Can big data nab network invaders?

The buzz in security circles about "big data" goes something like this: If the enterprise could only unite its security-related event data with a warehouse of business information, it could analyze this Big Data to catch intruders trying to steal sensitive information.

This is the security angle to the Big Data hopes that are rising along with the popularity of vast Big Data repositories, often based on the open-source scalable software Hadoop, being adopted in enterprises. This is leading to anticipation that a new type of "data scientist" job will emerge in IT around Hadoop. Among security professionals and analysts, there's now talk that Big Data will also lead to security-focused data scientists who will have the tools and knowledge to pinpoint attacks by stealthy intruders out to steal highly sensitive data.

Catching cyber-thieves in the act across sprawling networks has proven hard to do, and "Big Data" is offering new hope. But is it warranted?

Scott Crawford, analyst with consultancy Enterprise Management Associates, thinks so. "Statistical analysts will identify anomalies but not understand the security," he commented during an analyst panel at the recent RSA Conference in San Francisco on the topic of Big Data and how it could help security.

Crawford predicted eventually there will emerge "a market for security algorithms" for big data. He noted firms such as Red Lambda and Palantir are tackling this today in math-heavy analysis aimed at spotting anomalies.

The "bad" attacker intent on hiding is, according to some, an anomaly against the generally "good" behavior of network users, behind which the attacker often hides. Today, stealthy attackers are getting past traditional defenses such as intrusion-prevention systems, firewalls and anti-virus, pointed out Gartner analyst Neil MacDonald, who spoke about this during the RSA panel.

These devastating attacks to infiltrate networks and steal highly sensitive data, sometimes called advanced persistent threats (APT), are driven by human actors able to hide their malevolent presence within networks effectively. Today, says MacDonald, we just don't know what "goodness" and "badness" look like in terms of network activity. "You have to know what goodness looks like" to understand "deviations from goodness," he points out.

Big Data is offering new possibilities for security analysis, which could mean that one type of security tool used today, security information and event management (SIEM), along with similar tools that don't fit neatly into that category, will have to evolve, analysts contend.

To some extent that has started already today, says MacDonald, pointing to RSA's threat-detection product NetWitness and the HP ArcSight SIM, among others. Some start-ups, including CrowdStrike, are claiming they will tackle the APT problem in new ways.

But will SIEM evolve to be able to process business-related big data, or not? And is the whole idea of adding business data to the more traditional SIEM feeds from firewalls, servers, IPS and the like, in order to provide meaningful intelligence on an attacker, simply a pleasant illusion?

"People can't get the answers they want from SIEM tools," said Forrester analyst John Kindervag. He said something new is going to have to happen, in which SIEM tools might be a part.

Of all the analysts on the RSA panel, Jon Oltsik with Enterprise Strategy Group, appeared the most skeptical that Big Data is going to be the answer to the APT problem.

"My fear is we'll capture more data and not know what to do with it," Oltsik commented. He said chief information security officers (CISO) in the enterprise today aren't sold on the idea that Big Data is going to somehow be a special boon to security. "When I talk to CISOs and ask about Big Data, they laugh," he commented.

Still, some early adopters of big data security approaches are hopeful.

Zions Bancorporation has set up a massive repository for proactively analyzing a combination of real-time security and business data in order to identify phishing attacks, prevent fraud and ward off hacker intrusions. Announced last October, it's based on the Zettaset Data Warehouse, which makes use of Hadoop for data-intensive distributed applications. Preston Wood, chief security officer at Zions, has described it as a way to augment a SIM tool and look at massive amounts of historical business data for security purposes.

SIEM vendors, including NetIQ, say they know the buzz around big data and security is just beginning.

"This is where SIEM has to go," said Matt Ulmer, director of product management at NetIQ, maker of the SIEM called Sentinel. Ulmer said the industry is starting on a path to re-invent SIEM by incorporating business intelligence. Big Data could detect what's out of a normal pattern, says Ulmer, noting Sentinel 7.0 does incorporate more context for data.

"But how do you define the good?" Ulmer asked, pointing out an attacker "will take over an account, so the question is, is that the employee or the attacker?" He said stealthy attack actions may only pop up for a few seconds at most every day, so the goal is to distinguish the trusted insider from the attacker. Big Data may be able to provide a lot of assistance in that.
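As an added illustration of the baselining idea MacDonald and Ulmer describe (this is not code from the article or from any vendor it names): build a per-account profile of "good" activity from a constructed sample of account records, then flag review-period events, such as a known account acting from a never-seen address at a never-seen hour, that deviate from that profile. The log format, field names and addresses are all assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (timestamp, account, source IP, action), not real logs.
# BASELINE_LOG is the period taken as "known good"; REVIEW_LOG is the period under review.
BASELINE_LOG = """\
2012-03-01T09:02:11 alice 10.1.2.30 read_report
2012-03-01T10:15:42 alice 10.1.2.30 read_report
2012-03-02T09:21:05 alice 10.1.2.30 export_report
2012-03-02T14:40:19 alice 10.1.2.31 read_report
2012-03-01T08:55:00 bob 10.1.5.12 read_report
2012-03-02T17:30:44 bob 10.1.5.12 read_report
"""
REVIEW_LOG = """\
2012-03-05T09:10:00 alice 10.1.2.30 read_report
2012-03-05T03:14:07 alice 198.51.100.7 export_report
2012-03-05T03:14:11 alice 198.51.100.7 export_report
2012-03-05T17:02:33 bob 10.1.5.12 read_report
"""

def parse(log):
    """Yield (timestamp, account, src_ip, action) from the whitespace-separated text log."""
    for line in log.splitlines():
        ts, account, src_ip, action = line.split()
        yield datetime.fromisoformat(ts), account, src_ip, action

def build_baseline(log):
    """Per account, record the source IPs and hours of day seen during the 'good' period."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, account, src_ip, _ in parse(log):
        baseline[account]["ips"].add(src_ip)
        baseline[account]["hours"].add(ts.hour)
    return dict(baseline)

def find_deviations(baseline, log):
    """Return (timestamp, account, src_ip, action, reasons) for events outside the baseline."""
    flagged = []
    for ts, account, src_ip, action in parse(log):
        profile = baseline.get(account)
        reasons = [] if profile else ["unknown account"]
        if profile and src_ip not in profile["ips"]:
            reasons.append("new source IP")
        if profile and ts.hour not in profile["hours"]:
            reasons.append("unusual hour")
        if reasons:
            flagged.append((ts.isoformat(), account, src_ip, action, reasons))
    return flagged
```

On the sample, only alice's two 03:14 exports from 198.51.100.7 are flagged; the same account's usual daytime activity passes, which is the kind of separation between employee and account-takeover that the panel is after.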

But Ulmer adds that there appear to be many practical reasons why the big data concept for security will face obstacles.

One practical obstacle is the current push to move enterprise data into cloud computing, which makes things harder for the traditional SIEM approach, which has been used on premises inside the enterprise network. Another obstacle is that security managers hopeful about Big Data will be in the position of drawing up data-management strategies and recommendations about something that remains very cutting-edge today. In an era when other corporate issues, such as whether to adopt "Bring Your Own Device" for mobile devices, are already a big topic with management, adding big data could be a hard sell.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.