Data-Driven Security: What (and What Not) to Look For at RSA 2012
One of the major themes that will stand out at RSA next week revolves around the trend I’ve been following closely over the last several months: the evolution of security centered on a data-driven approach. There will be many opportunities for you to learn and benefit from this trend that is having an impact on the industry as a whole…provided you keep a few things in mind.
First and foremost:
Data-driven security isn’t just about SIEM, security operations, or “Big Data”:
- Data need not be “big” to have a positive impact on security. (And “big” doesn’t always mean volume alone.)
- Data-driven techniques are influencing a lot more than security information and event management platforms for the enterprise. (Catch up on my overview of the trend as a whole here.)
- “Operations” doesn’t just mean the SOC. The goal of security automation, for example, may well depend on better integrating security data into IT operations management at scale. (If you don’t believe me, ask former Orbitz CISO Ed Bellis, now CEO of HoneyApps.)
- And if it’s true that security ops teams are already too overwhelmed to take advantage of evolving data-driven approaches, how do they expect to get a better handle on where their priorities would best be focused? Or are we condemned to perpetual water-treading (when we’re not sinking outright)? If not, what is the way forward?
In recent days, no one has put forward an answer to that last question more forcefully and convincingly than Ben Sapiro, in this post at Liquidmatrix. By identifying how and where a data-driven approach is central to, as Ben puts it, “build[ing] powerful new techniques and practices for our profession,” this voice adds to those I’ve been following over the last several months that highlight how evidence and insight may help us do what compliance, fear or guesswork has failed to do for us up to now.
So we’re not there yet. Then isn’t it high time we started on the journey?
This, then, is the opportunity I see at this year’s RSA, in spite of the noise. In many respects, this is a year of early exploration and pioneering experience that won’t come again in infosec, so no better time than the present. As Ben describes in the Liquidmatrix post, “I think we are, as [Dan] Geer so eloquently puts it, ‘… at a cross roads, an inflection point’ and now is a great time to build…”
Keep in mind that:
- For as much as data-driven techniques are changing the nature of security data management within the enterprise, they are also influencing the evolution of the tactics of defense that will find their way into a much larger breadth of organizations. (Indeed, considering the volume of information vendors and service providers must manage across multiple customers, they may be the greatest beneficiaries of the trend.) RSA attendees should therefore look for these distinctions in conference sessions and vendor pitches.
- When data management within the enterprise is a priority, organizations should evaluate where they could do better with mature technologies where expertise and support are well established.
- Regardless, many will have wrung as much out of their legacy techniques as they can. Those considering new alternatives for massively parallel data processing should arm themselves with information about where to turn next. In particular, they should be clear about their objectives, the nature of emerging technologies that can help, the requirements they’ll be taking on if they consider new platforms for security data management, and suppliers who recognize the limitations of emerging tools and can provide an enterprise-class approach with better support than a “science project.” (There will be a session in which an enterprise that has succeeded with Hadoop for security data warehousing will be sharing their experience – see below.)
Your organization may not yet be ready to make any new commitments in any of these areas. In many cases, that’s more than justified, particularly considering the relative immaturity of some emerging technologies, or the impact significant changes would have on existing operations.
That’s just fine. Go and learn regardless, so that you can discover where – or if – a data-driven approach may best (or better) help you. Bear in mind that some of your preferred suppliers may already be moving in this direction with the products and services you already use. If you’re a customer of cloud-based or managed security services that often deliver new capabilities with high transparency, you may benefit in some cases without additional investment or effort on your part.
Here are some sessions that may help:
- I am personally looking forward very much to a panel I’ll be moderating on Monday at 3:30 PM at Mini Metricon 6.5, “Data Mining Methods for Enterprise-Level Security.” We’ve assembled a diverse group representing enterprises, vendors and service providers with a wide range of interests, data sources, and early experience. The Metricon community as a whole has been a pioneer of this trend, and I expect to see more than a few attendees who I know are advancing data-centric techniques.
