The Best View

Written by

If analysis technology is the next trend, how is it being deployed? Dan Raywood talks to Gigamon’s Marshall Wolfe about his deployment and what he feels he gets from it.

If user behavior analytics, machine learning and even artificial intelligence are the direction that security is taking, how are they actually being deployed and used? 

Brian Kelly is chief security officer of Rackspace. He told Infosecurity that he did not believe that a new wave of technology was imminent. “The Holy Grail used to be full packet capture, now we say ‘why’, as can we derive the same value with metadata and collecting everything, and we need data scientists to resolve this,” he said.

Kelly claimed that old technology is often flawed and there are elements of future state architecture being driven by cloud, and as users migrate from a client server and the “hierarchical driven model that we have today”, and move towards a more distributed principle where the controls are removed from the network and we put controls outside the stack and outside the operating system and closer to the workload, there will be better controls and better contextual awareness where they can talk to each other.

“So think of future state, I think that is where we are now but I think to manage that kind of environment we have to solve some of the analytics issues as we are dealing with a lot more data in real time or near real time,” he said. “So we have got to be a lot more sophisticated with our behavioral analytics and all of our data models to allow the distributed model to work quickly and effectively.”

I also spoke with Marshall Wolfe, senior IT officer for the networking company Gigamon. Joining the company in October 2014, he adopted a strategy to have best-in-class preventative security, augmented with the ability to detect an attacker as quickly as possible.

By establishing ongoing profiles of all users and network devices, Gigamon has a “known good” model for network and endpoint activity. From this, they can find anomalies that are indicative of an attack. 

“Gigamon taps every ingress and egress point across the world and brings data to a central spot in our headquarters,” he said. “We get the speed and reaction we need to control security.”

He explained that this area of technology is moving pretty fast as “there is a new company coming up every five minutes it seems”, and analysis of these companies led him to opt for LightCyber technology. “Others were bothersome in terms of sending data to another site, and others were operationally difficult or we could not get customer support, and with LightCyber we get huge support as a customer. They have got a great team of people and for me this is the big differentiator, and not just keeping up with technology,” he said.

Wolfe’s team is relatively small and doesn’t permit him to spend a lot of time and labor on analysis, and he said that what he needed was “a tool like LightCyber that slaps you across the face with what is potentially wrong and what you need to act on now.”

He said: “On a daily basis, all we can attack is what LightCyber refers to as confirmed threats, and remediate immediately and as we go through we have time to figure out what is needed and accepted, as unverified pieces are coming up as suspicious and we don’t have time to look at those in a small team.”

“We all receive all of the alerts constantly, and that is what we determine upon and triage to do. If there are attacks going on, this shows us everything and we can determine what to work on with list of things remediated.” 

I asked him if the deep-dive technologies were more usable, and Wolfe said that if he had a choice he would not bother with endpoints as they cause more problems than they solve, as today’s consumer systems use Mac and Linux, and the different platforms are hard to work with.

“The world has got to turn towards behavioral analytics, profiling and trying to separate profiling from the network, endpoint and user; they are the same in conjunction from user to network and destination, and to see it graphically and figure out what is new and what cannot be explained and the ability to dig down is fantastic,” he added.

“We are all looking at the same data and Amazon Web Services will be the next great victory versus on-premise or cloud, as visibility has not been great from a network perspective and this is an area we will be attacking in the coming months."

What’s hot on Infosecurity Magazine?