Research

If you follow the security press, you know many predict that big data will transform information security. RSA recently released a security brief on security analytics with big data that mirrors the press. Depending on your perspective, security analytics with big data may be the concept that we’ll leverage big data clusters for actionable intel in coming years. Or if you talk to SIEM vendors who run on top of NoSQL repositories, the future has been here for 5 years. You may go with “none of the above”. To me it is simply a good idea that has yet to be fully implemented, which is currently just something we talk about in the security echo chamber. But that did not stop me from enjoying the paper. And I don’t say that about most vendor-led research. Most of it makes me angry, to the point where I avoid writing about it to avoid saying really nasty things in public, which should not be printed. But I want to make a couple comments on the assumptions here – specifically, “Big data’s new role in security comes at a time time when organizations confront un-precedented risk arising from two conditions:”, which implies a connection to both security concerns and the need for big data analytics. I think that link is tenuous, and serves their premise poorly. The dissolving perimeter has little or nothing to do with security analytics with big data. The “dissolving perimeter” became a topic for discussion because third-party cloud services, combined with mobile devices, have destroyed the security value of the corporate IT ‘perimeter’. The ‘edge’ of the network now has so many holes that it no longer forms a discernible boundary between inside and outside. We do, however – given the number of servers, services, and mobile computing platforms (all programmed to deliver event data) get a wealth of constantly generated information. Cheap computing resources, coupled with nearly free analytics tools, make storage and processing of this data newly feasible. And do you think we have more sophisticated adversaries? APT is one argument for this idea, but I tend to think we have more determined adversaries. Given the increasing complexity of IT systems, there seems to be plentiful “low-hanging fruit” – accessible security vulnerabilities for attackers to take advantage of. We have evidence that some security measures are really working – Jeremiah Grossman discussed how this is shifting attacker tactics. Many attacks are not so sophisticated, but still hard to detect. I think the link to big data and attackers appears when you couple the complexity of IT environments with the staggering volume of data, and it becomes very difficult to find the proverbial needle in the haystack. The good news is that this is exactly the type of outlier big data can detect – provided it’s programmed to do so. But ultimately I agree with their assertions, albeit for slightly different reasons. I have every confidence that big data holds promise for security intelligence, both because I have witnessed attacker behavior captured in event data just waiting to be pulled out, and because I have also seen miraculous ideas sprout from people just playing around with database queries. In the same way hackers stumble on vulnerabilities while playing with protocols, engineers stumble on interesting data just by asking the same question (query) different ways. The data holds promise. The mining of most data, and all of the work that will be required in writing M-R scripts to locate actionable intelligence, is not yet here. It will take years of dedicated work – and it’s will take script development on different data types for different NoSQL varieties. Finally, I like the helpful graphic differentiating passive vs. active inputs. I also really like Amit Yoran’s commentary; he is dead on target. The need to aggregate, normalize, and correlate in advance can go away when you move to big data repositories. It’s ironic, but you can get better intelligence faster when you do not pre-process the data. It may smell a bit like forecasts and new year’s predictions, but the paper is worth a read. Share:

It started out great. Fantastic even. The Dome was fired up. The team started fast. Field goal. Forced punt. Matty Ice throws a pick. Then the Falcons force a fumble and get the ball back. Touchdown. Forced punt. Field goal. 13-0. Red zone stop on a huge 4th and 1. Touchdown on a bomb. Huge sack to end the half. The Falcons were up 20-0. This was it. The year they finally exorcise the playoff demons. We all cheered for the kids showing off their football prowess during halftime as national Punt, Pass & Kick finalists. Then the second half started. Seattle drives down and scores. Then the Falcons respond with a 7+ minute drive to go up 27-7 when the 3rd quarter ends. The crowd goes bonkers. Only one team has blown a 20+ point lead in the playoffs at this point in the game. Elation sets in. It’s over. Until it’s not. Bad tackling. Mental lapses. A tight end playing on a ripped-up foot keeps making huge catches over the middle. Seattle scores. 27-14. Matt Ryan throws a pick. Seahawks drive down the field again. Touchdown Seattle. Cover that guy! 27-21. Oh crap. Now is the time. Make a play, offense. Get some first downs, burn up some clock and get this done. Come on, man! 3 and out. Falcons punt. This is not good. You can feel the tension in the Dome. All the negative thoughts creep in. All the playoff failures. How could they choke? How could they?!?!? Falcons force a punt. OK. It’s under control now. Just a few first downs and it’s over. 3 and out. Again. Seahawks have the ball back. 5:32 left. Seahawks driving again. They are on the Falcons 3. They score. Falcons are down 28-27. WTF? This would be the choke to end all chokes. We were stunned. The Dome was in shock. 31 seconds left. How could it end like this? Again? So disappointed. So so disappointed. Sure it was a good season, but another one and done in the playoffs and it’s going to set this franchise back years. Unbelievable. It’s only a football game, but it sure doesn’t feel that way. The Falcons get the ball back with 31 seconds on the clock. They need 40 yards to get into field goal range. First pass goes for 22 to a receiver named Harry D. Could they? Dare we have hope? The odds are long and they’ve done it before, but not with a berth in the NFC Championship at stake. 19 seconds. Another pass goes for 19 more yards to 36 year old Tony Gonzalez, a sure fire first ballot Hall of Famer who has never won a playoff game. Ever. They’re in field goal range. They set up the kick. I can’t breathe. Literally. No one can. This is it. The Boss squeezes my hand. The kick is up. The kick is good. HOLY CRAP. We scream. We hug. We embrace people we don’t even know. We scream some more. We jump up and down. You can’t hear anything because everyone is screaming. I give the Boss a huge hug. I mean huge. Instant elation emerges out of the depths of despair. It doesn’t get better than this. But it’s not over. There are still 8 seconds left. Seattle gets the ball back in good field position due to a muffed squib kick. A short pass. 2 seconds. Seattle is on the 50. Hail Mary time. The pass is in the air. The Dome holds its breath some more. The Falcons’ Julio Jones comes down with the ball. It’s finally over. Playoff demons vanquished. We just rode a 3.5 hour emotional roller coaster. A pretty high high. Then a very low low. Then the best moment in any football game I’ve ever experienced. I had emotional whiplash. I was nauseous. I was exhausted. My whole body hurt. My voice was gone. And I can’t wait until next Sunday to do it again. Rise up Falcons. It’s time. –Mike Photo credits: Buddha in Neck Brace originally uploaded by bixentro Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services The Solution Space Introduction Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Control via cloud: A lot of people focus on cloud computing as a security risk, but few look upon it as a security control. I suspect this is due to its newness – anything that disrupts our current models is nearly always seen as a risk to defenders at first. But as this article at cloudave.com points out, the cloud can play an awesome role in improving security. Specifically, if you adopt Platform as a Service for your application environment, you expand your security control scope, gaining the ability to enforce development standards be eliminating the variability of platform configurations. All the apps now run on a pre-configured platform, and there just isn’t much opportunity to screw it up. Plus you can enforce other code standards and practices based on the interfaces exposed via centralized platform management. Since it is faster and easier to use the PaaS, you aren’t fighting the developers. Sweet, eh? – RM Guessing for dollars: Does anyone really believe that the market for financial critical infrastructure security will reach $17 BILLION by 2017? Even if you could pin down what “financial critical infrastructure” even meant, and thought that you could estimate the portion of those dollars going to security products or services, do you really think you could extrapolate the amount 5 years out?