- I’ll also be participating on a panel on “Managing Advanced Security Problems Using Big Data Analytics” at 8 AM Thursday (Session SPO1-301), where we’ll be discussing what’s different about such an approach (hint: the technologies of massively parallel data processing aren’t just about huge data repositories. They are a collection of tools that continues to expand – and as with any emerging technology, they come with their own set of security issues that vendors are beginning to address). We’ll also consider when and where such techniques may be warranted, and whether enterprises can benefit as well as vendors and service providers that manage data at speed and scale.
- If you’re interested in learning how such an approach is being applied today (yes, today) in the enterprise, the Zions Bancorporation team will be following us on Thursday to talk about their experience in security data warehousing using Hadoop “for long term large-scale security, fraud and forensic related analytics”: Session TECH-303, “Security Data Deluge—Zions Bank’s Hadoop Based Security Data Warehouse,” Thursday at 10:40 AM.
- For a look at how Big Data techniques are changing the nature of security products and services, check out Session DAS-108: “Big Data and Security: The Rules Have Changed,” Tuesday, 3:50-5:00, where a vendor (Sourcefire) and a service provider (Perimeter e-Security) will discuss how these trends are influencing their strategies.
- Be looking for the impact of data-driven approaches at Innovation Sandbox, 1-6 PM on Monday afternoon.
- Tuesday at Noon: Special Forum on the Future of Cyber Security and Active Defense: Check out the abstract: “Active defense…emphasizes real-time information, broader situational awareness, and speed…Compare this kind of system to the widely used and disaggregated, enterprise-level approach.”
- Wednesday, 9:30-10:20 AM: Session GRC-202: “Adversary ROI: Why spend $40B Developing It, When You Can Steal It for $1M?” Don’t let the catchy title distract from the focus of this session on shifting attention to better understanding why adversaries focus on what they do, and where organizations may be well advised to adjust their strategies accordingly. (For a similar, data-centric analysis, see this article that appeared in the November/December 2011 issue of IEEE Security and Privacy.)
- Also Wednesday at 9:30: Session SECT-202: “CXO Perspective on Addressing Cyber Threats and Opportunities”: One of the topics to be addressed is “information sharing (obstacles, liability concerns)”.
- Sessions devoted to monitoring topics include “Optimizing Security for Situational Awareness” (SPO1-106, Tuesday at 1:10), “Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats” (TECH-107, Tuesday at 2:40) and “From the Bottom to the Top: The Evolution of Application Monitoring” (SPO1-202, Wednesday at 9:30).
And don’t forget the non-cons surrounding RSA. In addition to Mini Metricon, BSidesSF will also feature an informative and always engaging lineup of speakers, including some who may not be so in-your-face about data-driven techniques as you may see across the street, but whose experience will likely benefit anyone seeking to learn more about this trend.
Some BSides talks along this line:
- “Hacking the Bank: Figuring out what the cost of hacks may be” (Gillis Jones, Monday 2-3 PM)
- “Building your Own Zombie Horde: Dynamic Web Scanning at Massive Scale” (Erik Peterson, Monday 3-4 PM)
- “Metrics that Don’t Suck: A New Way to Measure Security Effectiveness” (Dr. Mike Lloyd, Monday 4-5 PM)
- “The End of Security Stupidity” (Amit Yoran, Kevin Mandia, Ron Gula and Rolan Cloutier, Tuesday 11-12)
And a few BSides talks where a data- or intelligence-driven approach may not be front-and-center, but which seem likely to provoke your thinking regardless:
- “Playing to Win: Designing Protection Based on Mob Rules” (Matt Stern, Monday 10-11 AM. I would expect more goodness on a practical approach to adversarial thinking.)
- “We are Handling Security the Wrong Way” (Brett Hardin, 1-2 PM Monday)
- “Fundamental Flaws in Security Thinking” (Martin McKeay, Tuesday 1-2 PM)
- “I can read your mind” (Will Tarkington, Tuesday 4-5 PM)