Webinar Recording
Big Data - The Holy Grail for Information Security?
KuppingerCole Webinar recording
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, big data, the holy trail for information security. My name is Martin Kuppinger I'm founder and principal Analyst at KuppingerCole. And I will do the presentation today. A topic of today's webinar is about a question of what can big data do for improving information security. And I think this is an interesting question because we see a lot of interesting evolutions and just recently, so early this week, I've published the could cold predictions and recommendations for 2014. And the topic I will talk about here is also one of the predictions we have in that report. The report, by the way, on our predictions is available for downloaded our website and it's free of charge. So I think it's worse to have a look at this before we start with the webinar, some general information about keeping a call and some housekeeping information.
So keeping a call is an Analyst company we're providing enterprise it research advisory services, decision support, and networking for it. Professionals. We do that by our research services, where we provide reports and things like our leadership compass documents, where we compare vendors on various market segments, cetera, we do it through our advisory services, where we support organizations and defining roadmaps strategies in doing maturity assessments, et cetera. And we do it through our events. We provided services on a global scale. So we have people in the us and Europe and in the Asia Pacific region regarding the events are mainly went, but it's not the only one that will be also went in Singapore and Moscow and long or mainly when is the European identity and cloud conference, which will be held next time, May 13th to 16th in Munich it's conference in Europe, on these topics around all leadership and best practice and cloud and RC and still conference, you should not miss.
So plan for attending ESC 2014. The master currently went in this area over here in Europe regarding the webinar. Some guidelines you are muted centrally, so you don't have to mute or on mute to yourself. We are controlling these features. We will record the webinar and the podcast recording will be available tomorrow latest. And the Q a session will be at the end. So you can end the questions anytime using the questions feature and go to webinar control panel. But usually I pick the questions by the end of the webinar for this webinar, we also offer a CPE point, CPE, continuing education credits, and this event quality for files for one group internet based CPE. You will need to take a and pass test in case you want to earn that point. Following the webinar. Now, once your, when your attendance has been confirmed, you will be sent on email, containing a link to the test.
So if you want to participate in the CPE stuff, then you have to pass the tests. I think it's only three questions. So that's a simple thing to do. Learning objectives for this are, understand the need for realtime securities, understand what differs between realtime security, analytics and Siemens and some other things. So you have it here. I will go through the agenda, the questions, more detail of them. I think something will become more clear. So retime security analytics, maybe as a term does the term we use for this big data used and information security for this new types of applications are key topic today. The agenda for today's webinar is quite simple. And the first time, first part I will do my presentation that big data really help in information security. And the second part will be the Q and a session where I can answer your questions.
So to start with the, this entire story, my use my, my standard slide, and some of you might have seen it before, which is computing, correct slides. So the new scope of information security, traditionally, we have been focused very much on premise environments, where we thought about our internal deployments, our internal users, and some desktop systems and maybe notebooks things have changed. And, and we have more types of devices, more types of users, other deployment models, which also means our information security scope is changing. Things are becoming increasingly complex because we not only have to look at our internal environment. We have more uses higher complexities socialing cetera. And in this context also clearly the, the types of attacks are changing. So we see other types of attacks happening right now. We have still the internal attackers, but the external spread is becoming more and more severe.
And we have to look at this as well. I think we have to balance both areas. So clearly the internal attacks will it remain, but there are additional external effects on the external attackers are increasingly professional cetera. And one of the challenges within this is for instance, that we see a growing number of zero day, day attacks. And in fact, many of them are in fact sort of include as minus they attacks. So which, which start well before they become public before they become known known. And so it's not about saying, okay, I do a little bit of patching. First of all, I can't patch everything ly think about mobile devices. Think about
All the external users, which access some of your applications with their devices. You don't have under control. The other thing is clearly that in this context, we see new types of challenges, more professional, less types of attacks, automated attacks, et cetera. And that's where we have to, to deal with this is where, where big data comes into play. And what we are talking about today mainly is sort of this evolution. So, so in the past we had our lock files, we looked at them or not, or many cases we didn't then seeing security information. And the event management appear in the market as a new category of products, which can collect events, which can collect logs, which can analyze them, which can react on them. And what we see is that a lot of organizations had a RA or rather unsuccessful history and seeing, because yes, there's a tool potentially you can analyze a lot of things, but in practice, you don't end up with what you really wanted to achieve.
So the future we see here is that we need that analytics. We need capability to understand what is happening in our network. Not only from a forensic perspective, not only from an expo analytics where we go through it afterwards, but in real time to understand, oh, there are uncommon behaviors. There seem to be attacks. There are things we consider critical. And that's where that is where this new group of products, what we, we call realtime security intelligence come into place. So these realtime security intelligence intelligence products in fact are, are a new group of products, which are based, which are based on big data technology, which are based on pattern, matching pattern analytics technology, which go well beyond what we have seen before and see. So those from the number of data, we can deal with the amount of data we can deal with and from the analytical capabilities and analytical patterns.
But not only for that, I will talk about this more in detail. There are other things which come in and this is really what, what we see as the, the evolution. This goes well beyond seeing, as we see a lot of the vendors from traditional steam entering this market, but it's clearly something which is more than cm has been on. This is where we see a potential for better addressing challenges of information security. It's still a long way to go. It's still a complex journey, but clearly there are some trends on the evolutions in which help customers moving forward. So the topics for today, and these are the questions you also have found in the webinar abstract at our website. So having huge amounts of security data all in one place, how can you make sure that you really gain more visibility? The second one is who's the person who are, or who are the persons who actually write queries and take into the big data, where do you find those skills?
