In the enterprise security world, data security has traditionally been viewed as an underdog.
However, given the increasing number and sophistication of data breaches, explosion of sensitive data being exchanged across complex IT environments, data security is more important than ever when it comes to protecting an enterprises crown jewel.
You have a ton of data, a ton of sensors and a ton of security applications. Now how do you keep track of it all, and spot correlated threats asks ESET Southern Africa.
As data have exploded in size, complexity and importance, so have the accompanying company budgets required to keep it all secure – in a desperate attempt not to make headlines by being the next hack victim. And the type of data to be analysed now spans the endpoint, network, and servers, all the way to perimeter defense.
It used to be enough to protect endpoints and have a firewall. With today’s threats, there is a need to rapidly triage and escalate serious events to avoid the headline that says you’ve been hacked for six months and didn’t know it – an all-too-common occurrence.
But these pools of data are very different in nature and in structure. Network defenders, for example, try to monitor and detect threats as they attempt to pass by on the wire (or wireless), and attempt to find the proverbial needle in a haystack, which in and of itself is difficult and data-intensive. In a busy environment, a network packet capture might be terabytes in size every couple of hours. So, triaging and dumping excess data, all in real time, is daunting.
The second pool of data is fed by the endpoints distributed across the network, which again have different structure and nature, and represents an entirely different (but related) threat vector.
Then, of course, it is useful to know what the availability of network and host resources is to determine if a threat has compromised a segment of the enterprise. This availability sensing takes on a different structure and nature than the other data pools, because the system health of the enterprise itself can cause false triggers that suggest or imitate a breach of some sort.
The answer seems to be to aggregate everything, from logs to network data to whatever other indicators you can find. But after you aggregate everything, there is a Herculean task to turn giant piles of data into intelligence.
Big data has part of the answer – deploying clusters of machines that can scale and ingest the data. But searching unstructured data and turning them into usable information is another layer to the equation, aided by devices that can normalize and de-clutter extraneous piles of pseudo-nonsense and present it as more useful, pruned intel.
The dnext layer is the reporting layer, whereby the pruned data are presented in a human-digestible format that IT staff can do something with. All this at the rapidly escalating pace that represents steep data growth in your organisation.
In the end, the success of enterprise threat management will be determined by the speed, scalability, interoperability, and visibility that can be brought to bear on modern threats.