Security Analytics - A Marriage between Big Data Analytics and Cybersecurity
“Big Data” refers to the high volume, velocity, and variety of information assets that demand cost-effective, innovative, and reliable forms of information processing for enhanced insight and decision-making. Computing frameworks such as Hadoop allow us to generate value out of Big Data.
“Cybersecurity” is the body of techniques, processes, and methodologies used to protect networks, computers, programs, and data from malicious attacks, damage, or unauthorized access.
Why do we need big data for cybersecurity?
- Businesses and organizations face unprecedented security risks introduced by phenomena such as the consumerization of IT. Network boundaries are dissolving fast, and more vulnerabilities emerge.
- Cyber attacks evolve fast and are becoming more skilled, sophisticated, and persistent, which makes them harder to detect and deter.
- Traditional signature-based approaches are no longer sufficient and effective.
The rapid development of the big data paradigm allows us to capture, store, and analyze the huge amounts of data generated in the cyber world. Big data can fuel intelligence-driven security by doing the following:
- Assess risks
- Detect illicit activities and advanced cyber threats
- Allow advanced predictive capabilities
- Serve cyber incident response & investigation services
- Deliver compliance
What types of “big data” do we use for security informatics?
| Data | Possible Data Source | Possible Intelligence to Derive |
| --- | --- | --- |
| Network and host traffic data | SIEM, network monitoring, and application monitoring | Are there traffic anomalies to/from these servers? |
| Web transaction data | Authentication data, transaction monitoring, application logs, SQL server logs, network session data | Has suspicious activity been observed in sensitive/high-value applications and assets? |
| Infrastructure data | IT assets, configuration management, vulnerability management | |
| Identity/credential data | Authentication data, server logs, asset management, SIEM, network monitoring | |
How to design and adopt a security analytics solution?
- Develop security analytics business strategy
- Participate in analytics training and workshops
- Implement a centralized data management infrastructure
- Implement an analytics platform
- Hire data scientists as consultants
- Implement a “Network Monitoring” layer
- Implement a “Suspicion Alert” layer
- Streamline analytics with current workflow
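The table above asks whether there are traffic anomalies to or from a given server, and the design steps call for a “Network Monitoring” layer feeding a “Suspicion Alert” layer. The following is an added example, not code from the original text or from the author's institute, of what the smallest version of that pipeline looks like in practice: network session records are parsed, aggregated per server per day, a per-server baseline is learned from a training window, and two detectors raise alerts, one for outbound volume that deviates from the baseline by more than a chosen number of standard deviations, and one for peers a server has never talked to before. The log format, the server names, the peer addresses, and the byte counts are all constructed for the example; at scale the same aggregation would run on a cluster such as Hadoop rather than in memory.

```python
"""Added example: a minimal "suspicion alert" layer over network session records.

All records, hosts and addresses below are constructed sample data for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample session log: <date> <server> <peer> bytes_out=<n>.
# srv-db-01 has a steady pattern for four days, then on day five pushes ~480 KB
# to an address it has never contacted; srv-web-01 stays steady throughout.
SAMPLE_LOG = """\
2024-03-01 srv-db-01 10.0.1.20 bytes_out=5100
2024-03-01 srv-db-01 10.0.1.21 bytes_out=4900
2024-03-02 srv-db-01 10.0.1.20 bytes_out=5300
2024-03-02 srv-db-01 10.0.1.22 bytes_out=4700
2024-03-03 srv-db-01 10.0.1.20 bytes_out=5000
2024-03-03 srv-db-01 10.0.1.21 bytes_out=5200
2024-03-04 srv-db-01 10.0.1.20 bytes_out=4800
2024-03-04 srv-db-01 10.0.1.23 bytes_out=5100
2024-03-05 srv-db-01 10.0.1.20 bytes_out=5100
2024-03-05 srv-db-01 203.0.113.9 bytes_out=480000
2024-03-01 srv-web-01 10.0.2.5 bytes_out=12000
2024-03-02 srv-web-01 10.0.2.5 bytes_out=11500
2024-03-03 srv-web-01 10.0.2.5 bytes_out=12300
2024-03-04 srv-web-01 10.0.2.5 bytes_out=11900
2024-03-05 srv-web-01 10.0.2.5 bytes_out=12100
"""

# Days used to learn each server's normal behaviour (the "training window").
BASELINE_DAYS = {"2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04"}


def parse_sessions(text):
    """Parse log lines into (day, server, peer, bytes_out) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, server, peer, field = line.split()
        key, value = field.split("=")
        if key != "bytes_out":
            raise ValueError(f"unexpected field in record: {line!r}")
        sessions.append((day, server, peer, int(value)))
    return sessions


def daily_totals(sessions):
    """Aggregate outbound bytes per server per day: {server: {day: total}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, server, _peer, bytes_out in sessions:
        totals[server][day] += bytes_out
    return totals


def flag_volume_anomalies(sessions, baseline_days, threshold=3.0):
    """Return (server, day, total, z) for days whose outbound volume deviates
    from the server's own baseline by more than `threshold` standard deviations."""
    alerts = []
    for server, per_day in daily_totals(sessions).items():
        base = [total for day, total in per_day.items() if day in baseline_days]
        if len(base) < 2:
            continue  # not enough history to form a baseline for this server
        mu, sigma = mean(base), pstdev(base)
        for day, total in sorted(per_day.items()):
            if day in baseline_days:
                continue
            if sigma > 0:
                z = (total - mu) / sigma
            else:  # perfectly flat baseline: any change at all is anomalous
                z = 0.0 if total == mu else float("inf")
            if abs(z) > threshold:
                alerts.append((server, day, total, round(z, 1)))
    return alerts


def flag_new_peers(sessions, baseline_days):
    """Return (server, day, peer) the first time a server talks to a peer that
    never appeared in its baseline window."""
    known = defaultdict(set)
    for day, server, peer, _ in sessions:
        if day in baseline_days:
            known[server].add(peer)
    alerts, reported = [], defaultdict(set)
    for day, server, peer, _ in sorted(sessions):
        if day in baseline_days or peer in known[server] or peer in reported[server]:
            continue
        reported[server].add(peer)
        alerts.append((server, day, peer))
    return alerts


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for server, day, total, z in flag_volume_anomalies(sessions, BASELINE_DAYS):
        print(f"VOLUME  {server} {day}: {total} bytes out (z={z})")
    for server, day, peer in flag_new_peers(sessions, BASELINE_DAYS):
        print(f"NEWPEER {server} {day}: first contact with {peer}")
```

Both detectors are deliberately per-server: a global threshold would either drown the database host's small baseline in the web server's larger one or miss the deviation entirely, which is the reason the table pairs each data type with the question it can answer. The new-peer check is the cheaper signal and fires on the same day as the volume spike here, but the two are independent; a slow exfiltration that stays under the volume threshold would still trip the peer check, and a burst to a known peer would still trip the volume check.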
Dr. Wei Wei
Associate Director of Research & Education
Cyber Security Institute
College of Science and Engineering
University of Houston - Clear Lake