So it's about, about this real time. It's about this human aspect and we have the situation, many big data tools in the market are freshly baked themselves and secure, unstable heart implement. So how do I find the tool that fits my needs and what are the implementation challenges and costs. So is there really a solution out there, or is it just something which is good step away on the horizon, how to ensure that you really find a needle in the haystack? So analytics is one thing, but ending up with good results is a different one. And how do you ensure that you do that end up with too many false negatives or false positives? So there some questions, I, I will talk about some, some things where I try to provide some answers from what we see in the market, in this very, very new and very merging field, which is not, I would say, not mature, not stable yet, but where we see a clear tendency towards a new curve of solutions, which have a better potential of serving customer needs.
So I started this picture. I, I used as a, and this year's ES keynote opening keynote, where, where I talked about some upcoming trends, I call it for big data to smart information. And the point I want to make here is that big data for itself. So just collecting data and processing it, not necessarily, and up in smart information, in the sense of we really end up what we need. It, it's more about understanding where we have, let's say the bigger, perhaps the bigger and smaller data we bring together and about enriching it with additional information. So it's really about a combination of, of things adding context and other things. And if you transform this transport just to, from big data to smart security, then it means if we just collect masses of locks on events that might not be sufficient. What we really need is understanding what are our locks?
What are our events? What are other information such as information brought into this as security intelligence services? So we have a drawing number of companies which provide realtime information or near time information, current information about new threats, newly identified types of addict, etcetera, the patterns of these attack. And, and so on. These are things we need to bring in to understand, okay, this is data. And if we look at it, doesn't match new pattern, et cetera. And on the other hand, we have the context information. So some things might be critical if you look at it from the perspective of this is an external user trying to do this, or this is a user in a, in an organizational unit, which shouldn't deal with that type of systems that shouldn't access these servers or whatever, but we need to understand the context. So who is it?
And this is process, are we operating etcetera and bringing together, this helps us to move closer to a number of relevants. So when on thinking about how to end up as well than action of results, one thing is we clearly need to understand that we not only can rely on our lock, the event data. It's more that we need. We need context information. So the identity business process, cetera identity is more than an IP address. Really identity is really understanding who is it, which role does it have cetera, all that stuff we have from identity access management world. Well, beyond what we frequently look at, we need to so many of the solutions just say, okay, this is an IP address, good IP address, bad IP address. That's not what we are asking for. We, we need to bring in the external security intelligence services to provide us with up to date information on what is really happening.
We need to understand new types of analytics. And this is a, this is a difficult and complex field. I'm, I'm, I'm almost on that. I have a long history in, in, in the pattern matching fast search and pattern matching technology. So I'm looking at this for a pretty long time right now, and this is not easy, but there are some interesting opportunities. And if done right, done, right thing is clearly the big challenge here. So we need to understand correlations, how can we match patterns? How can we identify patterns? Which technology allows us to identify, for instance, uncommon patterns, fast search etcetera. So clearly there's one focus will be known patterns for ATX. So which, which are common patterns for ATX. On the other hand, we also have to focus on uncommon behavior and uncommon patterns. So if a server, we are using a, starting to send information to an IP or to IP addresses we've never seen before.
And these IP addresses are in a location, which is, let's say less trust, trust versus, and trustable than others might be. And maybe it even changes every few days. And this is one of the attack parents we have seen in various of the, the, the, the, the recent attack. So when you look at what happened that some of the, the morever things than this was the over time, and some call advanced persistence threat attack type of sin or scenario, we ended up with a situation where data was sent out or trans transmitted to various servers, and they changed the servers from time to time. So these are things we, we, we, we need to understand bringing together various things. So, so beyond the lock, so it's, it's on one hand, it's the way, how do we analyze the data? Which information do we bring in enriching the information, and then understanding what is happening and what is uncommon, which what is untypical.
This is what in combination really helps us to get better in this clearly big data technology helps us to deal better with this, the large amounts of data we are facing here. I, I don't say, and this is a clear point. I don't say that we are today can go out and say, Hey, this is the tool. We need to understand a lot of things. And I will come back to this point later. I think we need a new type of service providers and services in the area because defining the right correlations, understanding the patterns, updating these things, updating it in the context of new types of scenarios, all these things are definitely rather complex. Okay, let's move forward. So the first thing is, I think there are options to gain more visibility, but what do we need from our people side? And at the end of the day, it's about people.
And I think we, in general, we can't speak about generalists and, and the specialists and security frequently is, is very much about high, highly specialized people that understand a particular area of this. And the challenge we are facing here is that this is not about a single area we have to focus on. So if you look at the more advanced type of threats, they might start with a social fishing. They might be around accessing and, and accessing certificates, public by private key stuff, etcetera, entering servers, sending back the sending back data, etcetera. So there might be a lot of different systems and might be involved, and this makes far more complex. So we need people here which understand the bigger picture of security and all, how all these things relate. And what also, let's say context, information about business processes. Cetera means understanding the correlation of who wants and the patterns of attacks beyond a single system.
This is what, what we need here. Nevertheless, and that's the big challenge clearly is that these people need to understand a lot about security. So they need to be sufficiently specialized, but they need to do it for a lot of systems. So it's sort of the generalist who understands the big picture, but sufficiently deep to understand how things correlate, what are event really means cetera. And we clearly also need the specialists specialists, which can analyze remaining incidents, understanding what these might indicate, and they might remain specialists as long as specific systems are concern, but clearly we also need other types of users for the complex scenarios of today. It's a challenge and it's a challenge we canceled easily. And, and when I read that, that how many people are sold on this area. So how many open troughs we, or tr postings we have and that's based on, this is a, a massive challenge.
And so it will be hard because it takes a long time until, until we, we move forward with, or until we have to derive people on hand it's, it's not that you can go out and say, okay, six weeks of a training or four weeks of a training, let's say such as for an whatever server administrator trial, it's not a few weeks of training. And then you have one, this, this field is more complex. And I think one of the challenges we are also facing is that even in, even in the universities, cetera, when, when you, when you, when you study this, this, in this field, security, seldomly seldomly, a key topic within computer science, and this is a real challenge we are facing. So I think it's also part of a long-term journey, but really we can help this, but we will need a again point, which I will come back to later, we will need managed services in this space. We will need an additional solution here. So, so we're looking at a tools.
