Big Data Security Analytics

For the last few decades, security teams have taken a “point product” and best-of-breed approach to securing their environments.  Although historically this approach has been considered a best practice and has served organizations fairly well, the current state of malware and the sophistication of bad actors have changed the game.  There is no question that tools like firewalls, anti-virus, intrusion detection/intrusion prevention (IDS/IPS), Security Information Event Management (SIEM), Network Access Control (NAC), Deep Packet Inspection (DPI), Packet Sniffers, Data Leakage Protection (DLP) and many others are requirements for an effective defense in depth approach.  Furthermore, the systems most organizations have put in place today are inadequate for preventing security breaches.  Over the last several years, there has been a steady stream of high profile breaches, with the latest being Yahoo’s loss of 1 billion account records.  I recently read an article that defined five factors for evaluating big data security analytics platforms:

• Unified Data Management Platform
• Support for Multiple Data Types
• Scalable Data Ingestion
• Security Analytics Tools
• Compliance Reporting

I wanted to spend some time associating these buying criteria with Plixer’s approach to delivering security analytics, cyber threat forensics, and incident response.

Unified Data Management Platform

The large number of security tools deployed in most organizations generate lots of data.  The question to consider is what data to consolidate and where.  One opportunity to collect and consolidate security-related data (that was not mentioned above) can be found in gathering metadata from the network traffic itself as it traverses the infrastructure.  That metadata can be in the form of NetFlow, IPFIX, and vendor specific exports.  Scrutinizer’s forensic database can be a single source of truth for flow data, vendor-specific metadata, and even log consolidation (leveraging Replicator to translate syslog to flow exports).  For organizations looking for further data consolidation, Scrutinizer can act as a data broker, forwarding information upstream to third-party tools like Splunk, LogPoint, and Endace, as examples.

Support for Multiple Data Types

As mentioned above, Scrutinizer can consume and report on NetFlow, IPFIX, Syslogs and vendor-specific metadata (beyond NetFlow and IPFIX) exports from tools such as Cisco IWAN, Cisco WLAN Controller, Cisco ASA, FirePOWER services, Juniper switches & routers, Gigamon, Ixia, Palo Alto Networks, Endace, Splunk, Elasticsearch/Kibana, Forescout, and many others.

Scalable Data Ingestion

Scrutinizer was designed from the ground up to support large scale deployments. Distributed Collectors allow for a scale of over 6 million flows per second from over 100,000 exporting devices.

Security Analytics Tools

Scrutinizer has embedded security analytics algorithms including behavior analysis, which are run against the database to look for suspicious activity deviating from normal behavior (both device and traffic patterns).  In addition, for organizations that want to export data into a Hadoop environment, Scrutinizer supports industry-standard Kafka data streaming.

Compliance Reporting

Industries like healthcare (HIPAA), financials (SOX), retail (PCI), electric utilities (NERC), education (FERPA), and many others fall under regulatory compliance laws.  For the most part, these laws define rules under which organizations must operate to protect and ensure data integrity.  In an effort to strive toward regulatory compliance, many organizations implement a Control Objectives for Information Related Technologies (COBIT) framework.  Although there are many different regulations across many industries, the common factor is that auditors measure organizations against the regulations, often using COBIT as their measuring stick.  They look for policies that are defined, consistently enforced, and automated.  They also look for proof points demonstrating that these policies are enforced in all circumstances.  Compliance reporting is a great way for companies to deliver proof to auditors as well as offer companies the ongoing ability to make sure the policies they think are in place are actually being enforced in practice.  Scrutinizer offers fully customizable reporting great for the audit process as well as day to day monitoring.

Next Steps

The sophistication and complexity of today’s cybersecurity landscape is driving IT professionals to rethink their approach to security.  It is no longer a question of whether a security breach will happen; it is now a question of what data is available to forensically react to these inevitable breaches.  Point product and best-of-breed security architectures need to evolve and give way to a big data security analytics approach.  Plixer has many customers that use Scrutinizer as a primary source of consolidated forensic data.  There are also many whose network and security operations teams use Scrutinizer locally while also exporting information to external platforms like Splunk, LogPoint, Endace, and others.  Scrutinizer is built with the flexibility to serve the needs of IT professionals today and well into the future.  For more information, please visit www.plixer.com.