There is still an immense opportunity to use Big Data security analytics to fish out these attacks, but you can't just attach an engine on top of every piece of data that's collected and expect it to miraculously extract intelligence. For an engine to be effective, it needs to focus not on the biggest data, but the most valuable.
The challenge for businesses is understanding that not all data is created equal and determining which feeds are truly important. There are three steps businesses can take to begin optimizing Big Data for analytical purposes.
Step 1: Understand the threat landscape
Businesses are logging every piece of IT data they can for both regulatory and forensic purposes, as they should. If something happens, organizations need to make sure they have access to all the evidence to identify and rectify their vulnerabilities. But to protect against breaches, companies need to apply proper context to Big Data in order for it to be valuable. Most of the data that's logged comes from firewalls and intrusion protection systems (IPS), but much of it is useless in flagging underlying or inside threats, since modern attacks don't trip any firewall or IPS rules.
Data breaches are on the rise, and hackers are walking right through the front door undetected by using stolen employee credentials and impersonating users. The tools that hackers use, such as malware and social engineering tactics like phishing, are becoming more targeted and sophisticated in order to get around common cybersecurity defenses and gain access to valid credentials. Businesses are failing to detect this activity because hackers try a multitude of different methods until they're eventually successful.
You won't find the security intelligence you need to identify evolving threats associated with these tactics in your firewall or IPS logs. That's not to say that data isn't important for forensic purposes (it is), but it's all noise from an analytics standpoint, triggering false positives that distract security teams from quickly identifying imposters on the network.
IT security has become more of a science, in that you have to focus specifically on what matters by looking at the feeds that record how individuals access IT. And once hackers have used stolen credentials to breach the network, it's game over.
Step 2: Block out the noise to focus on the feeds that matter
IT security teams need to ask themselves which of the threats that concern them most won't be caught by prevention tools. These are the kinds of advanced threats that exist outside what is typically stopped by Web application firewalls (WAF). These technologies are obviously important to have, and businesses should try as hard as possible to prevent credential theft, but this is not where the focus should be for analytics, as they just contribute to the noise. To stop breaches before they take hold, businesses need to focus on the data feeds that point to how users are maneuvering within the IT environment in real time.
Take, for example, the 2012 attack on the South Carolina office of the IRS, which resulted in the exposure of more than 3.6 million Social Security Numbers and 387,000 credit and debit cards as a result of an employee who fell victim to a phishing attack and had his credentials compromised.
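As an added illustration of the kind of analytic Step 2 argues for (example code written for this page, not from the original article or any product), here is a per-user baseline built from a constructed user-access feed, used to flag a login on a phished employee's credentials when it deviates from that user's normal pattern on several dimensions at once. The feed format, hostnames, user names and resource names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample user-access feed, one event per line, in a hypothetical
# "timestamp,user,src_host,resource" export format (not any real product's).
BASELINE_EVENTS = [
    "2012-08-01T09:05:00,jdoe,ws-042,payroll-db",
    "2012-08-03T08:58:00,jdoe,ws-042,hr-share",
    "2012-08-01T10:15:00,msmith,ws-117,tax-records",
]
NEW_EVENTS = [
    "2012-08-13T09:02:00,jdoe,ws-042,payroll-db",      # normal for jdoe
    "2012-08-13T23:41:00,jdoe,vpn-gw-7,tax-records",   # stolen-credential pattern
    "2012-08-14T10:05:00,msmith,ws-117,tax-records",   # normal for msmith
]

def parse(line):
    ts, user, src, resource = line.split(",")
    return datetime.fromisoformat(ts), user, src, resource

def build_baseline(lines):
    """Learn, per user, the hosts, hours and resources seen during normal activity."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "resources": set()})
    for line in lines:
        ts, user, src, resource = parse(line)
        profile[user]["hosts"].add(src)
        profile[user]["hours"].add(ts.hour)
        profile[user]["resources"].add(resource)
    return profile

def score_event(profile, line):
    """List the ways one event deviates from its user's baseline."""
    ts, user, src, resource = parse(line)
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if src not in p["hosts"]:
        reasons.append(f"new source host {src}")
    if ts.hour not in p["hours"]:
        reasons.append(f"unusual hour {ts.hour:02d}:00")
    if resource not in p["resources"]:
        reasons.append(f"first access to {resource}")
    return reasons

def flag_imposters(baseline_lines, new_lines, min_reasons=2):
    """Alert only when several dimensions deviate at once, which keeps false positives down."""
    profile = build_baseline(baseline_lines)
    scored = ((line, score_event(profile, line)) for line in new_lines)
    return [(line, r) for line, r in scored if len(r) >= min_reasons]
```

On the constructed feed, only jdoe's late-night VPN access to tax records is flagged, because it deviates on host, hour and resource at once; the other two events match their users' baselines and produce no alert.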