What does it mean here? And I think that's, that's, it's worse to have a look at big data security in that area. So when I look at what happens in big data right now, and probably some will say, oh, no, that's not true, but I think it's, it's pretty true as always, most of the things which came up in this market segment or in a use market segment, haven't been built with security in mind. So, so there's big data. And, and if I look at a lot of things in big data, I don't see that much of security here. So on the other hand, what we also see is that most database security winners and there's a market for database security are expanding their support, big data solutions. So things are, are proceeding here, however, they are in new challenges. And, and if I look at all this things which occur from combining data from various sources, then we are clearly facing a, a massive challenge in that space.
And this is also about risk, about understanding risk cetera. And currently we see a situation where a lot of organizations are starting to do big data, and they don't think about risk. They don't think about security. So we see massive gaps here, which was a challenge we have to keep in mind, or we have to, to look at when, when looking for tools, clearly one of the, the things we have to challenge when this was, so the question is what about the right tools? And for some reasons, that's a little bit animated. Didn't think that I put in an animation here, but okay, let's go for that. So how to find the right tools and what, what we really need to do is to bring in, to bring together a lot of things. So we have the realtime security intelligence. We have cm tools in many organizations, which provide input to what we are doing here.
We have to security and intelligence services, which provide online information such as about new types of zero data attacks. This information has to end up in our GRC environment. So indicate, oh, there are new risks. We have passed the threshold. There is something new happening. We are raising an alert, cetera. We have to bring in more information. We have to support the security operation centers. And we have to look at the area of what we call S St C the software defined computing infrastructure, which is more than SDN. SDN is a pretty common term. These days, software defined networks, but SDN only covers the portion of it. So it's not only about networks, it's about the entire infrastructure. So the systems, the storage, cetera. So let's talk about St. C I here. And as I've said, we have information from various areas. So cm log logs and advance contact information, which flow into this, the online information from security intelligence services.
And then we need to support various things. And when we look at the, the market today and the vendor categories, so we see some vendors which are entering the market more from the side of the security intelligence services, we see the same vendors. However, I'm not sure that every sea vendor will be able to successfully make that shift to the more complex area of realtime security intelligence, but some of the big ones clearly are on their way. So there are winners, and we are currently talking with many of these vendors and their, about their strategies, etc. So where will they move? What about really making about making use not only of big data technology, but providing a new type of solutions, redefine analytics, redefined content, etcetera.
Clearly you should look at a few months already offering realtime security intelligence when such as RSA security, such as IBM, which are really a little bit ahead of many of the other vendors, clearly not the only ones, but some good examples. I think these two. So what are the features? I think it's good to have, to be able to integrate with existence if someone has, if not, they're not, but it's sort of a first filter of things. So you can rely on that. All sources of locks in the events, context information such said, anti business process, realtime information. Then it's about a strong analytics and delivering things to our RC, having a risk view on things, having our security operations center, where we have our, our 1, 2, 3 tiers of, of people working on the incidents that, that, that we have to handle manually. And I think one of the most interesting and most compelling use cases we have is the integration SD T C.
So imagine a world where newly identified challenges, newly identified threats automatically reconfigure your computing infrastructure to better protect you by reshaping your network flow flow, et cetera. I think this is a very interesting area. This is clearly not, not simple. This is complex because a lot of things come together, but there's an immense potential of becoming better information security in that area. It's not that you will go out in 2014 and go to when say, that's what I need because those, the realtime security intelligence and the S D C I area are new in emerging markets, but there's a massive potential. And there's a strong logic in, in doing this. So I'm convinced that we will see a strong evolution in that space.
Yeah. Then it's about a needle in the haystack problem. So just analyzing things and saying, okay, probably this isn't, that's not enough. We need to do it different. The real challenge really is the needle and the haystack. If you trust, rely on rules, that's too static, too complex. So we can end up with extremely big rules. That's, we're still don't find what we really need patterns. If you only rely on, on patterns, especially on Fu logic in that area, this might quickly become too Fu fused for themselves. If you used only that the only approach. So there's, there's a big potential in that. There are fantastic things you can do if you understand it. The problem is that a few people understand it. So it's hard to say, did they do the right thing or not? And so combining where is approaches on analytics probably is the best way.
But the main point from my perspective is it's about vendors providing services. So it's not about, it's not about having a situation where, where we get just get a tool by a tool and say, okay, this is it's about standard configurations, which are continuously updated to match common patterns to match the common scenarios and manage services for configuration and analysis support. So what I expect is from, from providers of security intelligence services, that they not only say, okay, this is a new theory attack, but they also provide an update for my analytics configuration within my realtime security intelligence tool. So this is what I really see here, and this is what we definitely need. And I, I think we not only need it because this is about speed. So we need to be fast. And so we need as a service, the configuration we don't need.
And just, I think a very important difference. It's not about sending all our data to a cloud service or a managed service provider and MSSP managed security service provider. It's about providing configuration into our, whatever we run environment, our data center, how this looks like, whether it's pure on premise or hybrid or whatever, this is a different question, but we will need this service. And this is also what will really help us to what really will help us to address the HR resource problem. So where to find the people by services. Some our topics are the last point is clearly we shouldn't end up with too many for, with false negatives and, and too many false positive. So this is where we look at. So we have this false negative, false, positive notion. So we, if we detect an attack and we haven't been attacked, and it's a false positive, if we have been attacked and we don't detect, we should, we have a false negative letter is more critical.
So we shouldn't have false negatives. We should. On the other hand, minimize the false positives. This is a, a difficult balance. We have to find it's a complex issue, and we need to move forward and automatically handling positives, which is again, if, if we are good in understanding patterns, if we are good in analytics, we can do more in that space. We, we need to end up with manual involvement. So sort of the management by exception, and again, this might be an area for services. So where we might do the first year internally and rely for the more complex things we can't handle can't handle on, on a service provider. So this is how we should think about this. Again, it's not a simple journey, but the new technology will help us to move forward. And clearly all this will be sort of a challenge for this magic triangle we are facing frequently, which is cost performance security.
