focus on a more continuous, dynamic dependence on data sources.
  • Data-driven strategy and management based on insight from many different kinds of data.
  • Data sources to serve these interests, which can be expected to grow in their variety, as well as in the variety of ways they are made available as offerings in their own right.

In the last post in the series, I examined the rise of the “Fourth Paradigm” of scientific investigation centered on the analysis of data generated through the earlier paradigms of theory, experiment/observation, and computational simulation. If we are to pursue an approach to security based on this paradigm – with insight into operational security realities as well as evidence-based strategy management driven by data – we will need tools to synthesize understandings from our data sources.

In security operations, we already have these to some extent. One of the first places most would look for this would likely be Security Information and Event Management (SIEM) – but consider the other forms of synthesis we make use of today, such as the modeling of possible penetration pathways exemplified by Skybox and RedSeal and, more recently, by Core Security’s Core Insight: tools that rely on vulnerability and threat data as well as knowledge of a specific architecture.

This is not to diminish the significance of event correlation as a form of operational synthesis – but it has its limitations. For one thing, rule-based systems cannot alert on what they do not recognize. In the face of threats that deliberately seek to avoid detection, or those that target previously unrecognized vulnerabilities, security operations teams need more flexible insight into as much information as possible in order to discover new threats or high-risk activity.

This need gave rise to technologies that grew out of forensic analysis and network security monitoring as a practice, which in turn spurred the growth of security analysis platforms such as those of AccessData, NetWitness, Niksun, Solera Networks and others. These platforms give analysts a set of tools to synthesize insight from a number of sources, from malware samples and evidence of activity collected from network content to third-party intelligence. The scope and flexibility of these toolsets give practitioners a way to better understand more complex, ongoing or as-yet unrecognized security issues.

This is a type of synthesis that grows as analysis itself progresses, particularly as a sequence of activity becomes evident. As the need for additional analytic tools and data sources continues to expand, these toolsets have expanded as well. Intelligence integration platforms such as Palantir or the open source Maltego often intersect with other forensic tools as well as with intelligence information beyond IT, as broader security interests cross paths with information security.

Another area where tools for operational insight have expanded is in the application of search to operational data exemplified by tools such as Splunk. As with flexible analytic toolsets, the advantage of search is that it frees analysts to build data syntheses on demand, according to the needs of a specific problem. It also enables the construction of ongoing data sets based on queries that can be constructed and saved as needed. Search is one aspect of the larger realm of data mining, which speaks to the value of data management, warehousing and retrieval in support of security priorities.
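To make the contrast drawn in the last few paragraphs concrete, the Python below (an added illustration, not code from the original post or from any vendor named in it) puts a fixed correlation rule beside a search-style ad-hoc filter and a saved query, run over a few constructed log records. The hosts, accounts, paths and the "historical directories" baseline are all made up for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed sample events: hypothetical hosts, users and paths, not real data.
EVENTS = [
    {"src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"src": "10.0.0.9", "user": "svc-backup", "action": "login", "result": "ok"},
    {"src": "10.0.0.9", "user": "svc-backup", "action": "read", "file": "/backup/daily.tar"},
    {"src": "10.0.0.9", "user": "svc-backup", "action": "read", "file": "/finance/q1.xlsx"},
    {"src": "10.0.0.9", "user": "svc-backup", "action": "read", "file": "/hr/salaries.csv"},
]

# Constructed baseline: top-level directories each account has historically read.
BASELINE: Dict[str, Set[str]] = {"alice": {"/home"}, "svc-backup": {"/backup"}}

FAILED_LOGIN_THRESHOLD = 5


def rule_failed_logins(events: List[dict], threshold: int = FAILED_LOGIN_THRESHOLD) -> List[str]:
    """Classic correlation rule: fire when one source logs N or more failed logins.
    It is silent on anything it was never written to recognize."""
    fails = Counter(e["src"] for e in events
                    if e["action"] == "login" and e["result"] == "fail")
    return sorted(src for src, n in fails.items() if n >= threshold)


def search(events: List[dict], **criteria) -> List[dict]:
    """Ad-hoc, search-style filter: keep events whose fields all match the criteria."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def saved_query_unusual_reads(events: List[dict], baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """A query an analyst might save once an investigation suggests it: file reads
    outside the top-level directories each account has touched before."""
    unusual = defaultdict(list)
    for e in search(events, action="read"):
        top = "/" + e["file"].split("/")[1]
        if top not in baseline.get(e["user"], set()):
            unusual[e["user"]].append(e["file"])
    return dict(unusual)


if __name__ == "__main__":
    print("rule alerts:", rule_failed_logins(EVENTS))   # only the brute-force source
    print("unusual reads:", saved_query_unusual_reads(EVENTS, BASELINE))
```

The fixed rule surfaces only the failed-login source; the service account reading outside its usual directories is found by a query the analyst composes after the fact, which is the on-demand synthesis the text describes.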

In security management, analysts need insight into realities of how resources are used, how they may be better allocated, and how to adapt to changing priorities. This may be vital not only to making the best use of limited resources, but also for strengthening the integration of security with areas such as IT operations and application development, as well as engaging executives and stakeholders throughout the business. Risk analysts may need tools to develop risk models or other insights that further inform these priorities.

This was implicit in my original vision for what I called “strategic risk management” some years ago. Today, the realm characterized as GRC is dominated more by the C, while the R is still in its early stages and is largely focused on issues such as vulnerability management. The limitations of current technology, however, suggest an opportunity for the realm of Business Intelligence (BI) to capitalize on a data-driven approach to strategic insight and security management.

It also raises a question: Where will security data synthesis go tomorrow? As these examples suggest, synthesis as it is today is often stovepiped in domains of event management, operational monitoring or management-focused analysis. This in itself introduces risks, particularly if management analysis strays too far from the realities of what is actually observed in the environment, or from the insight of peers or the community to raise awareness and maintain perspective.

Here again, the tools of data synthesis – as well as the lessons we may learn from the world of BI and data management – may help to show us a way forward. For example, Lyza integrates BI tools with a social networking platform to link data analysis with commentary and community insight. This gives analysts a way to share data synthesis with others within a structure that supports collaboration while protecting underlying data and enabling management of who can see what (capabilities that public agencies in particular may well value). The linkage of data analysis with commentary and collaboration also overcomes another barrier to data sharing, particularly for quantitative analysis, since numbers aren’t nearly as searchable as words. This sort of integration would provide a way for data analysts searching for particular types of findings to discover them more readily.

Conversely, security analysis platforms and their ability to recognize, render and visualize a range of data that includes malware executables or the ability to recognize threats hidden in seemingly innocuous content may fuel new innovation in BI, data management and data analytics for the integration of what may today seem like unconventional classes of data.

While the needs of security data synthesis will likely forge new integrations of analysis tools and data sources that break down today’s barriers to insight, this does not necessarily mean the emergence of a “superplatform.” Indeed, flexible toolkits and approaches that can be adapted to the needs of any specific requirement have already proven their popularity among enterprise data analysts and security professionals alike, and the range and variety of approaches to data synthesis will likely remain as broad as the scope of interests they address.

It should be expected, however, that vendors in both security and data management that pursue these interests may well move toward incorporating a wider range of capabilities into their offerings, as the needs of a data-driven approach to security and risk insight help forge new directions – and remind us of the role security has played in driving advances in information technology, going back to the origins of modern computing itself.
