English: A candidate icon for Portal:Computer security (Photo credit: Wikipedia)
Advanced Behavioral Analysis and Correlation can deliver risk-based, prioritized, actionable insight to handle Advanced Persistent Threats
Using big data analytics for network security requires monitoring and analyzing massive amounts of data to discover hard-to-detect, suspicious network activity to deter increasingly complex Advanced Persistent Threats (APTs). These APTs are carried out patiently over time by professional cyber-thieves who maneuver around traditional defenses, such as firewalls, intrusion prevention and anti-virus software, to steal valuable or sensitive data.
However, using big data – the mountain of info on the order of petabytes typically captured from computer network log files, flow data, and IP traffic – is only a means to an end. The goal is to turn that mass of information into risk-based, prioritized, actionable insight that can be used to improve network security now and into the future. This includes meeting the challenges of new and evolving intrusion techniques.
Unfortunately, most network security options currently on the market do not have the ability to turn big data into meaningful data. The deterrents run the gamut from the inability to process the mass of raw data required, to determining what is a risk and what is not (including the limitations of signature-based detection systems), to the need for advanced behavioral analysis and correlation to detect, handle, and learn from suspicious activity over time, to prioritizing and presenting the information in a meaningful manner for IT security personnel at the organization.
“Most companies breached by APTs actually had the telltale security data available, but didn’t see the problem until it was too late,” says Scott Paly, co-founder and CEO of Global DataGuard, a Dallas, Tex.-based provider of Unified Enterprise Security (UES) solutions for small, midsize, and enterprise organizations. “The ‘big data’ problem actually is an old problem with a new name. There has always been a problem with finding the needle of ‘bad’ data in a haystack of ‘good’ data quickly enough. The challenge is that the ‘haystack’ keeps getting bigger, with millions of legitimate logs, server replies, and network transactions per day in many large organizations.”
Many network security systems today are not equal to the challenge for another reason: they cannot trigger a response or security alert if they do not know what they are looking for.
“While anti-virus and intrusion detection vendors rely on global networks to monitor threats and provide downloadable updates based on virus and malware definitions or ‘signatures’, there are always variants,” explains Paly. “Depending on the vendor, there are about 30,000 to 60,000 signatures available, but the typical intrusion sensor only has about 1,000 signatures loaded. And once a signature is written, if the virus or malware changes or new ones are created, the security software may not recognize them. There’s a need for protection beyond the known.”
Though the threat to networks from viruses and malware is significant, the danger from long-term “under-the-radar” type threats such as APTs can be greater.
“Big data analytics will be needed to detect successful advanced targeted attacks,” stated Gartner analyst Neil MacDonald, in a recent report titled, Information Security is Becoming a Big Data Analytics Problem. “ATAs are designed to bypass traditional prevention and blocking controls, such as anti-malware scanning systems and intrusion prevention systems (IPSs), and once established, will attempt to acquire credentialed access, making them extremely difficult to detect.”
“Successfully detecting a successful ATA with minimal false positives will require the linking and analyzing of large amounts of data to detect meaningful anomalous behavior,” stated MacDonald. “Increasingly sophisticated models of both ‘good’ and ‘bad’ are needed. Simply stated, better results from models require more relevant data, including additional context-related data.”
A recent development in enterprise security called advanced behavioral analysis and correlation has the ability to deliver the risk-based, prioritized, actionable insight needed to detect and handle APTs as well as other threats to the network when used with signature-based protection. But advanced behavior analysis and correlation is NOT the same as simple behavioral analysis, which has disappointed many in the network security industry.
“Simple behavioral analysis such as mere packet counting, or tallying failed log-in attempts does not solve the big data dilemma because it’s easy to detect and the bad guys develop their approach so it doesn’t trigger those detection mechanisms. The ‘bad’ data buried in a mountain of ‘good’ data is not easily detected and requires a different approach,” explains Paly. “Since network traffic is not consistent, there’s a need for a longer term context of what’s legitimate, to better determine what’s not legitimate.
“Advanced behavioral analysis is not dependent on knowing a particular signature ahead of time because it’s impossible to know everything that can go wrong and write a rule or signature for it beforehand,” adds Paly. “Instead, it analyzes huge amounts of data over long periods to predict and handle escalating threats before they become a problem.”
For instance, Global DataGuard’s advanced behavioral analysis, provided as the Behavioral Correlation Module (BCM) within its UES suite, is continuously performed over periods as long as six months or more. It learns a multitude of behaviors within networks or information systems and generates alerts when abnormal or suspicious traffic occurs. It intelligently forms correlations between disparate sources to find emergent behavior indicative of an APT or other suspicious changes to network traffic. Over time, behaviors are predictive, and it attempts to predict outcomes, becoming proactive instead of just reactive.
“Our base analysis uses raw network traffic data, which offers much more information than a log or signature-based alert,” says Paly. “Then we input log alerts, intrusion detection alerts, vulnerability scan results, policy violations, and correlate these with the raw network data analysis.”
According to Paly, the company’s patent-pending high speed packet object database system has processed up to 900 billion Mb of data a day on a large network in a continuous process that uses previous analysis to analyze the current data. The resultant alerts are prioritized by hostility, using over 1200 algorithms to analyze and filter the data. On a typical large network, the UES system can distill 60 billion packets on the network down to 600 actionable alerts.
“To reduce the false positives that could otherwise overwhelm IT resources, it’s important to analyze the data continuously on a changing profile of normal traffic, to compare what you see now with what you’ve seen and analyzed historically,” explains Paly.
One key to making advanced behavioral analysis and correlation maximally effective is to use it with an architecture-based security system that is built from the start to share data and analysis, and is not just a collection of separate products. The UES system, for instance, collects environmental context-aware raw packet data from inbound, outbound and intra-network packet traffic. Through a unified data format, it imports and analyzes scans, log alerts, IDS alerts, and policy violations to create more context for the alerts. Signature alerts are automatically correlated with scans on the console, and signatures loaded on the IDS are automatically correlated with vulnerabilities.
“In the sheer volume of big data, it’s easier to connect the dots, to see APT patterns emerging, when advanced behavioral analysis and correlation is used with an architecture-based security system,” says Paly.
While advanced behavioral analysis and correlation can help IT staff identify the illegitimate network traffic in petabytes of legitimate traffic, to preventively reduce vulnerabilities and improve the network’s security posture, it is also helpful to consider a security dashboard that can distill threats in a holistic, and often visual, manner.
“A security dashboard is designed to lower a network’s overall threat profile by constantly displaying the top potential threats,” says Paly. “It can typically correlate network traffic, logs, global attacks, vulnerabilities and assets, all prioritized by hostility to the network.”
For more info, call 972-980-1444; visit www.globaldataguard.com; follow on Twitter at Twitter@GlobalDataGuard; or write to Global DataGuard at 3939 Beltline Road, Suite 400, Addison, TX 75001.
Nov 08 2012