So how to balance these different things. It's a, it's a big challenge. It's not easy to solve, but, and ideally the more security we want, then the lower potentially the secure performance, the higher the cost. And if we want to optimize security and performance, it goes fully into cost. If we want to reduce cost, then we have to pay the price on one of the other sites. So it's, it's a complex situation we need to understand. And on the other hand, it's always about sort of the risk reward ratio. So we need to understand what are our risks, which of them can I mitigate gate? Now, this is what should drive our thinking. So defining your strategy. I think the first thing is you should understand what is it, realtime security intelligence, what is behind? What is the, why do we need this sink beyond cm?
And think about standardized solutions, standardized configurations, think about solutions instead of tools, hunt for talent. You will need it anyway, regardless of what you do in information security, you will need talent. It's hard to find it evaluate the vendors. There will be a keeping, a call leadership compass on this new emerging market segment, probably mid 2014. We started with our analysis of the various vendors working on that. So we will look at this market segment, compare to vendors and provide our view on where they are. And we will update this document regularly or roughly every 18 months understand the big picture. So I understand that these things go beyond traditional network security beyond the traditional security team. So it's about just looking at the context. There are so far more things in the context, which we have to consider as such as business processes, identity, etcetera, cetera, which roles do the people have.
And so on and understand that it's not only about analytics, it's about control. So the, the, the sort of the bright future of this field really comes up when, when we are able to have automated actions based on things we identify, think about reconfiguring the way your infrastructure behaves in the case of a new attack. So the software defined computing infrastructure of the future, where you don't have to wait weeks until your firewall operator has changed the configuration. This is where we are heading. So this is my presentation on this emerging topic. I think that big data can help. It's not a simple journey. It's not a extremely rapid journey, but things are happening. We see a lot of evolution here. That's why, where I right now want to move over to the Q and a session. I have a long list of questions already here. So if you have additional questions, don't hesitate to enter them.
I will start right now answering the questions regarding the list of vendors. One of the, the attendants asked whether we can give a list of the vendors. We are currently evaluat reading. We are sort of in the brief lecture phase. So we, we currently sort of filtering out who really will be in this document. There will be various vendors. We can clearly at an let's a shorter period of time start supporting an advisory project around when selection. That would be the first step and the leadership combust will take a little another question. I think Finda interesting is how would you deal with big data analytics providers taking your data into, into the cloud? I think one of the challenges we have to look at is the mass of data. So can we handle it from the mass of data, transferring everything into the cloud? Good question.
I'm not a hundred percent sure. So the question is what of, this is really more on premise or, or a hybrid seeing and what really can be done to the cloud. On the other hand, there's an opportunity there because it's really about more managed services. And then we end up with the standard list of questions around what can we do with cloud service providers? So it's about location. It's about contracts, etcetera. We have a, a large advisory practice and a lot of content around cloud service, provider selection and cloud service provider assurance, looking at, for instance, the CSA and CCM controls rise to 20,007, one controls mapping it and making clear what are the areas you have to look at specifically when selecting a cloud provider where that your biggest risk. So what really to analyze this is also one of the things we provide in our advisory service.
Another question is generalists and specialists. Isn't this just a two tier it security support. I think it's more, I think that traditionally in, in, in the, clearly in the first year, it's maybe a little more specialized the second year. It's a little bit more generic or the other way around, however you define it a little, but I think it's, it's more, I think you need a new, new group of people who are very strong in security details, but overview the entire thing, because it's not only about looking at the remaining in this incidence, it's about doing the, doing it the other way around doing it in a way where you look at all. So where it's about configuration, how to handle this. And this is, I would say it's a, it's a, it's a little bit more than, than trust what you have today. Now it's more network security. It's far bigger field of various types of, of challenges, cetera. And then when you go that first and think about the IOT, the internet of things, or the I O E the internet of everything and everyone, then other things come in, if you think about SCADA security. So the cetera, this is, this is again, another very important area. So let's look at, at, at another question. Can you define real time? I think real time in this context means being fast enough to a avoid term.
This might be more than microseconds, but it's definitely less than hours or days. So it's really about being RA quick. And so I think over time it will become more and more really real term, but it's clearly more into micro instead of the days areas it's about quick reaction and being fast enough to avoid things. And today it means we know there's a data attack. And then some days later someone looks at the new certs, cetera, and then someone starts reconfiguring the firewall and some days are gone. Or if you look at a patching of hardware devices, some weeks, months, or years are gone. So it's, it's really about becoming more realtime. That's also where, where yes, stuff comes into play, because it allows you to be far quicker because you can reduce the, the relationship on, on hardware patches of network elements, etcetera, by neutralizing all this infrastructure and adding a security layer. So I think also a very important part of the story pattern matching. I mean, really the mathematical approaches of comparing different sort of use patterns mathematically and identifying what sort this is the same or not. So identifying really patterns of use. So this is what I, what I see here. So it's really the actual data flow, for example. And this is what I think really is about pedal matching.
So the final question I have here, so if you have first questions, don't hesitate to enter them now. But the final question I have on my list now is a question it's which around seam experiences. So what is not meant by seam? I see a lot of organizations which have a cm tool, but don't really end up with action results. So they have something which allow them to, to collect logs, but there's two little solution, two little standard configuration, and sometimes it's limited in the sort of the standard support for, for incoming information and so on. I think overall there's a, not that positive history of not a big number of really successful large scale scene deployments. Especially when we look at this complex field, we are looking at all the type of attacks, complex information, security stuff. With this new challenges, them seem, I would say is too slow to react and not good enough and deal dealing with this massive amount of data we are facing. So that's it from my side, if there are no first questions and it's up to me to wish you Merry Christmas and a happy new year, hope to see you again in some of the upcoming could bring cold webinars. Next year, there will be a lot and hope to see you at the European at conference 2014. Thank you for your time and try to upcoming break and have some nice and relaxing days by.
