Big data analytics is a definite must-have for enterprise corporations that want to protect their resources from today’s more complex attacks, according to a security solutions manager at Cisco Systems Inc.
As attackers continue to up their game and employ more sophisticated methods, companies need to “make big data part of their technical security strategy,” Pablo Salazar, manager of Cisco’s (NASDAQ: CSCO) security posture assessment team, wrote in a recent blog.
He cited a recent report from the Breach Level Index, a centralized global database of data breaches, which indicates that from July to September this year, an average of 23 data records were lost or stolen every second. That’s close to two million records every day.
“Given this stark reality, we can no longer rely on traditional means of threat detection,” wrote Salazar. “Technically advanced attackers often leave behind clue-based evidence of their activities, but uncovering them usually involves filtering through mountains of logs and telemetry. The application of big data analytics to this problem has become a necessity.”
To address this situation, Cisco has made available an open source security analytics framework called OpenSOC.
The OpenSOC framework helps organizations fold big data into their security strategy by providing a “platform for the application of anomaly detection and incident forensics to the data loss problem,” according to Salazar.
OpenSOC integrates elements of the Hadoop ecosystem such as Storm, Kafka and Elasticsearch, he said. It serves as a scalable platform for adding capabilities such as full-packet capture indexing, storage, data enrichment, stream processing, batch processing, real-time search and telemetry aggregation, so that security analysts can detect and respond to advanced threats faster.
Salazar said that during a breach, security analysts need to take the following steps:
- Review reports from a security incident and event manager (SIEM) and run batch queries on other telemetry sources for additional context
- Research external threat intelligence sources to uncover proactive warnings of potential attacks
- Consult a network forensics tool with full packet capture and historical records in order to establish context
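The three triage steps above, modelled as one enrichment pass over an alert. This is an added illustration, not code from the article or from OpenSOC; the SIEM alert, flow telemetry, threat-intel feed and packet-capture index are all constructed inline, and their field names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for a SIEM alert, flow telemetry,
# an external threat-intel feed and a full-packet-capture index.
SIEM_ALERT = {"id": "alert-1", "src": "10.0.5.23", "dst": "198.51.100.7", "rule": "beaconing"}
FLOW_TELEMETRY = [
    {"ts": 1, "src": "10.0.5.23", "dst": "198.51.100.7", "dport": 443, "bytes": 900},
    {"ts": 2, "src": "10.0.5.23", "dst": "198.51.100.7", "dport": 443, "bytes": 880},
    {"ts": 3, "src": "10.0.5.23", "dst": "203.0.113.9", "dport": 22, "bytes": 120},
    {"ts": 4, "src": "10.0.9.1", "dst": "198.51.100.7", "dport": 443, "bytes": 10},
]
THREAT_INTEL = {"198.51.100.0/24": "constructed: range listed as command-and-control"}
PCAP_INDEX = {("10.0.5.23", "198.51.100.7"): ["cap-0001.pcap"]}  # (src, dst) -> captures


def enrich_alert(alert, flows, intel, pcap_index):
    """Attach context from telemetry, threat intel and packet capture to one alert."""
    src, dst = alert["src"], alert["dst"]

    # Step 1: batch query of telemetry for everything touching the alerted pair,
    # including other internal hosts that spoke to the same destination.
    related = [f for f in flows if f["src"] == src or f["dst"] == dst]
    bytes_out = sum(f["bytes"] for f in flows if f["src"] == src and f["dst"] == dst)
    other_sources = sorted({f["src"] for f in flows if f["dst"] == dst and f["src"] != src})

    # Step 2: check every external peer of the source against the intel feed.
    peers = {f["dst"] for f in flows if f["src"] == src}
    intel_hits = {p: desc for net, desc in intel.items()
                  for p in peers if ip_address(p) in ip_network(net)}

    # Step 3: locate full-packet captures for the conversation so the analyst
    # can pivot straight to the raw traffic instead of searching by hand.
    captures = pcap_index.get((src, dst), [])

    return {**alert, "related_flows": len(related), "bytes_out": bytes_out,
            "other_sources": other_sources, "intel_hits": intel_hits,
            "captures": captures}


if __name__ == "__main__":
    print(enrich_alert(SIEM_ALERT, FLOW_TELEMETRY, THREAT_INTEL, PCAP_INDEX))
```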
Using traditional techniques, searching and analyzing this data can take anywhere from a few minutes to several hours. The longer it takes, the greater the potential for damage.
OpenSOC was designed as a single tool that will help analysts sift through the unstructured data in a focused manner without wasting precious time, according to Salazar.