Security in 2013: The “Productization” of Big Data
In my last post, I noted that I expect intelligence and the coordination and integration of defense technologies to be key drivers of the IT security market in 2013. This is not just about some major vendors who have acknowledged their need for a wake-up call on these fronts. These are larger trends that are already influencing the direction of the market in multiple ways.
Over the last couple of years, I have written at length about one of these trends in particular: the rise of what I’ve been calling “data-driven” security. As the RSA Conference approaches, announcements will begin to emerge thick and fast from security vendors between now and late February. And as the trend toward a more intelligence-driven approach to security continues to accelerate, I expect those with a significant stake in data-driven security to be revealing their new initiatives in the next several weeks.
Among the most visible will be those who have focused their strategies and market messages on “security intelligence” or “security analytics” as product offerings. This includes some of the vendors most active in the Security Information and Event Management (SIEM) market – though this trend certainly isn’t limited to SIEM (as I’ll elaborate below). In particular, I expect some of these vendors to emphasize the role that Big Data will be playing in their directions this year.
This isn’t new, of course. Big Data was one of the most visible buzzwords at last year’s RSA Conference. What will be new this year will be the extent to which some of these vendors will be integrating – or announcing support for – data management platforms such as Hadoop and expanding their analytic capabilities.
Why Big Data in security products? As my colleague John Myers describes, Big Data may not always be big…but it is often complex. Designed for a distributed approach that leverages parallelism for better analytic performance of large or diverse bodies of data, platforms such as Hadoop and NoSQL environments exemplify a highly valued capability of modern data management techniques: the ability to ingest a wide variety of data with less need to force a particular schema on data at ingestion, or other strictures that make it difficult to make the most of the variety of data that security teams would pursue if they could. This ability to embrace data variety is one of the “three V’s” of big data that has particular appeal to security investigators and strategists alike: greater flexibility in discovering evidence that adversaries would prefer remain hidden in security-relevant data, as well as how and where security strategies can be optimized. The ability to unite analysis across silos of security data may be another promise of Big Data platforms that could yield new learnings often stifled by legacy approaches.
Product vendors who focus primarily on tools for enterprise security analysts and strategy managers are likely to be among the most visible making announcements this year, since these are the ones most likely to “productize” the integration of Big Data platforms with security data management. Many of these have their roots in SIEM and related markets such as log management, IT operations data management, and similar technologies. Others have focused on the administration of security and compliance efforts, such as so-called “GRC” (Governance, Risk Management and Compliance) tools. More recent entrants include those that provide security and forensic analysts, technical investigators and incident responders with deep and detailed evidence.
In many ways, the embrace of “Big Data” platforms is simply the next step in the evolution of these technologies, suggesting the likely hybrid approaches to integrating Big Data platforms with existing security data management that reflect the larger trend of hybrid data ecosystems described by my colleague Shawn Rogers. The potential of this trend could well take these vendors beyond their current boundaries, however, introducing new approaches to data-driven security that may in part arise from the breakdown of the silos that often isolate these product categories from each other.
Some of these vendors stand out, because of their present weight or disruptive influence in the enterprise market, and the bets they have made up to now in security as well as in data management and analytics. Most of these have either made allusions to the role of Big Data in their efforts before now, or have already announced support for, or integration with, platforms such as Hadoop and/or partnerships with highly visible companies in that world. Some examples:
Not surprisingly given EMC’s primary focus on enterprise storage and content management, the company’s RSA Security Division has been able to build a competitive security data management portfolio. From the deployability of the enVision SIEM product acquired with Network Intelligence in 2006, RSA has since added strength in GRC with Archer and in investigative platforms with NetWitness. These technologies complement the company’s assets in anti-fraud, intelligence and data security, as well as RSA’s long history in authentication, and its even longer history in encryption. Beyond the RSA Division, EMC’s investment in Greenplum exemplifies the company’s commitment to data warehousing and analytics. It is the NetWitness platform, however, that most visibly represents EMC/RSA’s commitment to investigative security analytics. Meanwhile, recent acquisitions such as Silver Tail Systems represent the company’s forward-thinking view of the value of analytics engaged in real-time defense. RSA executives have been very clear about the importance they attach to Big Data to the evolution of security. I expect this importance to become even more manifest this year.
HP retains a strong hold on the SIEM market as the owner of ArcSight (not to mention competing head-to-head against the likes of IBM in application and network security). But will HP see a priority need to integrate Hadoop or NoSQL platforms with security data management products? In the last several months, the company has emphasized performance in introducing ArcSight technologies such as the Correlation Optimized Retention and Retrieval Engine (“CORR-Engine”) which (as of mid-2012) touted 10-to-1 data compression and the ability to manage up to 45 terabytes of data per instance. Vertica, meanwhile, exemplifies HP’s current investment in data warehousing and Hadoop integration, while the company boasts a range of partners and services focused on Hadoop and Big Data. And in just the last few days, HP announced new services for security breach management and forensic readiness.
IBM is the largest overall product company to take a dominant role in security data management – and this is saying something for a company who, slightly more than a year ago, went from having little more than vestigial capabilities in product segments such as SIEM to owning one of the most dynamic rising stars in the field in Q1Labs. But IBM should keep – and hold – your interest for more than security. With the acquisitions of Netezza and Cognos and the emergence of its InfoSphere BigInsights platform, IBM’s larger strategy is squarely centered on data management and analytics at scale for the “smarter” enterprise. In addition, IBM has a strongly competitive Managed Security Services organization which, when combined with the high priority it places on research generally, arms the company with considerable depth in where and how to apply its capabilities. Examples of where research in data management and analytics are taking IBM go beyond the company’s most visible PR spokesperson – or more correctly, “spokesthing” – namely its Watson project, and include initiatives such as its InfoSphere Streams technology, which has provocative promise for the analysis of data in motion.
