Business intelligence is also security intelligence: RSA

If system logs weren't originally created for security, why isn't business data also being used? And can we automate defensive decisions where we can create self-defending networks?
Written by Michael Lee, Contributor on

Businesses are sitting on a wealth of analytical data that is being wasted, when it could be used to provide advance warnings of online attacks, according to RSA vice president and chief information security officer Eddie Schwartz.

Speaking to ZDNet, Schwartz said that while logs, monitoring, firewalls, and other perimeter defences may appear to provide a business with a wealth of information, most are being used after they have failed, and attackers have attained access to their networks.

"Today, most organisations are not analysing business data. They're taking security logs from Windows servers and from firewalls and network devices, [but] what does that tell me about whether a transaction on an SAP system is valid or not [or] whether an electronic commerce transaction is valid or not?" Schwartz questioned.

Schwartz argued that logs from servers and network devices tend to be for purely technical reasons, and that eventually, around 20 years ago, many administrators realised that they had a form of security relevance. However, he questioned why businesses restrict what they consider to be relevant security information simply to these logs and the various security information and event management systems in use today.

"We're looking at a very, very narrow set of information from security logs, and that's not business data," he said.

He called for a wider use of data that isn't necessarily security focused. In fact, he said that the type of information doesn't even have to necessarily be identifiable.

"Let's start integrating full-packet information, which contains the full content and context of different types of activities, whether it's web traffic [or] email. We don't necessarily have to know what it is, but it just exists out there, and it's part of the network traffic that we have."

The point of collecting the information is to build up a profile of what is considered "normal" for the business, allowing it to immediately identify any changes that might stand out during an attack, or pending attack.

"Statistically, or numerically, or mathematically, that profile is a unique fingerprint unique to the organisation, unique to a set of business processes, unique to even a group of users.

"When we have those deviations, it'll call attention to itself and say, 'Listen! This is different than normal behaviour,' and those differences, when we combine them with things that we know, like indicators of compromise, like other types of potentially known bad behaviour, or other things we know about our enterprise, it can yield fantastic results."

Getting to the stage of using more business data needn't be a massive project, either, Schwartz said. The more likely scenario would be for business systems to gradually transition their data into a big data-style information system, and he believes that businesses would do well to invest in a strategy to do it in stages. This would mean helping the business understand why a transition would be needed, and carefully considering what information might best be captured first.

Schwartz said that he doesn't think anyone could judge what the perfect model is. He imagined that many businesses may choose to use more managed security services if they walk down this path, or some combination of doing it in-house and with other service providers.

"Other organisations are very much into a hybrid model where they allow the service providers to do certain work, but then there's other work that they feel is their responsibility because either the sensitivity level or because they feel that only they could understand their business well enough to, let's say, follow up on a Tier 3 incident."

While big data could be used to alert system administrators of potential breaches, or breaches in progress, the next logical step would be to automate such systems to help create self-defending networks. However, Schwartz thinks this dream is far over the horizon.

"For a technology to be able to [take] some course of action that would stop bad things from happening ... will require an intimacy with that fingerprint, with that unique identity of the business, that is very tough to achieve and is very complex to achieve," he said. He highlighted that this would most likely need to be done by self-learning computers once threats accelerate to a certain point.

"I'm not saying that it's impossible to do. I'm saying that we're a ways away from it because [of] the amount of data that we need to get there and the processing power to achieve that type of activity in real time, especially with networks moving closer to light speed."

Even if the day does come where a business could use all of its information at full potential to automatically stop attackers, Schwartz said he hopes that the information security professional would still be there.

"There are certainly critical services and critical things that have technology associated with them, where I would want to hope that there's a human involved in it to either pull the plug or put the plug back in the wall."

Editorial standards