Many of us have had a dream that involves standing in front of an audience only to discover that we forgot what we were going to say…resulting in a rude awakening.
Increasingly, network security analysts are seeing something a lot like this dream played out by CISOs (Chief Information Security Officers) being rudely awakened to the realization that they are exposed in an entirely different way.
2013 and 2014 have seen an unprecedented growth in the number of security breaches enabled by “low and slow” attacks against companies involving carefully crafted strategies aimed specifically at those organizations. These penetrations have typically gone undetected by the vast majority of security tooling on the market today, leaving CISOs wondering exactly when – not if – the next breach will hit their employer.
Historically, Security Information and Event Management (“SIEM”) tools evolved out of the need to assess the enterprise’s security posture at any given time. They function by harvesting security-relevant events from log data created by a wide variety of network-resident sources such as firewalls, intrusion detection and prevention systems, operating systems, antivirus programs, web proxy devices and applications of all shapes and sizes. With a relational database as a backing store, SIEM solutions typically have a hard limit on the volume and variety of data that can be stored and subsequently analyzed, forcing network security personnel to make difficult decisions around which sources to analyze vs. which ones to ignore…in the hope that the “bad stuff” shows up in the sources they’ve chosen to analyze in the SIEM. The commonly cited statistic is that 95% of network traffic is normal and appropriate to the business, but the other 5% represents a significant risk to security. The hope of most security organizations is that the dangerous 5% is represented in the security logs they can afford to store and subsequently analyze.
And that was before the unprecedented growth in the quantity and variety of wireless sensors (smart phones, tablets, badge scanners amongst them) made an already unworkable system buckle under the stress of “too much data,” making it nearly impossible for enterprises to detect sophisticated low-and-slow attacks. Such attacks (once limited to well-crafted but generic “worms” designed to evade standard countermeasures) are increasingly custom-designed to penetrate specific organizations and often leverage insider knowledge, allowing targeted silos of sensitive data to be “phoned home” after a lengthy hibernation period, one that exceeds the storage windows of typical SIEM solutions.
The rise of Hadoop as a highly scalable, cost-effective data store for security log data is one of the bright spots in this otherwise bleak scenario. (Hadoop, after all, was originally designed to store and analyze log data in order to make it easier to manage large farms of web servers). Storing months – if not years – of security log data in Hadoop enables enterprises to establish a cost-effective, accurate baseline of what is considered normal network behavior for any given endpoint, making it much easier to identify abnormal behavior indicative of an attack about to happen – or one that has already happened.
And this is why MapR and Platfora have chosen to go to market with a combined security analytics offer. With its built-in capability to leverage the industry-standard NFS protocol, MapR makes ingesting data into Hadoop as simple as “mount and copy” – no complex ingest architectures need be designed and deployed, enabling enterprises to immediately realize results. With security solutions, time-to-market is especially critical, and this uniquely architected capability is a significant enabler.
Platfora, for its part, enables security log data to be quickly correlated, analyzed, and visualized – all within a workflow driven by the security analyst, requiring neither complex coding nor IT facilitation. This approach avoids the lengthy back-and-forth seen with traditional Business Intelligence solutions wherein any new data requiring analysis needs to be vetted through a complex change-control process requiring months to complete. Enterprises can quickly spot the “dangerous 5%” thanks to Platfora’s capability to correlate differently-structured data stored in Hadoop – unusual combinations of behavior not seen in the previous months are visually identified and easily explored.
The combination of Platfora and MapR enables organizations to immediately understand when an internal endpoint not typically connecting to external sites has communicated with a foreign site (located, say, in China) via a network port associated with a particularly virulent inborn threat. Being able to pinpoint these “dangerous liaisons” makes it possible to prevent the full threat from being realized. All too often, this initial suspect communication is followed by a subsequent conversation with a different site – say, in Russia – where credit card or other sensitive data gets handed off to the bad guys – permanently poisoning the enterprise’s brand in the marketplace. Early detection is the key to preventing catastrophic loss.
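The baseline-then-deviation check described above (a long history of normal per-endpoint traffic, then flagging an internal host that has never talked externally when it reaches a foreign site on a port tied to a known threat, and escalating when the same host later contacts a second country) can be sketched in a few dozen lines. The following is an added example, not Platfora or MapR code; the log format, the 10.0.0.0/8 internal range, the watchlisted ports and every address and country code are constructed placeholders, not real indicators.

```python
"""Added example (not Platfora/MapR code): baseline-then-deviation detection
over constructed connection logs. Rows are 'timestamp src_ip dst_ip dst_port
dst_country'. Everything below is a constructed placeholder."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: months of mostly internal traffic, then two new contacts.
SAMPLE_LOG = """\
2014-01-05T09:12:00 10.0.1.15 10.0.2.50 445 INTERNAL
2014-01-06T10:01:00 10.0.1.15 10.0.2.51 443 INTERNAL
2014-01-07T11:30:00 10.0.1.20 203.0.113.9 443 US
2014-02-03T12:00:00 10.0.1.20 198.51.100.7 80 US
2014-02-10T08:45:00 10.0.1.15 10.0.2.50 445 INTERNAL
2014-04-02T02:17:00 10.0.1.15 192.0.2.44 6667 CN
2014-04-02T02:19:00 10.0.1.20 203.0.113.9 443 US
2014-04-03T03:05:00 10.0.1.15 192.0.2.99 4444 RU
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
WATCHLIST_PORTS = {4444, 6667}               # constructed threat-associated ports
BASELINE_END = datetime(2014, 3, 31)         # history before this defines "normal"


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, country = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "country": country})
    return rows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(rows, cutoff):
    """Per internal endpoint, the set of external destinations seen up to cutoff.
    An endpoint that only ever talked internally ends up with an empty set."""
    baseline = {}
    for r in rows:
        if r["ts"] <= cutoff and is_internal(r["src"]):
            dests = baseline.setdefault(r["src"], set())
            if not is_internal(r["dst"]):
                dests.add(r["dst"])
    return baseline


def find_dangerous_liaisons(rows, baseline, cutoff, watchlist_ports):
    """Flag post-cutoff external contacts on a watchlisted port from an endpoint
    that either never went external before or never reached this destination."""
    alerts = []
    for r in rows:
        if r["ts"] <= cutoff or not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        known = baseline.get(r["src"], set())
        if r["port"] not in watchlist_ports or r["dst"] in known:
            continue
        reason = ("first-ever external contact on watchlisted port" if not known
                  else "new destination on watchlisted port")
        alerts.append({**r, "reason": reason})
    return alerts


def escalate_chains(alerts):
    """Same endpoint reaching sites in two or more countries: the initial contact
    followed by a hand-off elsewhere. Returns {src: [countries in time order]}."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["country"] not in by_src[a["src"]]:
            by_src[a["src"]].append(a["country"])
    return {src: c for src, c in by_src.items() if len(c) >= 2}


def run_detection(log_text=SAMPLE_LOG, cutoff=BASELINE_END,
                  watchlist_ports=WATCHLIST_PORTS):
    rows = parse_log(log_text)
    baseline = build_baseline(rows, cutoff)
    alerts = find_dangerous_liaisons(rows, baseline, cutoff, watchlist_ports)
    return alerts, escalate_chains(alerts)


if __name__ == "__main__":
    found, chains = run_detection()
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} ({a['country']}) "
              f"{a['reason']}")
    print("escalated:", chains)
```

On the constructed sample, 10.0.1.20 is not flagged because its April contact is a destination already in its baseline, while 10.0.1.15, which had only internal traffic for months, produces two alerts and is escalated once it reaches a second country. The useful part is the long baseline window: with a retention limit shorter than the hibernation period, the empty baseline that makes the first alert so clear-cut would not exist.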
Platfora and MapR have packaged their respective products into a cost-effective, pre-integrated solution that is easy to consume and easy to deploy, offering immediate return on investment. Together, we can make those awful dreams a thing of the past. Contact Platfora or MapR for specifics.