Too many alerts with little to no context, is the state of today’s information security landscape. For example, it’s common for an enterprise who has been breached to have received an alert from a security tool, only to have it lost in the noise of many other threats coming in at the rate of hundreds per day. To add to the flurry of alerts, security threats are constantly changing and getting more complex due a changing and complex IT environment, making it difficult to map out a single attack across all of the different infrastructure touch points. And as security teams and tools get wise to the tactics, the threats will continue to evolve to thwart them.
The key is to develop a security analytics infrastructure facilitating data science techniques that can evolve as the threats evolve. Additionally, taking a Data Science approach to security threats aims to reduce the flurry of alerts, as well as provide more context to the alert so they can be prioritized, do more efficient root cause analysis, and be quickly resolved. This is the goal of Federation Security Analytics, as it combines the technology power of a Data Lake with proven Data Science applications to:
-See and understand everything happening in your environment
-Detect and prioritize the most advanced attacks, including long and slow attacks that happen over time
-Investigate and remediate incidents with unprecedented precision and speed
I spoke with RSA Senior Manager David Mitchell to discuss how Federation Security Analytics can better spot today’s attacks, plus provide an adaptable infrastructure to protect the organization as attacks evolve and become more sophisticated.
1. What are the biggest problems faced by Security Operations Centers and how does traditional SIEM fail to address these challenges?
Real threats today are more advanced and targeted, some aimed at locating specific information through an individual or use case. They are also constantly changing, targeting an environment that is not owned by the enterprise. Applications in the cloud, public networks, and mobile devices now contribute to threats outside a well-defined enterprise perimeter. The perimeter is now more porous; therefore, traditional SIEM tools that are signature or perimeter-based cannot effectively identify many of today’s attacks.
2. How does Big Data with Data Science change the game to address these problems more effectively?
It does two things – it allows you to collect everything through an engineered big data infrastructure and enrich this data to identify high-value, high-risk assets. Once you have determined what your high-value, high-risk assets are, you prioritize them and collect everything around those assets – logs, network packets, endpoint data, and more.
To spot an advanced threat or a threat that has not advertised itself (or an unknown threat), you cannot use traditional signature-based techniques since you cannot create a signature of a threat that has never existed before. Using security data science you can remove the hay in the environment, extract information that does not make sense, and flag it to determine if a threat is real. This approach can also reduce the flurry of alerts and false positives, and provides more context to the alert so they can be prioritized, have more efficient root cause analysis performed on them, and be quickly resolved.
3. What is Federation Security Analytics solution and what makes it unique?
Federation Security Analytics includes technology and expertise across RSA, Pivotal, and EMC II. It is unique in that it is not just a suggested architecture, but an engineered and field-tested solution that enables you to simultaneously collect required security data, analyze it, and create alerts. You can reliably collect all your data and send real-time alerts without being impacted by interacting with the data and vice versa. The solution is also packaged with services to install and configure in your environment by the RSA Global Services organization.
4. Can you describe a use case addressed by Federation Security Analytics?
The use of covert channel activity is one use case. These are long, advanced, persistent threats that are difficult to detect. It requires monitoring of inbound and outbound connections and being able to detect internal hosts with strange outbound communication patterns (beaconing) and spot those external hosts that are most likely to be compromised (high risk suspicious domains). Being able to detect beaconing and suspicious domains will then allow you to identify the source of the attack. From this point, analysts can immediately pivot to identify the users that are under attack. The method for uncovering covert channel activity or malicious behavior requires the collection and analysis of multiple pieces of data over an extended time period so you can identify normal behavior and apply a weighted probability risk score to all subsequent behaviors.
5. One of the biggest barriers to getting value from Big Data is the skills shortage. How does EMC address this issue?
Because this is an engineered solution, it removes the infrastructure skills necessary to architect a reliable, high-performing big data system that provides visibility to all of the data that is collected, analysis of both real-time and historical data, and generation of actionable results through real-time and long and slow alerting.
It also helps to remove up front security Data Science skills, as this solution also provides three security analytics applications or use cases using Data Science techniques out of the box. Through the community and security expertise from RSA, we will continue to develop and provide additional use cases to our customers. As threats continue to evolve, the enterprise can be better positioned to adapt to changes in threat strategy, as well as easily scale and modify its infrastructure without having to reinvent the solution.