Turning to "big data" analytics techniques can improve security intelligence, but on its own it cannot provide a complete picture of the security threats facing the enterprise.
According to a panel of experts at Infosecurity Europe, turning to data analytics tools to improve threat detection and alerts has the potential to make businesses more secure – but only if the data can be combined with other sources of intelligence, including those from outside the business.
IT security teams can access ever larger volumes of data, from hardware systems, from logs, and from the alerts generated by tools such as data loss prevention systems. But the sheer volume involved often makes it hard to triage threats by severity.
Big data security intelligence – drawn from data analytics tools developed for other business purposes – can help. In particular, big data analytics tools can process large volumes of data quickly, which should enable a quicker and more effective security response.
But to do this, organisations need to overcome a number of barriers.
"There are two dimensions: the large quantities of data, and the quality of data," said Dragan Pendic, chief security architect at Diageo. "To do something meaningful, you need significant data quality, so you know what to break out. That is not different to what data analytics departments are doing," he pointed out. "But what drives quality is context." Putting a security alert into context allows the IT security team to understand the threat, and to marshal the right response.
"You can analyse for particular trends, and go down to very detailed levels," said Alex Booroff, head of information security at Carphone Warehouse. "You can see whether a member of staff has swiped in to the building, and, if not, ask why their Active Directory account is in use."
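The badge-swipe check Booroff describes is a correlation between two data sources, and it is also a concrete instance of the "context" Pendic refers to: the badge log is what turns a routine logon event into something worth an alert. As an added example that is not from the article or from any of the panel speakers, the Python below joins a constructed badge log with constructed Active Directory logon records and flags on-premises interactive logons by accounts that have not badged in. The office network range, the logon-type codes, the 12-hour look-back window and all of the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the article): timestamp,account,action
BADGE_LOG = """\
2024-03-04T08:02:11,alice,swipe_in
2024-03-04T08:15:40,bob,swipe_in
2024-03-04T17:30:05,alice,swipe_out
"""

# Constructed sample data: timestamp,account,source_ip,logon_type
# (logon_type follows Windows event 4624: 2=console, 3=network, 10=RDP, 11=cached)
AD_LOGONS = """\
2024-03-04T08:10:00,alice,10.1.2.33,2
2024-03-04T08:20:00,bob,10.1.2.44,2
2024-03-04T09:05:00,carol,10.1.2.55,2
2024-03-04T09:30:00,bob,203.0.113.7,3
2024-03-04T11:00:00,dave,10.1.9.9,3
2024-03-04T18:05:00,alice,10.1.2.33,2
2024-03-05T07:00:00,bob,10.1.2.44,2
"""

ON_PREM_NETWORKS = [ip_network("10.0.0.0/8")]  # assumption: the office LAN
ON_SITE_LOGON_TYPES = {2, 10, 11}              # logons that imply a person at a desk
LOOKBACK = timedelta(hours=12)                 # assumption: how long a swipe-in stays valid


def parse_badge(text):
    """Group badge events per user, sorted by time."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, action = line.split(",")
        events[user].append((datetime.fromisoformat(ts), action))
    for lst in events.values():
        lst.sort()
    return events


def parse_logons(text):
    """Parse logon records into (timestamp, user, ip, logon_type) tuples."""
    out = []
    for line in text.strip().splitlines():
        ts, user, ip, ltype = line.split(",")
        out.append((datetime.fromisoformat(ts), user, ip_address(ip), int(ltype)))
    return out


def is_on_prem(ip):
    return any(ip in net for net in ON_PREM_NETWORKS)


def badged_in(badge_events, user, at):
    """True if the user's latest badge event inside the look-back window is a swipe_in."""
    last = None
    for ts, action in badge_events.get(user, []):
        if at - LOOKBACK <= ts <= at:
            last = action
        elif ts > at:
            break
    return last == "swipe_in"


def find_ghost_logons(badge_text=BADGE_LOG, logon_text=AD_LOGONS):
    """Return (timestamp, user, ip) for on-site logons with no supporting badge swipe."""
    badge = parse_badge(badge_text)
    flagged = []
    for ts, user, ip, ltype in parse_logons(logon_text):
        # Remote, VPN and service logons need a different baseline; skip them here.
        if ltype not in ON_SITE_LOGON_TYPES or not is_on_prem(ip):
            continue
        if not badged_in(badge, user, ts):
            flagged.append((ts.isoformat(), user, str(ip)))
    return flagged


if __name__ == "__main__":
    for ts, user, ip in find_ghost_logons():
        print(f"{ts} {user} logged on from {ip} with no badge swipe in the last {LOOKBACK}")
```

On the sample data this flags three logons: carol, who never badged in; alice, whose evening logon comes after her swipe-out; and bob, whose next-morning logon falls outside the look-back window of his previous day's swipe-in. The two network logons (type 3) are deliberately ignored, because a service or file-share connection from an office address does not imply a person at a keyboard; treating them the same way would bury the useful alerts in noise, which is exactly the data-quality problem the panel describes.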
Having access to more data can help to make more sense of the information coming out of security monitoring systems, suggested Jagdeep Bhambra, head of technology, Office of the CTO, Government Digital Services. "Before, you had an SOC that looked at the data in aggregate. We can now look at that at any level, from any machine that spits out data. That could turn many security models on their heads."
But, according to Calvin Dickinson, director of information security, operations, incident response and resilience, Amgen, there are also privacy issues. "What type of equipment and monitoring do you want to introduce? From a privacy point of view, it depends on what data you are holding. The key is to understand that."
And although better security monitoring and more powerful analytics do help, organisations need to look at big data security intelligence in the context of a less well-defined perimeter. "There is less activity on the network and more outside the perimeter," said Pendic. "You need something hybrid, that can look at [systems] on and off premise. Do you have a lens into cloud services? We now have more people using cloud services than are using our network."