So keeping a call is an Analyst company we're providing enterprise it research advisory services, decision support, and networking for it. Professionals. We do that by our research services, where we provide reports and things like our leadership compass documents, where we compare vendors on various market segments, cetera, we do it through our advisory services, where we support organizations and defining roadmaps strategies in doing maturity assessments, et cetera. And we do it through our events. We provided services on a global scale. So we have people in the us and Europe and in the Asia Pacific region regarding the events are mainly went, but it's not the only one that will be also went in Singapore and Moscow and long or mainly when is the European identity and cloud conference, which will be held next time, May 13th to 16th in Munich it's conference in Europe, on these topics around all leadership and best practice and cloud and RC and still conference, you should not miss.
So plan for attending ESC 2014. The master currently went in this area over here in Europe regarding the webinar. Some guidelines you are muted centrally, so you don't have to mute or on mute to yourself. We are controlling these features. We will record the webinar and the podcast recording will be available tomorrow latest. And the Q a session will be at the end. So you can end the questions anytime using the questions feature and go to webinar control panel. But usually I pick the questions by the end of the webinar for this webinar, we also offer a CPE point, CPE, continuing education credits, and this event quality for files for one group internet based CPE. You will need to take a and pass test in case you want to earn that point. Following the webinar. Now, once your, when your attendance has been confirmed, you will be sent on email, containing a link to the test.
So if you want to participate in the CPE stuff, then you have to pass the tests. I think it's only three questions. So that's a simple thing to do. Learning objectives for this are, understand the need for realtime securities, understand what differs between realtime security, analytics and Siemens and some other things. So you have it here. I will go through the agenda, the questions, more detail of them. I think something will become more clear. So retime security analytics, maybe as a term does the term we use for this big data used and information security for this new types of applications are key topic today. The agenda for today's webinar is quite simple. And the first time, first part I will do my presentation that big data really help in information security. And the second part will be the Q and a session where I can answer your questions.
So to start with the, this entire story, my use my, my standard slide, and some of you might have seen it before, which is computing, correct slides. So the new scope of information security, traditionally, we have been focused very much on premise environments, where we thought about our internal deployments, our internal users, and some desktop systems and maybe notebooks things have changed. And, and we have more types of devices, more types of users, other deployment models, which also means our information security scope is changing. Things are becoming increasingly complex because we not only have to look at our internal environment. We have more uses higher complexities socialing cetera. And in this context also clearly the, the types of attacks are changing. So we see other types of attacks happening right now. We have still the internal attackers, but the external spread is becoming more and more severe.
And we have to look at this as well. I think we have to balance both areas. So clearly the internal attacks will it remain, but there are additional external effects on the external attackers are increasingly professional cetera. And one of the challenges within this is for instance, that we see a growing number of zero day, day attacks. And in fact, many of them are in fact sort of include as minus they attacks. So which, which start well before they become public before they become known known. And so it's not about saying, okay, I do a little bit of patching. First of all, I can't patch everything ly think about mobile devices. Think about
All the external users, which access some of your applications with their devices. You don't have under control. The other thing is clearly that in this context, we see new types of challenges, more professional, less types of attacks, automated attacks, et cetera. And that's where we have to, to deal with this is where, where big data comes into play. And what we are talking about today mainly is sort of this evolution. So, so in the past we had our lock files, we looked at them or not, or many cases we didn't then seeing security information. And the event management appear in the market as a new category of products, which can collect events, which can collect logs, which can analyze them, which can react on them. And what we see is that a lot of organizations had a RA or rather unsuccessful history and seeing, because yes, there's a tool potentially you can analyze a lot of things, but in practice, you don't end up with what you really wanted to achieve.
So the future we see here is that we need that analytics. We need capability to understand what is happening in our network. Not only from a forensic perspective, not only from an expo analytics where we go through it afterwards, but in real time to understand, oh, there are uncommon behaviors. There seem to be attacks. There are things we consider critical. And that's where that is where this new group of products, what we, we call realtime security intelligence come into place. So these realtime security intelligence intelligence products in fact are, are a new group of products, which are based, which are based on big data technology, which are based on pattern, matching pattern analytics technology, which go well beyond what we have seen before and see. So those from the number of data, we can deal with the amount of data we can deal with and from the analytical capabilities and analytical patterns.
But not only for that, I will talk about this more in detail. There are other things which come in and this is really what, what we see as the, the evolution. This goes well beyond seeing, as we see a lot of the vendors from traditional steam entering this market, but it's clearly something which is more than cm has been on. This is where we see a potential for better addressing challenges of information security. It's still a long way to go. It's still a complex journey, but clearly there are some trends on the evolutions in which help customers moving forward. So the topics for today, and these are the questions you also have found in the webinar abstract at our website. So having huge amounts of security data all in one place, how can you make sure that you really gain more visibility? The second one is who's the person who are, or who are the persons who actually write queries and take into the big data, where do you find those skills?
So it's about, about this real time. It's about this human aspect and we have the situation, many big data tools in the market are freshly baked themselves and secure, unstable heart implement. So how do I find the tool that fits my needs and what are the implementation challenges and costs. So is there really a solution out there, or is it just something which is good step away on the horizon, how to ensure that you really find a needle in the haystack? So analytics is one thing, but ending up with good results is a different one. And how do you ensure that you do that end up with too many false negatives or false positives? So there some questions, I, I will talk about some, some things where I try to provide some answers from what we see in the market, in this very, very new and very merging field, which is not, I would say, not mature, not stable yet, but where we see a clear tendency towards a new curve of solutions, which have a better potential of serving customer needs.
