This morning, EMC announced a new landmark product: RSA Security Analytics.
While there's a lot to appreciate in the specifics of the product itself, I think the real story is how this announcement evidences a substantial shift in how we think about information security.
Information has quickly become the most critical enterprise asset. It's inevitably attracted a new class of attacks and attackers.
As a result, information security concerns have quickly escalated beyond IT to the board of directors. The threat landscape has radically shifted over the last few years -- and people are paying very close attention.
At the same time, big data analytics has amply demonstrated its power to radically transform the effectiveness of most any important business process. Powerful predictive models fed with diverse data sources routinely produce astonishing results.
Improving information security most certainly qualifies as one of those critically important business processes.
And it shouldn't be any surprise that security professionals are starting to reach for a new class of more powerful tools.
It doesn't seem that long ago that most of the security discussion was focused on things like authentication, firewalls, information leakage and the like. The goal appeared to be to build a moat around the enterprise, with only one way in and one way out.
But we've collectively realized that any barrier can only be partially effective at best.
Dubbed "advanced threats", the new bad guys are typically well-organized and well-funded. They choose their targets, and bring an inordinate amount of patience and persistence to setting up shop behind the firewall, with the goal of exfiltrating all sorts of valuable data.
Although I'm not deep into the security world, the shift I've observed in IT security priorities has been sharp and substantial.
Assume you've been penetrated. Now what?
IT Security In 30 Seconds
I'm notorious for over-simplifying complex and nuanced topics, so let me attempt to prune current IT security thinking down to the core basics.
First, you still want to invest in keeping the bad guys -- and the bad stuff -- out. Sometimes called "perimeter defense", these are all the familiar tools: firewalls, anti-virus, anti-malware, authentication and so on.
But in a world where the attackers go under the wall, around the wall, or simply walk through the door masquerading as a trusted employee, traditional perimeter defenses can no longer be assumed effective. It's becoming more useful to assume that you've already been breached -- or potentially will be soon.
Second, you want to absolutely minimize the "free time" you give the bad guys to do their work. Often, it takes them substantial time to look around, escalate their privileges and cover their tracks.
This is where the new RSA Security Analytics product fits in.
Finally, you want to drive an expedited remediation workflow when something suspicious is detected. Elsewhere in the RSA portfolio, the Archer platform targets that upper-level business process management.
Prevention, detection, remediation -- it's the new face of IT security.
The Big Data Perspective
The good news? Just about everything in a modern IT environment generates a log or trail of some sort: networks, gateways, authentication, applications, and so on.
More good news? There's a growing wealth of external information on what the bad guys are doing, as they frequently use the same tools and techniques repeatedly.
The hard part? Collecting and analyzing all those wildly diverse data sources to quickly spot the potential threat is a classic big data analytics problem.
Superior performance is a must -- speed matters here. The threats and the detection techniques are continually evolving: you need a set of extensible platform capabilities that supports new data sources, a wide range of modeling tools, and so on. Yes, you want immediate value out-of-the-box, but you also need the flexibility to adapt and evolve your capabilities -- more of a "platform" than a "product".
And that's precisely what RSA Security Analytics does. While any product has to be evaluated on its own merits, it does have the benefit of some great DNA: RSA's previous enVision and NetWitness products, as well as experience with large-scale Hadoop-based platforms.
Security As Intelligence?
Again, I'm not deeply immersed in the world of IT security, but it's seemed to me that so much of it can be checklist-oriented.
Firewall? Check! Anti-malware? Check! Current patches applied? Check!
Buy these products, do these things and you're good -- or, at least, no one can blame you if something bad happens.
In the geopolitical world, advanced security always involves notions of intelligence -- invest the resources to detect and predict what your attacker will do, hopefully before they do it.
Even smaller countries have an intelligence group for this very reason. In many ways, the same patterns are quickly coming to the IT security world.
Anti-malware? Not interesting. Intelligence-driven, big-data-enabled malware detection and remediation? Interesting.
Firewalls? Not interesting. Intelligence-driven, big-data-powered, context-relevant next-generation firewalls? Interesting.
SIEM and log management? Not interesting. Intelligence-driven, big-data security analytics? Interesting!
It looks like IT security is going to get really smart, really quickly here -- which creates an entirely new challenge for security professionals.
The Skills and Roles Perspective
On one hand, if you take a product like RSA Security Analytics, it's deceptively easy to set up and use. Fire it up, connect it to a bunch of data feeds, let it run for a while, and see what it tells you. A lot of work has gone into data presentation, the rules database and workflows, and it's all useful right out of the box.
See something, err, anomalous? Three clicks and you can get right up close to what's going on.
But with great power comes great responsibility. It's not long before you realize that these new tools create a new way of doing IT security.
IT security professionals now spend much more time focusing on things that are important (e.g. process improvement), and less time doing rote work such as poring through log files.
In the face of powerful new tools, new skills and new roles are becoming required. Borrowing an example from the software development world -- sure, it's deceptively easy to code in, say, Ruby or Python. But it's another thing entirely to get really good at it, especially in large, complex environments.
Against a backdrop of a generally tight IT skills market, top-shelf security expertise is notoriously difficult to find for most enterprise IT organizations.
Matters can appear even more challenging -- there's now an incredibly important sub-discipline around security analytics: basically taking big data techniques into the security world -- data science, if you will. And there aren't a lot of those data science folks around, either.
For security professionals who recognize this shift, our RSA team is working hard to create a thorough set of coursework and certifications in this emerging area, but there's nothing to publicly announce yet. I would expect it sooner rather than later, based on past experience.
My view is simple: this skill-set shift might be a quiet opportunity for some IT shops. Give most any security professional an opportunity to upgrade their skills and tool proficiency -- especially around security analytics -- and that can be an attractive career opportunity for a lot of people.
We saw the same thing happen when cloud hit the market -- there was a clear shortage of skilled cloud architects and cloud process engineers. The IT organizations that positioned the role as a learning opportunity found it much easier to find qualified applicants. Perhaps we'll see the same sort of thing here.
Needless to say, fully exploiting security analytics will eventually require a non-trivial amount of process re-engineering: not only in the protocols around early detection, but expedited workflows for fast response.
Time is money when it comes to advanced threats.
Does Big Data Change Everything?
As of late, there seems to be increased commentary about the predictable disillusionment with the power of big data, with plenty of criticism doled out to the vendor community for over-hyping the concepts.
I'm not surprised.
Like anything else, big data analytics is a powerful tool to be wielded. It's not a convenient pill to be swallowed with magical results.
Those who recognize this -- and are prepared to invest substantial effort in new ways of doing things -- are seeing amazing results. And when they see that "first light", it inevitably kicks off an increased investment pattern.
History can repeat itself: there now exists a substantial collection of compelling anecdotal stories. Progressive security teams have brought in the new RSA tools just to see what they can do and -- frequently -- they make a startling discovery, and we're usually off to the races.
Yes, big data can change anything and everything.
Including how we think about modern information security.