
ISC8, 21CT, Click Security, Hexis Cyber Solutions, IBM, Lancope, Leidos, LogRhythm, Netskope, RSA Security, and Solera Networks machine learning (e.g. 21CT, LogRhythm, SilverTail, etc.) and behavior anomaly detection (e.g. Click Security, Lancope, Netskope, Solera Networks, etc.).

39% of organizations say they are challenged by a lack of adequate staffing in security operations/incident response teams. Real-time big data security analytics tools must make existing staff more efficient and productive to overcome this limitation.

35% of organizations say they are challenged by too many false positive alerts. Real-time big data security analytics tools must use stream processing, advanced intelligence, algorithms, and visual analytics to filter out the noise and pinpoint problems with high accuracy.

29% of organizations say they are challenged because incident detection involves too many manual processes. This one is tough because security analysts pride themselves on their ability to spot an anomaly and pivot from data point to data point to find real problems. While this behavior is certainly admirable, it doesn't scale. Real-time big data security analytics tools should support analysts' standard operating procedures but also help them automate investigations and forensic collection. This could be the catalyst that finally changes security analysis from art to science.

29% of organizations say they are challenged because incident detection depends upon too many independent tools that aren't integrated together. So real-time big data security analytics must supersede this army of point tools (with advanced functionality and integration). To paraphrase Harry Truman, the (incident detection) buck stops here.

Big data security analytics solutions also distinguish themselves based upon three basic characteristics:

Scale. Big data security analytics solutions must have the ability to collect, process, and store terabytes to petabytes of data for an assortment of security analytics activities.

Analytical flexibility. Big data security analytics solutions must give users the ability to interact with, query, and visualize this volume of data in an assortment of ways.

Performance. Big data security analytics solutions must be built on an appropriate compute architecture to run analytic algorithms and complex queries and then deliver results in an acceptable timeframe.

In the early stages of this market, big data security analytics solutions are being developed and introduced along a continuum. There are two poles and thus two types of big data security analytics solutions that make up this scale:

1. Real-time big data security analytics solutions
2. Asymmetric big data security analytics solutions

Real-time big data security analytics solutions are actually an evolution of present-day SIEM and log management solutions, rebuilt for modern scale and performance requirements. These solutions are built around a distributed architecture made up of appliances designed for local stream processing and collective parallel processing. Real-time big data security analytics solutions tend to collect and analyze old standby data like logs, network flows, and IP packets across the enterprise, with a view of the data from L2 through L7. Many of these solutions are based on some type of proprietary data repository as well. Examples of real-time big data security analytics solutions include Click Security, Lancope, and Solera Networks.

Asymmetric big data security analytics is a relatively new category of solutions designed for the non-linear needs of security analysts, who typically pivot from query to query as they investigate individual security events and/or anomalous behavior across systems, networks, user activity, etc. Asymmetric big data security analytics solutions can be built on proprietary data repositories, but it is likely that all products will support big data technologies like Cassandra, Hadoop, and other NoSQL stores over time. Security analysts will feed these solutions with batch updates containing terabytes of structured and unstructured data in order to look at historical security trends over long periods of time. Asymmetric big data security solutions will be anchored by machine learning algorithms, cluster analysis, and advanced visualization. Early solutions in this area come from vendors like LexisNexis, PacketLoop, and RedLambda.

Obviously, malware is circumventing existing security controls without triggering any alarms on traditional SIEM tools. So what can organizations do to improve their malware detection and response capabilities? Many are turning to network forensic tools. Wikipedia defines network forensics as follows:

"Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection."

Of course, network forensics is nothing new. Security analysts have been using tools like Ethereal, Wireshark, and various other network sniffers for years. So what's different? First, users are now using network forensics in a more proactive manner to help them detect suspicious activities as soon as possible. Second, security and networking vendors are offering canned products designed for more pedestrian users. Finally, commercial network forensic tools support security analysts with custom algorithms for incident detection.

Network forensic tools tend to collect a lot of data. Some provide full packet capture (i.e. they copy every packet that crosses the network), which earned them the quaint but antiquated nickname "network VCR." Others eschew full packet capture in favor of some unique formula for metadata capture and analytics. The trade-off is fidelity against retention: full capture preserves payloads for later investigation at a much higher storage cost, while metadata records give up payload detail in exchange for longer retention windows over the same budget.

Are these tools necessary? Maybe not for mid-market organizations, but large enterprises with global networks will certainly want to kick the network forensic tires. Look at a few recent security events and ask whether network forensics could have sped up the detection and remediation process. Think about how you could add network forensics information into security and legal investigations as well. Network forensics is likely a good fit.

There is also reason to believe that this is a market that is about to explode. In fact, ESG research indicates that 49% of organizations plan to collect and analyze more security data over the next 24 months. Much of this data will be network-based and will likely come from network forensic tools. As far as products go:

1. Endace (now part of Emulex), RSA Security Analytics (aka NetWitness), and Solera Networks (now part of Blue Coat) are all large, stable companies. They may be the best choice for risk-averse CISOs.
2. Click Security is designed from the ground up for network analytics. The goal is to remove the guesswork and actually pinpoint problems in real time. Creative CISOs looking for a new angle on an old problem will find Click intriguing at the very least.
3. LogRhythm just entered the network forensic market with a stand-alone product that is tightly integrated with its existing SIEM. This makes LogRhythm an attractive option for CISOs looking for an integrated security analysis solution (i.e. SIEM plus network forensics).
4. Although not technically a network forensics tool, Lancope provides similar functionality and has a long track record in the market.
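To make the full packet capture versus metadata capture distinction drawn above concrete, here is an added example; it is not code from the original post or from any of the vendors named. It builds a handful of constructed Ethernet/IPv4/TCP frames, decodes the L2 through L4 headers plus a crude L7 hint (the "L2 through L7 view" the real-time tools are described as having), aggregates the frames into per-5-tuple flow records the way a metadata-oriented sensor would, and compares the bytes a "network VCR" would retain with the bytes the metadata records occupy. The addresses, payloads and the `app_hint` heuristic are assumptions made up for the example, and checksums are not computed because the parser never validates them.

```python
"""Full packet capture vs. flow-metadata capture over constructed frames (added example)."""
import json
import socket
import struct
from collections import OrderedDict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Constructed Ethernet II / IPv4 / TCP frame for the example (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode L2-L4 headers; return the fields a metadata sensor keeps, or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    if proto != IPPROTO_TCP:
        return None
    tcp_start = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", frame[tcp_start:tcp_start + 14])
    payload = frame[tcp_start + (off_res >> 4) * 4:14 + total_len]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}


def app_hint(payload):
    """Crude L7 classification from the first payload bytes (assumed heuristic, not a real DPI engine)."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http-request"
    if payload.startswith(b"HTTP/1."):
        return "http-response"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:  # TLS record, handshake
        return "tls"
    return "unknown"


def summarize_flows(frames):
    """Aggregate (timestamp, frame) pairs into unidirectional per-5-tuple flow records."""
    flows = OrderedDict()
    for ts, frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue  # non-IPv4/TCP traffic is dropped by this simplified sensor
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = {"src": pkt["src"], "dst": pkt["dst"], "sport": pkt["sport"],
                                "dport": pkt["dport"], "proto": "tcp", "first_seen": ts,
                                "last_seen": ts, "packets": 0, "bytes": 0, "flags": 0, "app": "unknown"}
        rec["packets"] += 1
        rec["bytes"] += len(frame)
        rec["last_seen"] = ts
        rec["flags"] |= pkt["flags"]
        if rec["app"] == "unknown":
            rec["app"] = app_hint(pkt["payload"])
    return list(flows.values())


def capture_sizes(frames):
    """Bytes retained by full packet capture vs. by JSON flow metadata for the same traffic."""
    full = sum(len(f) for _, f in frames)
    meta = len(json.dumps(summarize_flows(frames)).encode())
    return full, meta


# Constructed sample traffic: an HTTP download of something that looks like a PE file, a TLS
# client hello, and one frame of non-IPv4 junk that the parser must ignore.
SAMPLE_FRAMES = [
    (1.000, build_frame("10.0.0.5", "203.0.113.10", 51000, 80, b"", flags=0x02)),  # SYN
    (1.010, build_frame("10.0.0.5", "203.0.113.10", 51000, 80,
                        b"GET /update.exe HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n")),
    (1.050, build_frame("203.0.113.10", "10.0.0.5", 80, 51000,
                        b"HTTP/1.1 200 OK\r\n\r\n" + b"MZ" + b"\x00" * 400)),
    (2.000, build_frame("10.0.0.7", "203.0.113.20", 51234, 443, b"\x16\x03\x01\x00\x05hello")),
    (2.500, b"\xff" * 40),
]

if __name__ == "__main__":
    for rec in summarize_flows(SAMPLE_FRAMES):
        print(rec)
    full, meta = capture_sizes(SAMPLE_FRAMES)
    print(f"full capture: {full} bytes, flow metadata: {meta} bytes")
```

The flow records are what a metadata-only sensor could keep for months; the `MZ` header that makes the download interesting survives only in the full capture, which is the fidelity the "network VCR" approach buys with its storage.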