There was a time when an enterprise network was a self-contained system, allowing traffic in and out of the network via routers and gateways that could closely monitor data traffic, and making it easier to manage data security. With the ongoing migration to a more open infrastructure, where external data sources are closely linked to enterprise processes to promote better performance and interoperability, security measures must evolve as well to meet the demands of new enterprise application interoperability.
Under the old rules of enterprise networking, security is largely reactive. Data traffic is monitored, and when an anomaly or security threat is identified, it is flagged and isolated. With increased interoperability—including new data sources such as mobile applications, the Internet of Things (IoT) and big data sets—addressing security threats becomes more challenging.
As the volume of enterprise data increases, and the types of data become more varied, filtering data traffic just doesn’t work. Searching for isolated security threats becomes like looking for a needle in a haystack. Instead, network architects are adopting new strategies to improve systems monitoring, model systems behavior to identify threats, encrypt and protect data in transit, and identify threats in real time.
SIEM: Security Information and Event Management
Rather than relying on individual data points to monitor for security threats, IT administrators are getting an end-to-end view of enterprise data traffic and systems interoperability using security information and event management (SIEM) software.
SIEM is designed to extend network security by giving you the big picture of network security in a single view. Rather than trying to track multiple data points looking for threats, SIEM software relates infrastructure-related events and reports them as they are detected to provide a comprehensive picture of enterprise security. Information about log-ins, antivirus threats, blocked connections, port connection attempts, etc. are all accumulated and reported so you have an actively updated portrait of network security.
The SIEM software has a picture of baseline performance loaded into the system so any anomalous activity or data traffic that falls outside the norm can be flagged for analysis. By comparing different abnormalities, such as unusual log-ins or denied access, it’s possible to see patterns that identify a security breach or attack.
Threats are not limited to the infrastructure layer: transaction-level interactions can be fraudulent and pose a greater threat to the business. SIEM systems can collect information above the infrastructure level and intercept suspicious transactions using preset business rules (e.g. flagging a transaction whose authorization and request come from the same party).
Big Data Security Analytics
Big data analytics take SIEM one step further. Big data security analytics usually combine SIEM with performance and availability monitoring. However, because it is big data, the volume of data being analyzed is substantially greater, and analysis is performed in near real time. Big data security systems have five characteristics:
- Scalability – Data must be collected and processed in near real time, which means the system has to scale with the amount of network traffic. Data processing has to scale as well, because big data security is responsible for both packet analysis and correlating events across the network (e.g., an event at a server may be linked to an event at an endpoint or network device).
- Visualization – Going beyond simple dashboards, big data analytics must include visualization and reporting tools that present big data findings in real time and in a manner that lets security analysts quickly understand and act on the findings.
- Persistent big data storage – Because the analysis runs on big data, it requires big data storage and analysis capabilities—including big data storage systems such as the Hadoop Distributed File System—and batch processing with tools such as MapReduce.
- Information context – One of the advantages of big data analytics is that it presents data in the context of users, devices and events. Context refines detection of unusual behavior and security events and minimizes false positives.
- Breadth of functions – This is essential to interoperability security. By design, big data solutions can filter different types of data for analysis, such as enterprise data, mobile data and the IoT. They also can gather data from multiple sources such as network traffic, data from physical devices and virtual servers, and software data. Rich information can extend detection to encompass more potential types of security threats.
And because big data analytics are performed in near real time, the systems can be automated to address security and interoperability issues on their own. As with SIEM, big data can use an established baseline of network performance and then apply preprogrammed responses to unusual activities, automatically remediating the problem in real time and recording events for analysis later.
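The baseline-plus-correlation-plus-response loop described in the SIEM section and the list above, as an added example that is not part of the original article or any vendor's product. It ingests constructed events from three sources (auth server, firewall, business application), compares per-entity counts against an assumed baseline, links an over-baseline login pattern on an endpoint to over-baseline blocked connections from the same host, applies the same-party transaction rule from the text, and maps each finding to an assumed preprogrammed response name without executing anything.

```python
from collections import Counter

# Constructed sample events from three sources; illustrative records, not from a real system.
FAILED_BOB = {"src": "auth", "type": "login", "ok": False, "user": "bob", "host": "ws-07"}
EVENTS = [FAILED_BOB] * 4 + [
    {"src": "auth", "type": "login", "ok": True, "user": "alice", "host": "ws-03"},
    {"src": "fw", "type": "blocked_conn", "host": "ws-07", "dport": 445},
    {"src": "fw", "type": "blocked_conn", "host": "ws-07", "dport": 3389},
    {"src": "app", "type": "txn", "id": "T-100", "requester": "carol", "authorizer": "dave"},
    {"src": "app", "type": "txn", "id": "T-101", "requester": "eve", "authorizer": "eve"},
]

# Baseline "loaded into the system": assumed normal per-entity counts for one window.
BASELINE = {"failed_logins_per_user": 3, "blocked_conns_per_host": 1}

# Preprogrammed responses keyed by finding type (assumed names; nothing is executed here).
RESPONSES = {
    "failed_login_spike": "lock_account",
    "blocked_conn_spike": "isolate_host",
    "sod_violation": "hold_transaction",
}

def correlate(events, baseline=BASELINE):
    """Return (findings, actions): findings are (kind, entity) tuples, actions map entity -> response."""
    failed, blocked, user_host, findings = Counter(), Counter(), {}, []
    for e in events:
        if e["type"] == "login":
            user_host[e["user"]] = e["host"]  # remember which endpoint the user came from
            if not e["ok"]:
                failed[e["user"]] += 1
        elif e["type"] == "blocked_conn":
            blocked[e["host"]] += 1
        elif e["type"] == "txn" and e["requester"] == e["authorizer"]:
            findings.append(("sod_violation", e["id"]))  # business rule from the article
    for user, n in failed.items():
        if n > baseline["failed_logins_per_user"]:
            findings.append(("failed_login_spike", user))
            # Cross-source correlation: the same endpoint is also over its firewall baseline.
            host = user_host.get(user)
            if host and blocked[host] > baseline["blocked_conns_per_host"]:
                findings.append(("correlated_host_activity", host))
    for host, n in blocked.items():
        if n > baseline["blocked_conns_per_host"]:
            findings.append(("blocked_conn_spike", host))
    actions = {entity: RESPONSES[kind] for kind, entity in findings if kind in RESPONSES}
    return findings, actions

if __name__ == "__main__":
    for f in correlate(EVENTS)[0]:
        print(f)
```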
To promote interoperability and better enterprise security, solution providers need to show customers how to apply new tools and techniques that prevent security breaches, not just detect them. New security strategies, new software, big data analytics, remote monitoring and other tools and techniques can improve security for enterprise customers and present opportunities for solution providers at the same time.