Let’s accept this as a fact: your cyber defenses ARE going to be breached. Sony, Home Depot, Target, Anthem, the U.S. OPM – these are just some examples of the many data breaches that have made recent headlines. And it’s not for lack of investment. Millions upon millions of dollars are being spent on cyber security each year. In fact, some organizations are planning to spend half a billion annually!
The reason for these breaches is that attackers (and their attacks) continue to evolve. Intrusion detection system (IDS) signatures and static SIEM correlation rules only match what has been seen before, so it is naïve to expect them to do much against a sophisticated adversary using new tooling. A new approach is needed, and that is big data security analytics (BDSA). A BDSA approach leverages big data, network and log data sources, machine learning, advanced statistical analysis, behavior analytics, forensics and more. Moreover, it’s no longer only about preventing these advanced attacks. One should assume that sophisticated hackers will find a way into a given system, so it’s essential to detect them quickly once they are inside, while the impact can still be contained.
Data is fundamental to the effectiveness of this new approach, and I believe that organizations should leverage diverse data to get a holistic view of the attacks already on the inside. Using only a single data source provides a myopic view, which is insufficient given that varied data sources (e.g., logs, flows, packets, files, alerts, threat feeds) are readily available within the organization.
One type of data – packets – stands out above the others. Packets provide a record of everything that’s gone across the wire. Captured passively via a TAP, SPAN port or packet broker, that record is out of the attacker’s reach: malware on a compromised host cannot edit what has already crossed the network. (Two practical limits apply: encrypted sessions expose headers and metadata but not payload unless you decrypt at a proxy, and an oversubscribed SPAN port silently drops packets, so size the capture path accordingly.) Other data types simply fall short. For example, consider logs. Logs provide an incomplete view of reality, and are highly dependent on the specific logging level that is enabled. Malware can modify logs, erasing any trace of what it’s done in a system. Additionally, corralling log data can be challenging since a number of different systems produce logs, and the responsibility for these systems falls to different departments (and if you’ve ever worked in a large organization, you know how difficult it is to get different departments to work together).
Big data security analytics that uses deep packet inspection (DPI) will allow you to make huge leaps towards quickly detecting advanced attacks. Big data provides distributed computing power at low cost, making advanced analytics and behavioral profiling on packets accessible to many more organizations. Packets can also be reassembled into sessions, providing access to the content – files, images, etc. – and metadata can be extracted, providing rich input for behavioral analytics. Header analysis pays off too: fields such as addresses, ports, TTLs and TCP flags are exactly what attackers manipulate when scanning, spoofing or tunnelling, so they enrich your security analytics. Big data also provides low cost storage, putting forensics within the reach of the masses. And we’re not just talking about network forensics, but a complete forensic trail that includes all other computed information – metadata, results of analytics on packets, etc. – all of which can be available from one location, meaning no more having to search across multiple siloed systems.
Remember that data is your friend when trying to combat advanced attacks. There are a variety of available data sources, with varying levels of richness, but packets give you that extra edge. For example, with log data you may only see which URLs a browser accessed; with the addition of packet data you can also examine the content being exchanged. This provides crucial evidence as to whether an attack is underway.
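As an added example (not code from the original post), the following Python shows the pipeline the preceding paragraphs describe end to end: decode IPv4/TCP headers into flow metadata, reassemble a TCP stream from segments that arrive out of order, and pull the HTTP request out of it, so the URL a proxy log would record sits next to the request body that only the packets contain. The packets, addresses, hostname and request are constructed inline; checksums are left at zero and not verified.

```python
import struct
from typing import Dict, List, Tuple


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet carrying a TCP segment (PSH|ACK, no options).
    Used only to construct sample traffic for this example; checksums are zero."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x018, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt: bytes) -> Dict:
    """Decode IPv4 and TCP headers (the flow metadata) and return the TCP payload."""
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    sport, dport, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4  # TCP header length, options included
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "ttl": ttl,
        "seq": seq, "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],
    }


def reassemble_streams(pkts: List[bytes]) -> Dict[Tuple, bytes]:
    """Group segments by flow 4-tuple, order by sequence number and stitch contiguous data.
    Out-of-order arrival is handled; a gap (packets dropped on the SPAN/TAP) stops the flow
    rather than splicing unrelated bytes together. 32-bit sequence wrap is not handled."""
    flows: Dict[Tuple, List[Dict]] = {}
    for pkt in pkts:
        meta = parse_ipv4_tcp(pkt)
        if meta["payload"]:
            key = (meta["src"], meta["sport"], meta["dst"], meta["dport"])
            flows.setdefault(key, []).append(meta)
    streams: Dict[Tuple, bytes] = {}
    for key, segs in flows.items():
        segs.sort(key=lambda m: m["seq"])
        data, expected = b"", segs[0]["seq"]
        for m in segs:
            if m["seq"] < expected:   # duplicate or overlapping retransmission: skip
                continue
            if m["seq"] > expected:   # missing segment: stop here, do not guess
                break
            data += m["payload"]
            expected += len(m["payload"])
        streams[key] = data
    return streams


def extract_http_request(stream: bytes) -> Dict:
    """Pull request metadata and body out of a reassembled client-to-server HTTP/1.x stream."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    return {
        "method": method.decode(), "path": path.decode(), "host": headers.get("host", ""),
        "url": f"http://{headers.get('host', '')}{path.decode()}",
        "headers": headers, "body": body[:length], "body_complete": len(body) >= length,
    }


# Constructed sample traffic (hypothetical hosts and data, not a real capture): one HTTP POST
# split across two TCP segments, delivered in the wrong order to exercise reassembly.
BODY = b"employee,badge\r\nalice,4471\r\nbob,9210\r\n"
HEAD = (b"POST /sync HTTP/1.1\r\nHost: files.example.net\r\nContent-Type: text/csv\r\n"
        b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n")
REQUEST = HEAD + BODY
SPLIT = 30
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "203.0.113.9", 51000, 80, 1000 + SPLIT, REQUEST[SPLIT:]),
    build_ipv4_tcp("10.0.0.5", "203.0.113.9", 51000, 80, 1000, REQUEST[:SPLIT]),
]


def analyse(packets: List[bytes] = SAMPLE_PACKETS) -> Dict:
    """Run the full pipeline on a packet list and return the decoded request plus its flow."""
    streams = reassemble_streams(packets)
    (flow, data), = streams.items()
    req = extract_http_request(data)
    req["flow"] = flow
    return req


if __name__ == "__main__":
    r = analyse()
    print("log-level view   :", r["method"], r["url"])   # what a proxy or web log records
    print("packet-level view:", r["body"].decode())      # what only the payload shows
```

The flow tuple, TTL and TCP flags that `parse_ipv4_tcp` returns are the kind of header metadata that feeds behavioral analytics; the reassembled body is the content that no log line carries. On real traffic the same stop-on-gap rule matters: a capture path that drops packets produces streams that end early, which is a signal to check the SPAN or TAP rather than to trust a partial body.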
Of course, at the end of the day, the type of data you use to defend against advanced attacks depends on the visibility levels you are comfortable with, and which data sources are most easily available. But given the richness of packet data, the relative ease with which it can be accessed and the value it contributes to user behavior analytics (UBA), packets stand out above all others. Hopefully any BDSA solution you choose to thwart advanced attacks will be flexible enough to use a broad variety of data sources, packets included.