CSOs were swimming in data way before it got big across the enterprise. Firewalls, intrusion detection systems and other security programs spit out scads of data. But the Big Data era is giving CSOs better tools to use.
"Security is all about the metrics, too, and analytics will give you that. You're logging it and can quantify it," says Peter Miller, CSO at Orange County, Florida, where he's been since 2000.
Miller says analytics is not just important for cyber security. Orange County has 3,000 surveillance cameras, and "we knew we couldn't have 3000 people looking at those cameras."
Analytics, some written in-house (he has four analytics specialists in his physical and cyber security staffs), run on a Next Level Security Systems appliance. They help the county parse the data coming in from those cameras.
Orange County recently installed a $40 million radio system, and some of the radios are in very remote parts of the county. Analytics help it know if a deer has tripped the camera, someone climbing a fence, or someone trying to siphon power from the towers.
The county has also adopted TextGuard, to comply with Florida's sunshine laws, allowing it to capture track texts sent by public officials and employees. That tool also allows it to analyze whether they are texting passwords or other sensitive information.
"I can't imagine doing my job without analytics," Miller says.
Miller isn't alone.
"Big data is changing the CISO's job," says Jon Oltsik, a security analyst at Enterprise Strategy Group. Oltsik notes that "big data is a marketing term. It means you have more data you have to analyze than you know how to analyze, and that's true in big companies today for security." There's a lot more security data out there. A recent ESG report, The Emerging Intersection Between Big Data and Security Analytics, found that 86 percent of respondents said they were collecting more security data than they had in 2010. Some 44 percent said they had enough security data to be considered Big Data today, while another 44 percent said that would be true within two years.
That report was based on a survey of 257 security-oriented IT people at companies with 1,000 or more employees.
Ken Pfeil, CSO at a large mutual fund in Boston, says one of the impacts is, "you're still dealing with false positives, but now you're ignoring more, because you're getting a lot more, but they're not necessarily more useful."
In fact, 35 percent of CISOs say they are getting more false positives, according to the ESG survey.
Oltsik says traditional tools available to CSOs to analyze their data won't be effective for big data analytics. Now, new ones are becoming available, ranging from Hadoop-based analysis programs to proprietary tools to beefed up components in familiar security products.
These tools are making it possible to do trend analysis over months worth of data.
That kind of historical analysis is opening a new front in analytics for CSOs, says John Pescatore, director of emerging security trends at SANS Institute. Pescatore says CISOs have long used security information and event management (SIEM) tools to collect data. It's been good for creating reports, but weak for looking backwards in time and doing something predictive.
"You want to be able to say, 'conditions have just changed and we better take action or we are likely to be penetrated," Pescatore says.
Pfeil says there are more subtle concerns. He says it is also important to find tools that can find anomalies in traffic that looks benign. "I think most companies are compromised and they don't know it," Pfeil says. So traffic that goes to a legitimate company's compromised Web site could then be redirected to an illegitimate source, what Pfeil called a watering hole attack. Normal analytics tools can't find that, so he's started using Bromium, which lets him do attack visualization analysis.
It takes unique skills to do analytics well. Data scientists, business subject specialists and programmers may need to work together to create effective analytics. That means most analytics work gets done at what Oltsik calls the tip of the enterprise pyramid, "the biggest of the big companies." Even there, it can be hard to get budget for preventive applications, says Pfeil.
Pescatore says one tack for CISOs is to find security vendors with large, active online communities. That can give free, practical advice on how to work through the complicated process of analytics. Pescatore had positive things to say about companies and products like Tenable, Splunk. EiQ Networks and IBM's Q1 Labs' QRadar.
Third parties are popular when it comes to security analytics. In the ESG survey, 55 percent of companies said they rely heavily or somewhat heavily on third parties to help with their analytics.
Security vendors in general are trying to beef up their analytics. Trustwave, which does PCI compliance, in June launched SIEM Enterprise in response to the increasing kinds of data coming from mobile platforms and other new devices. Steve Kelley, Trustwave's vice president of marketing and product management, said Trustwave thinks it's become important for it to offer its own analytics, rather than expecting its customers to run analytics in general business intelligence tools.
Oltsik says analytics is complicated, but CISOs can take some small steps to get into it.
He recommends first looking at the data they already collect, what they're already doing analytics on, and then make a list of what they think they should be doing analytics on.
Then, to get a first step towards the new style of analytics, start working with an open source tool called PacketPig.
It can also be effective to work with business units to identify risks and share the costs of doing analytics, says Pfeil. Just don't expect that analytics will be simple, he warns.
"Everyone's looking for the one magic dashboard," says Pfeil. "You won't find it."