Damn Data: Security Analytics & Big Data

There, I did it: I finally wrote a security blog with a reference to Internet sensation Damn Daniel. While I’m under no illusions that this blog will have the love/hate, viral impact of Daniel and his white Vans, there seems to be a love/hate relationship between organizations and their data. And that relationship is being tested like never before with the ever-growing adoption of big data.

I recently embarked on a one-week, five-state tour to visit our customers. While I don’t advise a schedule like that, it really paid off. I had the good fortune to speak with a number of security leaders across various industry verticals including pharmaceuticals, healthcare payers, civilian and defense government agencies, critical infrastructure and technology. All of them were talking about their “damn data.”

It isn’t that they don’t have enough data or that it isn’t stored in an easy-to-access format. In fact, batch and real-time data collection, storage and management seem to be solved issues. Most of these organizations have been engineering their big data solutions for at least a couple years, so those variables have become as ordinary as getting email to work on your mobile device.

Cloudera, for example, came up in many conversations. Many of our customers see Cloudera as the most efficient path to “time to value” and the most comprehensive solution when leveraging Hadoop as a data platform.

The “damn” really comes when security leaders are interested in running security analytics on big data lakes in a way that is at least on par with the performance and capabilities that can be realized by more traditional SQL or similar backend solutions, even though the data is likely to be much more voluminous.

In February of 2016, Securonix and Cloudera announced a partnership to solve this problem with a solution that integrates the power of Securonix security analytics with the speed, scale and storage of Hadoop in a single, out-of-the box solution. The result is SNYPR: a powerful security analytics solution that is purpose-built for big data organizations. SNYPR is predicated on the same value points as the original Securonix security analytics platform:

  • Reduced threat identification and remediation time
  • Improved ROI on existing security controls
  • Reduced level of effort with fewer FTE requirements
  • Business optimization across time to value, total cost of ownership and level of effort

In short, take the data collection capabilities that Securonix has always offered like integration with SIEM, log managers, cloud APIs, security products, applications, physical security devices, HR databases and so on. Add Securonix analytical and response capabilities such as user and entity behavioral analytics (UEBA), peer analysis, event rarity identification, identity correlation, robotic behavior detection, threat module enrichment, alerting and case management. Now, add the ability to mine big data with those same capabilities and the “damn data” becomes “damn useful.”

During our customer visits, we identified many of the capabilities security leaders in the trenches find useful:

  • Cost-effective data fault tolerance and longer-term storage
  • Analytics with intuitive user operation and visualizations including summaries and timelines to reduce analysis cycles
  • Advanced search capabilities that are fast, in fact, testing has shown that a query across 8.5 billion events can return 250,000 results in half a second
  • Searching with natural language support instead of having to learn yet another database query language increases usability
  • Content enrichment and the inclusion of both raw (original) data and enriched data for context maximization
    Parallelized, distributed processing and multiple subscriber support for scale and extensibility

The bottom-line that customers are finding is that by integrating the original security analytics power of Securonix atop the enhanced capabilities that are afforded by Hadoop, big data lakes can be minded to make a huge difference in improving security by performing analysis on more data.

What is User Entity and Behavior Analytics (UEBA)?
User and Entity Behavior Analytics
Five Insider Threat Profiles
Securonix for Insider Threat Detection & Response