So I started this picture. I, I used as a, and this year's ES keynote opening keynote, where, where I talked about some upcoming trends, I call it for big data to smart information. And the point I want to make here is that big data for itself. So just collecting data and processing it, not necessarily, and up in smart information, in the sense of we really end up what we need. It, it's more about understanding where we have, let's say the bigger, perhaps the bigger and smaller data we bring together and about enriching it with additional information. So it's really about a combination of, of things adding context and other things. And if you transform this transport just to, from big data to smart security, then it means if we just collect masses of locks on events that might not be sufficient. What we really need is understanding what are our locks?
What are our events? What are other information such as information brought into this as security intelligence services? So we have a drawing number of companies which provide realtime information or near time information, current information about new threats, newly identified types of addict, etcetera, the patterns of these attack. And, and so on. These are things we need to bring in to understand, okay, this is data. And if we look at it, doesn't match new pattern, et cetera. And on the other hand, we have the context information. So some things might be critical if you look at it from the perspective of this is an external user trying to do this, or this is a user in a, in an organizational unit, which shouldn't deal with that type of systems that shouldn't access these servers or whatever, but we need to understand the context. So who is it?
And this is process, are we operating etcetera and bringing together, this helps us to move closer to a number of relevants. So when on thinking about how to end up as well than action of results, one thing is we clearly need to understand that we not only can rely on our lock, the event data. It's more that we need. We need context information. So the identity business process, cetera identity is more than an IP address. Really identity is really understanding who is it, which role does it have cetera, all that stuff we have from identity access management world. Well, beyond what we frequently look at, we need to so many of the solutions just say, okay, this is an IP address, good IP address, bad IP address. That's not what we are asking for. We, we need to bring in the external security intelligence services to provide us with up to date information on what is really happening.
We need to understand new types of analytics. And this is a, this is a difficult and complex field. I'm, I'm, I'm almost on that. I have a long history in, in, in the pattern matching fast search and pattern matching technology. So I'm looking at this for a pretty long time right now, and this is not easy, but there are some interesting opportunities. And if done right, done, right thing is clearly the big challenge here. So we need to understand correlations, how can we match patterns? How can we identify patterns? Which technology allows us to identify, for instance, uncommon patterns, fast search etcetera. So clearly there's one focus will be known patterns for ATX. So which, which are common patterns for ATX. On the other hand, we also have to focus on uncommon behavior and uncommon patterns. So if a server, we are using a, starting to send information to an IP or to IP addresses we've never seen before.
And these IP addresses are in a location, which is, let's say less trust, trust versus, and trustable than others might be. And maybe it even changes every few days. And this is one of the attack parents we have seen in various of the, the, the, the, the recent attack. So when you look at what happened that some of the, the morever things than this was the over time, and some call advanced persistence threat attack type of sin or scenario, we ended up with a situation where data was sent out or trans transmitted to various servers, and they changed the servers from time to time. So these are things we, we, we, we need to understand bringing together various things. So, so beyond the lock, so it's, it's on one hand, it's the way, how do we analyze the data? Which information do we bring in enriching the information, and then understanding what is happening and what is uncommon, which what is untypical.
This is what in combination really helps us to get better in this clearly big data technology helps us to deal better with this, the large amounts of data we are facing here. I, I don't say, and this is a clear point. I don't say that we are today can go out and say, Hey, this is the tool. We need to understand a lot of things. And I will come back to this point later. I think we need a new type of service providers and services in the area because defining the right correlations, understanding the patterns, updating these things, updating it in the context of new types of scenarios, all these things are definitely rather complex. Okay, let's move forward. So the first thing is, I think there are options to gain more visibility, but what do we need from our people side? And at the end of the day, it's about people.
And I think we, in general, we can't speak about generalists and, and the specialists and security frequently is, is very much about high, highly specialized people that understand a particular area of this. And the challenge we are facing here is that this is not about a single area we have to focus on. So if you look at the more advanced type of threats, they might start with a social fishing. They might be around accessing and, and accessing certificates, public by private key stuff, etcetera, entering servers, sending back the sending back data, etcetera. So there might be a lot of different systems and might be involved, and this makes far more complex. So we need people here which understand the bigger picture of security and all, how all these things relate. And what also, let's say context, information about business processes. Cetera means understanding the correlation of who wants and the patterns of attacks beyond a single system.
This is what, what we need here. Nevertheless, and that's the big challenge clearly is that these people need to understand a lot about security. So they need to be sufficiently specialized, but they need to do it for a lot of systems. So it's sort of the generalist who understands the big picture, but sufficiently deep to understand how things correlate, what are event really means cetera. And we clearly also need the specialists specialists, which can analyze remaining incidents, understanding what these might indicate, and they might remain specialists as long as specific systems are concern, but clearly we also need other types of users for the complex scenarios of today. It's a challenge and it's a challenge we canceled easily. And, and when I read that, that how many people are sold on this area. So how many open troughs we, or tr postings we have and that's based on, this is a, a massive challenge.
And so it will be hard because it takes a long time until, until we, we move forward with, or until we have to derive people on hand it's, it's not that you can go out and say, okay, six weeks of a training or four weeks of a training, let's say such as for an whatever server administrator trial, it's not a few weeks of training. And then you have one, this, this field is more complex. And I think one of the challenges we are also facing is that even in, even in the universities, cetera, when, when you, when you, when you study this, this, in this field, security, seldomly seldomly, a key topic within computer science, and this is a real challenge we are facing. So I think it's also part of a long-term journey, but really we can help this, but we will need a again point, which I will come back to later, we will need managed services in this space. We will need an additional solution here. So, so we're looking at a tools.
