SAN FRANCISCO - Applying big data approaches to information security can help enterprises build better situational awareness capabilities, but implementation could prove to be a major challenge, security experts said at the RSA Conference 2013 being held here this week.
Companies such as RSA and Symantec are using the conference to spell out their strategies of using new data aggregation, correlation and analytics approaches to help enterprises sift through huge sets of structured and unstructured data for threat indicators. The idea is that such data aggregation and correlation will help companies spot trends and threats that conventional signature-based security tools are unable to detect.
Unlike conventional security approaches that are focused largely on blocking attacks, the new approaches emphasize breach detection and response almost as much as breach prevention. The goal is to help companies block the threats they can while helping them detect and respond to the ones they miss.
In an inaugural keynote address, RSA chief Art Coviello said that the need for big data approaches was being driven by the increasing number of targeted and persistent attacks against U.S. businesses and government organizations. The sheer volume and variety of data being collected and mined by enterprises these days also is driving the need for new approaches to protect that data from adversaries, he said.
Instead of deploying point products and perimeter defenses, companies need to adopt a security model that is based on actual threats and threat intelligence, Coviello said.
U.S. organizations are caught up in an increasingly asymmetric war against cyber enemies that are better armed, better prepared and better organized than they are, said Francis deSouza, president of products and services at Symantec.
"Attackers have to be right just once, we have to be right every time," deSouza said in a keynote address at the conference. So rather than focusing purely on blocking all threats, companies should be using big data analytics approaches to detect intrusions and mitigate them, he said.
In theory at least, the idea of bolstering security by looking at and analyzing vast data sets is a good one, said several IT managers and security experts at the RSA show.
But getting there could take some doing, said Christopher Pierson, chief security and compliance officer at LSQ Holdings, a financial services company. "I think that the problem of having insight into log files and all your appliances has been pervasive," Pierson said.
Currently available security incident and event management (SIEM) tools already allow companies to aggregate huge amounts of log data from multiple security devices and bring it all to one system, he said. But "the real problem with SIEMs is the ability to analyze the data and correlate that data so that precursor hacking evidence or actual intrusions can be detected," and acted upon.