Splunk has become a disruptor in this field, taking the technologies of search into the realm of what it calls “operational intelligence” and opening new vistas in terms of flexibility in finding and using a wide variety of operational data in an intriguing diversity of use cases. It must be remembered that search, which is fundamental to Splunk’s success, and today’s emerging technologies for managing diverse data at scale, both arose from the same origins. Recently, this evolution has come full circle at Splunk, with the introduction of Splunk Hadoop Connect. Splunk has also introduced the Splunk App for Enterprise Security as part of its security strategy, challenging incumbents in the SIEM market and providing an alternative for organizations frustrated with products that seem forever to tantalize more than fulfill the promise of SIEM. Splunk’s capacity for disruption was amply evident in the company’s IPO this past spring, which raised over $3 billion on its first day. Though the stock has fluctuated since, it hit highs around the time of the company’s annual user conference in September when positive customer sentiment was in evidence (based on our own experience at Splunk .conf2012).
Of these four, EMC’s RSA Division excels in two areas where its competitors face significant challenges: the NetWitness investigative platform, and Archer for security and compliance management. RSA also has a well-developed portfolio of anti-fraud solutions that appeal to banks and financial services – now augmented with Silver Tail defenses for applying analytic techniques to fraud or application abuse detection in real time.
IBM, on the other hand, brings strength not only in SIEM with Q1Labs but in other aspects of security such as Web applications and network defense, while both IBM and RSA have somewhat different stakes in identity. More significant in the long run may be IBM’s business analytics and data management capabilities beyond security. This not only enhances the company’s credibility in the C-suite, it may also be significant to achieving an important goal of data-driven security: the objective identification and management of security priorities, and communicating the value and effectiveness of security measures to the business. Today, RSA can answer with strength in fraud intelligence and defense and a well-accepted platform for managing the administration of security and compliance efforts with Archer. In the future, however, EMC may have to go farther to demonstrate just how important head-to-head competition in analytics beyond security – or beyond Greenplum – will become. Meanwhile, both HP and IBM have much ground of their own to cover in order to become more directly competitive with both Archer and NetWitness, suggesting the opportunity for vendors such as AccessData and Solera Networks and the expertise of Mandiant.
With its ownership of ArcSight, long dominant in SIEM, HP has also faced significant challenges in the frustrations that many have expressed with security data product deployment, ongoing maintenance, and the limitations of legacy. Breaking down these limitations has been key to the success of SIEM disruptors such as NitroSecurity, whose acquisition by McAfee was announced at the same time as IBM’s of Q1Labs, and emerging leaders such as our neighbor here in Boulder, LogRhythm, which has introduced a highly usable and intuitive approach to security-relevant operational data in what it calls “multi-dimensional” analytics.
But technologies such as Hadoop hold promise beyond SIEM – and even within the realm of SIEM and log data as it is today, vendors such as Splunk and LogRhythm should be watched for what they can do that others cannot – or at least cannot do as well, or in the same way. The flexibility of the Splunk approach has not only led some to actually abandon their efforts to try and make the most of SIEM (as at least one Splunk customer eagerly described to us at .conf2012). It has also introduced a degree of freedom in data exploration that has – as recently as this past week – led more than one vendor to mention Splunk or “Splunk-like” capability in their analyst pitches. True, Splunk mastery may mean an investment in its distinctive techniques such as the Splunk search language – but this investment often yields significant returns when it unleashes flexibility that can be directed toward a very open-ended range of possibilities. Where Splunk could stand to benefit is in an increased investment in technologies such as data visualization.
Which suggests where future directions among all these contenders and others may lead. Each of these vendors has emphasized some degree of commitment to “Big Data” – but fundamentally, that means the management of data scale, speed or diversity. Where data-driven techniques may make an even greater impact is in the expansion of analytics that make evidence come alive. As the “backend” becomes more adept at velocity, volume and data variety, security analytics and data visualization will need to mature not only to communicate intelligence rapidly and effectively, but to free organizations from the dual challenges of finding and retaining both qualified security expertise and qualified data scientists – and neither role is particularly easy to fill today. Innovators such as Packetloop or PixlCloud may have a hand in showing the way forward, reflecting the success of those such as Datameer in broader analytic markets, while experts such as Mandiant continue to blaze trails in security investigation and data management through support for initiatives such as OpenIOC.
Longstanding security vendors such as McAfee, meanwhile, challenge incumbents with assets such as NitroSecurity. But vendors such as McAfee, Symantec and Trend Micro, as well as managed services powerhouses from Dell’s SecureWorks to Vigilant and vendors of “advanced threat defense” such as FireEye and Sourcefire, may be even more interesting for the directions in which they take their services that are “backended” by Big Data. Symantec, for example, did not articulate many specifics regarding future product directions in last week’s announcements of its new strategic focus – but one provocative hint that it did drop had to do with where it might take is current investments in security intelligence, possibly making them more directly available to enterprise customers. Consider as well the potential of vendors such as Akamai, whose visibility into application traffic worldwide give it a distinctive view into security. These suggest the strengths that all these vendors – who already collect enormous amounts of threat intelligence – can capitalize upon.
All of which should make for an interesting next few weeks in the runup to the RSA Conference, as the power – and value – of data and analytics continue to change the nature of security insight.
- Big goals for Big Data (networkworld.com)
- Security Analytics: Hype or Huge? (infosecprofessional.com)
- Five big data predictions for 2013 (strata.oreilly.com)
- HAWK Network Defense Joins Sourcefire’s Technology Partner Program (prweb.com)
- RSA is betting its future on Big Data (networkworld.com)
- Flying Under the Radar: Insurance Claims Fraud Detection (bigdata.pervasive.com)