What does it mean here? And I think that's, that's, it's worse to have a look at big data security in that area. So when I look at what happens in big data right now, and probably some will say, oh, no, that's not true, but I think it's, it's pretty true as always, most of the things which came up in this market segment or in a use market segment, haven't been built with security in mind. So, so there's big data. And, and if I look at a lot of things in big data, I don't see that much of security here. So on the other hand, what we also see is that most database security winners and there's a market for database security are expanding their support, big data solutions. So things are, are proceeding here, however, they are in new challenges. And, and if I look at all this things which occur from combining data from various sources, then we are clearly facing a, a massive challenge in that space.
And this is also about risk, about understanding risk cetera. And currently we see a situation where a lot of organizations are starting to do big data, and they don't think about risk. They don't think about security. So we see massive gaps here, which was a challenge we have to keep in mind, or we have to, to look at when, when looking for tools, clearly one of the, the things we have to challenge when this was, so the question is what about the right tools? And for some reasons, that's a little bit animated. Didn't think that I put in an animation here, but okay, let's go for that. So how to find the right tools and what, what we really need to do is to bring in, to bring together a lot of things. So we have the realtime security intelligence. We have cm tools in many organizations, which provide input to what we are doing here.
We have to security and intelligence services, which provide online information such as about new types of zero data attacks. This information has to end up in our GRC environment. So indicate, oh, there are new risks. We have passed the threshold. There is something new happening. We are raising an alert, cetera. We have to bring in more information. We have to support the security operation centers. And we have to look at the area of what we call S St C the software defined computing infrastructure, which is more than SDN. SDN is a pretty common term. These days, software defined networks, but SDN only covers the portion of it. So it's not only about networks, it's about the entire infrastructure. So the systems, the storage, cetera. So let's talk about St. C I here. And as I've said, we have information from various areas. So cm log logs and advance contact information, which flow into this, the online information from security intelligence services.
And then we need to support various things. And when we look at the, the market today and the vendor categories, so we see some vendors which are entering the market more from the side of the security intelligence services, we see the same vendors. However, I'm not sure that every sea vendor will be able to successfully make that shift to the more complex area of realtime security intelligence, but some of the big ones clearly are on their way. So there are winners, and we are currently talking with many of these vendors and their, about their strategies, etc. So where will they move? What about really making about making use not only of big data technology, but providing a new type of solutions, redefine analytics, redefined content, etcetera.
Clearly you should look at a few months already offering realtime security intelligence when such as RSA security, such as IBM, which are really a little bit ahead of many of the other vendors, clearly not the only ones, but some good examples. I think these two. So what are the features? I think it's good to have, to be able to integrate with existence if someone has, if not, they're not, but it's sort of a first filter of things. So you can rely on that. All sources of locks in the events, context information such said, anti business process, realtime information. Then it's about a strong analytics and delivering things to our RC, having a risk view on things, having our security operations center, where we have our, our 1, 2, 3 tiers of, of people working on the incidents that, that, that we have to handle manually. And I think one of the most interesting and most compelling use cases we have is the integration SD T C.
So imagine a world where newly identified challenges, newly identified threats automatically reconfigure your computing infrastructure to better protect you by reshaping your network flow flow, et cetera. I think this is a very interesting area. This is clearly not, not simple. This is complex because a lot of things come together, but there's an immense potential of becoming better information security in that area. It's not that you will go out in 2014 and go to when say, that's what I need because those, the realtime security intelligence and the S D C I area are new in emerging markets, but there's a massive potential. And there's a strong logic in, in doing this. So I'm convinced that we will see a strong evolution in that space.
Yeah. Then it's about a needle in the haystack problem. So just analyzing things and saying, okay, probably this isn't, that's not enough. We need to do it different. The real challenge really is the needle and the haystack. If you trust, rely on rules, that's too static, too complex. So we can end up with extremely big rules. That's, we're still don't find what we really need patterns. If you only rely on, on patterns, especially on Fu logic in that area, this might quickly become too Fu fused for themselves. If you used only that the only approach. So there's, there's a big potential in that. There are fantastic things you can do if you understand it. The problem is that a few people understand it. So it's hard to say, did they do the right thing or not? And so combining where is approaches on analytics probably is the best way.
But the main point from my perspective is it's about vendors providing services. So it's not about, it's not about having a situation where, where we get just get a tool by a tool and say, okay, this is it's about standard configurations, which are continuously updated to match common patterns to match the common scenarios and manage services for configuration and analysis support. So what I expect is from, from providers of security intelligence services, that they not only say, okay, this is a new theory attack, but they also provide an update for my analytics configuration within my realtime security intelligence tool. So this is what I really see here, and this is what we definitely need. And I, I think we not only need it because this is about speed. So we need to be fast. And so we need as a service, the configuration we don't need.
And just, I think a very important difference. It's not about sending all our data to a cloud service or a managed service provider and MSSP managed security service provider. It's about providing configuration into our, whatever we run environment, our data center, how this looks like, whether it's pure on premise or hybrid or whatever, this is a different question, but we will need this service. And this is also what will really help us to what really will help us to address the HR resource problem. So where to find the people by services. Some our topics are the last point is clearly we shouldn't end up with too many for, with false negatives and, and too many false positive. So this is where we look at. So we have this false negative, false, positive notion. So we, if we detect an attack and we haven't been attacked, and it's a false positive, if we have been attacked and we don't detect, we should, we have a false negative letter is more critical.
So we shouldn't have false negatives. We should. On the other hand, minimize the false positives. This is a, a difficult balance. We have to find it's a complex issue, and we need to move forward and automatically handling positives, which is again, if, if we are good in understanding patterns, if we are good in analytics, we can do more in that space. We, we need to end up with manual involvement. So sort of the management by exception, and again, this might be an area for services. So where we might do the first year internally and rely for the more complex things we can't handle can't handle on, on a service provider. So this is how we should think about this. Again, it's not a simple journey, but the new technology will help us to move forward. And clearly all this will be sort of a challenge for this magic triangle we are facing frequently, which is cost performance security.
