Federation Security Analytics: A Data Science Approach

Too many alerts with little to no context, is the state of today’s information security landscape. For example, it’s common for an enterprise who has been breached to have received an alert from a security tool, only to have it lost in the noise of many other threats coming in at the rate of hundreds per day. To add to the flurry of alerts, security threats are constantly changing and getting more complex due a changing and complex IT environment, making it difficult to map out a single attack across all of the different infrastructure touch points. And as security teams and tools get wise to the tactics, the threats will continue to evolve to thwart them.

The key is to develop a security analytics infrastructure facilitating data science techniques that can evolve as the threats evolve. Additionally, taking a Data Science approach to security threats aims to reduce the flurry of alerts, as well as provide more context to the alert so they can be prioritized, do more efficient root cause analysis, and be quickly resolved. This is the goal of Federation Security Analytics, as it combines the technology power of a Data Lake with proven Data Science applications to:

-See and understand everything happening in your environment

-Detect and prioritize the most advanced attacks, including long and slow attacks that happen over time

-Investigate and remediate incidents with unprecedented precision and speed

federation_sa

I spoke with RSA Senior Manager David Mitchell to discuss how Federation Security Analytics can better spot today’s attacks, plus provide an adaptable infrastructure to protect the organization as attacks evolve and become more sophisticated.

1.  What are the biggest problems faced by Security Operations Centers and how does traditional SIEM fail to address these challenges?

Real threats today are more advanced and targeted, some aimed at locating specific information through an individual or use case. They are also constantly changing, targeting an environment that is not owned by the enterprise. Applications in the cloud, public networks, and mobile devices now contribute to threats outside a well-defined enterprise perimeter. The perimeter is now more porous; therefore, traditional SIEM tools that are signature or perimeter-based cannot effectively identify many of today’s attacks.

2.  How does Big Data with Data Science change the game to address these problems more effectively?

It does two things – it allows you to collect everything through an engineered big data infrastructure and enrich this data to identify high-value, high-risk assets. Once you have determined what your high-value, high-risk assets are, you prioritize them and collect everything around those assets – logs, network packets, endpoint data, and more.

To spot an advanced threat or a threat that has not advertised itself (or an unknown threat), you cannot use traditional signature-based techniques since you cannot create a signature of a threat that has never existed before. Using security data science you can remove the hay in the environment, extract information that does not make sense, and flag it to determine if a threat is real. This approach can also reduce the flurry of alerts and false positives, and provides more context to the alert so they can be prioritized, have more efficient root cause analysis performed on them, and be quickly resolved.

3.  What is Federation Security Analytics solution and what makes it unique?

Federation Security Analytics includes technology and expertise across RSA, Pivotal, and EMC II. It is unique in that it is not just a suggested architecture, but an engineered and field-tested solution that enables you to simultaneously collect required security data, analyze it, and create alerts. You can reliably collect all your data and send real-time alerts without being impacted by interacting with the data and vice versa.  The solution is also packaged with services to install and configure in your environment by the RSA Global Services organization.

4.  Can you describe a use case addressed by Federation Security Analytics?

The use of covert channel activity is one use case. These are long, advanced, persistent threats that are difficult to detect. It requires monitoring of inbound and outbound connections and being able to detect internal hosts with strange outbound communication patterns (beaconing) and spot those external hosts that are most likely to be compromised (high risk suspicious domains). Being able to detect beaconing and suspicious domains will then allow you to identify the source of the attack. From this point, analysts can immediately pivot to identify the users that are under attack. The method for uncovering covert channel activity or malicious behavior requires the collection and analysis of multiple pieces of data over an extended time period so you can identify normal behavior and apply a weighted probability risk score to all subsequent behaviors.

5.  One of the biggest barriers to getting value from Big Data is the skills shortage. How does EMC address this issue?

Because this is an engineered solution, it removes the infrastructure skills necessary to architect a reliable, high-performing big data system that provides visibility to all of the data that is collected, analysis of both real-time and historical data, and generation of actionable results through real-time and long and slow alerting.

It also helps to remove up front security Data Science skills, as this solution also provides three security analytics applications or use cases using Data Science techniques out of the box. Through the community and security expertise from RSA, we will continue to develop and provide additional use cases to our customers. As threats continue to evolve, the enterprise can be better positioned to adapt to changes in threat strategy, as well as easily scale and modify its infrastructure without having to reinvent the solution.

All Paths Lead To A Federation Data Lake

Is your organization constrained by 2nd platform data warehouse technologies with limited or no budget to move forward towards 3rd platform agile technologies such as a Data Lake? As an EMC customer you have the advantage of leveraging existing EMC investments to develop a Federation Data Lake at minimal cost. Additionally, the Federation Data Lake will generate healthy returns, as it is packaged up with the expertise needed to immediately execute on data lake uses cases such as data warehouse ETL offloading and archiving.

Data Lake

With the release of William Schmarzo’s Five Tactics to Modernize Your Existing Data Warehouse, I wanted to explore whether the Dean of Big Data views data warehouse modernization tactics or paths ultimately leading to a Federation Data Lake.

1.  What is a Data Lake and who should care?

Continue reading

Cloudera Enterprise and EMC Isilon: Filling In The Hadoop Gaps

As Hadoop becomes the central component of enterprise data architectures, the open source community and technology vendors have built a large Big Data ecosystem of Hadoop platform capabilities to fill in the gaps of enterprise application requirements. For data processing, we have seen MapReduce batch processing being supplemented with additional data processing techniques such as Apache Hive, Apache Solr, and Apache Spark to fill in the gaps for SQL access, search, and streaming.  For data storage, direct attached storage (DAS) has been the common deployment configuration for Hadoop; however, the market is now looking to supplement DAS deployment with enterprise storage. Why take this approach? Organizations can HDFS enable valuable data already managed in enterprise storage without having to copy or move this data to a separate Hadoop DAS environment.

Cloudera

As a leader in enterprise storage, EMC has partnered with Hadoop vendors such as Cloudera to ensure customers can fill in the Hadoop gaps through HDFS enabled storage such as EMC Isilon. In addition to providing data protection, efficient storage utilization, and ease of import/export through multi-protocol support, EMC Isilon and Cloudera together allow organizations to quickly and easily take on new, analytic workloads.   With the announcement of Cloudera Enterprise certified with EMC Isilon for HDFS storage, I wanted to take the opportunity to speak with Cloudera’s Chief Strategy Officer Mike Olson about the partnership and how he sees the Hadoop ecosystem evolving over the next several years.

1.  The industry has different terminologies for enterprise data architectures centered around Hadoop. EMC refers to this next generation data architecture as a Data Lake and Cloudera as Enterprise Data Hub. What is the common thread?

Continue reading

Big Data Pains & Gains From A Real Life CIO

What does it take to make CIO Magazine’s Top 100 List? Big Data victory is one of them.
Michael Cucchi, Sr Director of Product Maketing at Pivotal, had the privilege to speak with one of the winners – EMC CIO Vic Bhagat. Discussing the pains and gains of EMC’s Big Data initiative, I have put together a summary of this interview below.  EMC IT’s approach to Big Data is exactly what the EVP Federation enables organizations to do – first collect any and all data in a Data Lake, deploy the right analytic tool that your people know how to use to analyze the data, and finally learn agile development so you can take those insights and build applications rapidly.

1. Why is Big Data important to your business?

Continue reading