The new era of security intelligence

When you think of security intelligence or threat intelligence, do visions come to mind of FBI or CIA analysts, sitting in a room full of compute power and cool technology gadgets? The world of information security intelligence – like that used by commercial enterprises to protect themselves – is becoming strangely similar to those visions of intelligence. Given that hackers, hacktivists and others are pulling corporations into this cyber warfare, it should not be surprising that security programs are relying more and more on intelligence to thwart their enemy attackers.

An analogy might be useful to better envision how such a scenario might work.  Let’s say I am an avid shopper at a big national retailer.  I shop there for everything from clothes, to food, to housewares, gifts and cards.  I often imagine that this retail buddy of mine knows more about me and what I like than my own mother.  The data resulting from a point of sale (POS) system includes my shopping habits: what time of day I shop (before/after work vs weekends), frequency of my trips, average purchase amount etc.  You might expect a retailer to have this level of information. 

With a little bit of analysis, meaning can be applied to the items I purchase to determine my rough age and sex, that of my children, type of pets, music and book tastes, favorite colors, and more.  How could they know this? They glean this level of knowledge by applying algorithms to my purchases that assess meaning and apply context to individual data points.  And by assessing this data over time, they can look for trends or patterns.  Am I (female, middle-aged, with teen children), beginning to substitute one product for another, or otherwise changing my purchases?  The granularity of insight becomes explosive!

Sharpening the focus with additional data

Now, if this retailer were to combine POS data with data from online shopping, they can also determine my shipping and billing addresses (more socio-economic demographics, also helpful in aggregate).  If I “Like” them on Facebook, or pin something on Pinterest, they may even begin to understand, and potentially tap into my social network.  Essentially, if I “Like” something from this retailer, I become an advertising agent – and although my reach is limited in breadth, it is much more credible and targeted to people (buyers) like myself.

How do information security professionals use these same tools?

Let’s look at how we would apply those same techniques to information security. Hackers have specialized in obtaining this type of information to craft “spear phishing” attacks – highly targeted attacks that lure you into clicking a link or providing information through clever disguises or tricks. Luckily, the good guys can use techniques similar to those of retailers to identify potential attacks, even before they happen.

The multitude of devices, users, and generated traffic all combine to create a proliferation of data that is being created with incredible volume, velocity and variety. As a result, organizations need a way to protect, utilize and gain real-time insight from events that spring from traditional IT environments, but also from mobile, social media, cloud and Internet activities. Harvesting insight from these ‘big data’ sources is key. And often, they already have many of the tools needed – it’s just a matter of integrating them so they work together and properly applying use cases to solve problems that may be different from those for which the tools were deployed. Two such tools are HP ArcSight and HP Autonomy.

HP ArcSight is a traditional security tool, with its powerful CORR engine for correlating seemingly disparate security events. It has some terrific capabilities that make it a leader among SIEM products. The recent whitepaper, “Big Security for Big Data”, points out that it can detect more incidents, correlate more data (capacity), and more efficiently focus resources on exceptions than competitors. And HP ArcSight connectors collect, normalize and categorize log data, making it more readily understood. Normalized logs are indexed and categorized to make it easy for a correlation engine to process them and identify patterns based on heuristics and security rules. It is here where the art of combining logs from multiple sources and correlating events comes together to help create real-time alerts.

HP ArcSight Enterprise Security Manager (ESM) uses a heuristic analytics model to keep a baseline of activity from events received and monitors any increases in attack, target, protocol, or user activity using a percentage threshold.

It is the powerful correlation that is the foundation of this intelligence.
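As an added illustration of the normalize-then-baseline flow described above (example code written for this post, not ArcSight's or the paper's own), a small parser maps two raw log formats into one schema with a category label, and a percentage-threshold check flags any category whose count in the current window exceeds the baseline window. The log lines, the category names and the 100% threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page): firewall deny lines and
# sshd authentication-failure lines, in a baseline batch and a current batch.
BASELINE_LINES = [
    "Jan 10 09:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=22",
    "Jan 10 09:00:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.6 DST=10.0.0.7 PROTO=UDP DPT=53",
    "Jan 10 09:00:05 web1 sshd[2211]: Failed password for root from 198.51.100.9 port 40122 ssh2",
]
CURRENT_LINES = [
    "Jan 10 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=22",
    "Jan 10 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.8 DST=10.0.0.7 PROTO=TCP DPT=443",
    "Jan 10 10:00:09 web1 cron[1]: session opened for user root",  # unknown format, dropped
] + [
    f"Jan 10 10:00:0{i} web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.9 port 4012{i} ssh2"
    for i in range(3, 8)
]

FW_RE = re.compile(r"DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)")
SSH_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Map one raw line to a common schema with a category label; None if unrecognised."""
    m = FW_RE.search(line)
    if m:
        return {"category": "Firewall/Deny", "src": m["src"], "dst": m["dst"], "proto": m["proto"]}
    m = SSH_RE.search(line)
    if m:
        return {"category": "Auth/Failure", "src": m["src"], "dst": None, "proto": "SSH", "user": m["user"]}
    return None

def count_by_category(lines):
    """Normalize a batch and count events per category (unparsed lines are dropped)."""
    return Counter(e["category"] for e in map(normalize, lines) if e)

def detect_increases(baseline, current, pct_threshold):
    """Flag categories whose current count exceeds the baseline by more than
    pct_threshold percent; a category absent from the baseline counts as an infinite rise."""
    alerts = []
    for cat, now in current.items():
        base = baseline.get(cat, 0)
        pct = float("inf") if base == 0 else (now - base) / base * 100
        if pct > pct_threshold:
            alerts.append((cat, base, now, pct))
    return alerts

if __name__ == "__main__":
    for cat, base, now, pct in detect_increases(count_by_category(BASELINE_LINES), count_by_category(CURRENT_LINES), 100):
        print(f"ALERT {cat}: baseline={base} current={now} (+{pct:.0f}%)")
```

With these inputs only the authentication-failure category trips the rule (1 event in the baseline window, 5 in the current one), while the steady firewall denies stay quiet.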

Now, add to that correlation capability the meaning and context from the vastness of ‘big data’ – mobile, social media, cloud and Internet activities.

HP Autonomy’s IDOL can supercharge ArcSight’s correlation by providing even more who, what and where context to correlate with more traditional security logs and events. Social media is a common place for hackers to communicate and for people to express themselves – their frustrations, their plans, their accomplishments (both good and bad). It is also vastly unstructured. That’s why HP Autonomy IDOL is such a perfect tool for making sense of this ‘big data’. It can extract meaning, assess the sentiment of a communiqué and identify patterns. When combined with HP ArcSight’s CORR engine, these seemingly minute data points can provide context and greater insight, and further identify and vet potential threats.

Check out the “Big Security for Big Data” white paper to find out more about how ArcSight provides a foundation to help you with Big Data.