So how to balance these different things. It's a, it's a big challenge. It's not easy to solve, but, and ideally the more security we want, then the lower potentially the secure performance, the higher the cost. And if we want to optimize security and performance, it goes fully into cost. If we want to reduce cost, then we have to pay the price on one of the other sites. So it's, it's a complex situation we need to understand. And on the other hand, it's always about sort of the risk reward ratio. So we need to understand what are our risks, which of them can I mitigate gate? Now, this is what should drive our thinking. So defining your strategy. I think the first thing is you should understand what is it, realtime security intelligence, what is behind? What is the, why do we need this sink beyond cm?
And think about standardized solutions, standardized configurations, think about solutions instead of tools, hunt for talent. You will need it anyway, regardless of what you do in information security, you will need talent. It's hard to find it evaluate the vendors. There will be a keeping, a call leadership compass on this new emerging market segment, probably mid 2014. We started with our analysis of the various vendors working on that. So we will look at this market segment, compare to vendors and provide our view on where they are. And we will update this document regularly or roughly every 18 months understand the big picture. So I understand that these things go beyond traditional network security beyond the traditional security team. So it's about just looking at the context. There are so far more things in the context, which we have to consider as such as business processes, identity, etcetera, cetera, which roles do the people have.
And so on and understand that it's not only about analytics, it's about control. So the, the, the sort of the bright future of this field really comes up when, when we are able to have automated actions based on things we identify, think about reconfiguring the way your infrastructure behaves in the case of a new attack. So the software defined computing infrastructure of the future, where you don't have to wait weeks until your firewall operator has changed the configuration. This is where we are heading. So this is my presentation on this emerging topic. I think that big data can help. It's not a simple journey. It's not a extremely rapid journey, but things are happening. We see a lot of evolution here. That's why, where I right now want to move over to the Q and a session. I have a long list of questions already here. So if you have additional questions, don't hesitate to enter them.
I will start right now answering the questions regarding the list of vendors. One of the, the attendants asked whether we can give a list of the vendors. We are currently evaluat reading. We are sort of in the brief lecture phase. So we, we currently sort of filtering out who really will be in this document. There will be various vendors. We can clearly at an let's a shorter period of time start supporting an advisory project around when selection. That would be the first step and the leadership combust will take a little another question. I think Finda interesting is how would you deal with big data analytics providers taking your data into, into the cloud? I think one of the challenges we have to look at is the mass of data. So can we handle it from the mass of data, transferring everything into the cloud? Good question.
I'm not a hundred percent sure. So the question is what of, this is really more on premise or, or a hybrid seeing and what really can be done to the cloud. On the other hand, there's an opportunity there because it's really about more managed services. And then we end up with the standard list of questions around what can we do with cloud service providers? So it's about location. It's about contracts, etcetera. We have a, a large advisory practice and a lot of content around cloud service, provider selection and cloud service provider assurance, looking at, for instance, the CSA and CCM controls rise to 20,007, one controls mapping it and making clear what are the areas you have to look at specifically when selecting a cloud provider where that your biggest risk. So what really to analyze this is also one of the things we provide in our advisory service.
Another question is generalists and specialists. Isn't this just a two tier it security support. I think it's more, I think that traditionally in, in, in the, clearly in the first year, it's maybe a little more specialized the second year. It's a little bit more generic or the other way around, however you define it a little, but I think it's, it's more, I think you need a new, new group of people who are very strong in security details, but overview the entire thing, because it's not only about looking at the remaining in this incidence, it's about doing the, doing it the other way around doing it in a way where you look at all. So where it's about configuration, how to handle this. And this is, I would say it's a, it's a, it's a little bit more than, than trust what you have today. Now it's more network security. It's far bigger field of various types of, of challenges, cetera. And then when you go that first and think about the IOT, the internet of things, or the I O E the internet of everything and everyone, then other things come in, if you think about SCADA security. So the cetera, this is, this is again, another very important area. So let's look at, at, at another question. Can you define real time? I think real time in this context means being fast enough to a avoid term.
This might be more than microseconds, but it's definitely less than hours or days. So it's really about being RA quick. And so I think over time it will become more and more really real term, but it's clearly more into micro instead of the days areas it's about quick reaction and being fast enough to avoid things. And today it means we know there's a data attack. And then some days later someone looks at the new certs, cetera, and then someone starts reconfiguring the firewall and some days are gone. Or if you look at a patching of hardware devices, some weeks, months, or years are gone. So it's, it's really about becoming more realtime. That's also where, where yes, stuff comes into play, because it allows you to be far quicker because you can reduce the, the relationship on, on hardware patches of network elements, etcetera, by neutralizing all this infrastructure and adding a security layer. So I think also a very important part of the story pattern matching. I mean, really the mathematical approaches of comparing different sort of use patterns mathematically and identifying what sort this is the same or not. So identifying really patterns of use. So this is what I, what I see here. So it's really the actual data flow, for example. And this is what I think really is about pedal matching.
So the final question I have here, so if you have first questions, don't hesitate to enter them now. But the final question I have on my list now is a question it's which around seam experiences. So what is not meant by seam? I see a lot of organizations which have a cm tool, but don't really end up with action results. So they have something which allow them to, to collect logs, but there's two little solution, two little standard configuration, and sometimes it's limited in the sort of the standard support for, for incoming information and so on. I think overall there's a, not that positive history of not a big number of really successful large scale scene deployments. Especially when we look at this complex field, we are looking at all the type of attacks, complex information, security stuff. With this new challenges, them seem, I would say is too slow to react and not good enough and deal dealing with this massive amount of data we are facing. So that's it from my side, if there are no first questions and it's up to me to wish you Merry Christmas and a happy new year, hope to see you again in some of the upcoming could bring cold webinars. Next year, there will be a lot and hope to see you at the European at conference 2014. Thank you for your time and try to upcoming break and have some nice and relaxing days by.
Stay Connected
Related Videos
How can we help you