Big goals for Big Data
Many organizations are still in the dark when it comes to using big data to improve security. But for Zions Bancorporation, it's old hat.
By Bill Brenner, Managing Editor
January 28, 2013 — CSO —
A year ago—perhaps a bit more—big data was just starting to take its place among the industry's most-used buzz terms. Today everyone talks about it as a potentially powerful piece of enterprise security. But there are still plenty of practitioners struggling to get the concept, much as they struggled to figure out cloud security a few years ago.
But Preston Wood, Zions Bancorporation's CISO and executive VP of security, finds it puzzling that so many find big data such a struggle.
He's been using big data, by one name or another, to bolster his security program for decades. In recent years, Wood and his team have embarked on major overhauls to their program to better process data that moves more freely and quickly in and out of the network. By adopting such tools as Hadoop, they've greatly increased the amount of data they can analyze at one time. And they've figured out how to do it in something close to real time, cutting it down from the full-day task of the past.
This is the story of how Zions pulled it off.
What's Old Is New
Though the term "big data" is new, Zions has been applying the concept since the 1990s, when it began using its immense supply of information (its security tools and devices alone produce about 3 terabytes of data per week) to make sense of its security posture. "We had a big data strategy before it was called big data," Wood says.
The company certainly has plenty of data to draw from. It has eight banking operations and 500 physical locations throughout the western United States. It was an early adopter of security information and event management (SIEM) technology, using it to better analyze its data flow.
When it comes to big data, experts tend to focus on how it can be used to boost revenue; to a lesser extent, they may note and assess the security risks of big warehouses of (potentially) valuable business intelligence and analytics. But Zions did something different: It decided to make the big data approach a central piece of its security, rather than looking at the information as just another potential hole in its defenses.
The company's massive data stores are used to make better sense of the activity on its network. If someone on the inside or outside is poking around, trying to break into the company's systems, the clues are there, waiting to be sifted from the larger data supply.
Enter SIEM
To better analyze the data and put it to work in the security department, Wood and company became early adopters of SIEM technology. Among other things, SIEM allowed the security department to:
- aggregate data from multiple sources, including network, security, servers, databases and applications. That provided the ability to consolidate monitored data and avoid missing critical events.
- break events into smaller buckets that can be studied for similarities, which may point to attack activity.
- produce alerts the moment abnormal activity appears.
But by 2008, Zions hit a wall with SIEM. The data supply had become too big and complex to handle. It was now taking months and even years to piece together an actionable picture. The sheer force of data accumulation and the frequency of analysis of events had simply overwhelmed SIEM.
"It's not that SIEM was obsolete and needed to be replaced with something else," Wood says. "It's that we needed something to augment SIEM. It was great for telling the data what to do, but it couldn't tell us what to do."