{"id":235,"date":"2013-04-22T00:00:00","date_gmt":"2013-04-22T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/22\/the-cisos-guide-to-advanced-attackers-mining-for-indicators\/"},"modified":"2021-12-30T11:36:48","modified_gmt":"2021-12-30T11:36:48","slug":"the-cisos-guide-to-advanced-attackers-mining-for-indicators","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2013\/04\/22\/the-cisos-guide-to-advanced-attackers-mining-for-indicators\/","title":{"rendered":"The CISO\u2019s Guide to Advanced Attackers: Mining for Indicators"},"content":{"rendered":"<p>The general concept is that you want to monitor your environment, gathering key security information that can either identify typical attack patterns as they are happening (yes, a SIEM-like capability) or, more likely, be searched for indicators identified via intelligence activities. We have been saying Monitor Everything almost as long as we have been talking about Reacting Faster, because if you fail to collect data you won\u2019t have an opportunity to get it later. Unfortunately, most organizations don\u2019t realize their security data collection leaves huge gaps until the high-priced forensics folks let you know they can\u2019t truly isolate the attack, or the perpetrator, or the malware, or much of anything, because you just don\u2019t have the data. The good news is that you have likely been collecting security data for quite some time, and your existing investment and infrastructure should be directly useful for dealing with advanced attackers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Forensics folks have been doing this for years during investigations, but proactive continuous full packet capture \u2013 for the inevitable incident responses which haven\u2019t even started yet \u2013 is still an early market. 
That\u2019s a start, but you will likely require some kind of Big Data capability, which should be clear after we discuss what we need this detection platform to do.<\/p>\n<p style=\"margin: 0px;\">We spent some time early in this process on sizing up the adversary for some insight into what is likely to be attacked, and perhaps even how. Once you do the work to model the likely attacks on your key information, and then enumerate those attack patterns in your tool, you can get tremendous value.<\/p>\n<p style=\"margin: 0px;\">We have already listed a number of different threat intelligence feeds, which can be used to search for specific malware files, command and control traffic, DNS request patterns, and a variety of other indicators.<\/p>\n<p style=\"margin: 0px;\">So you can search your security data infrastructure for almost anything you are collecting \u2013 or, even better, for a series of events and\/or files within your environment \u2013 quickly and accurately, narrowing the investigation to the most likely attacks.<\/p>\n<p style=\"margin: 0px;\">We have every confidence that big data holds promise for security intelligence, both because we have witnessed attacker behavior captured in event data just waiting to be pulled out, and because we have also seen miraculous ideas sprout from people just playing around with database queries.<\/p>\n<p style=\"margin: 0px;\">You are clearly constrained in terms of internal capabilities (you will be looking for a lot of data scientists over the next few years), as well as by the immaturity of technologies such as Hadoop, MapReduce, Pig, Hive, and a variety of others in the security context.<\/p>\n<p style=\"margin: 0px;\">But companies seriously looking to detect 
advanced attackers within their environments will be capturing packets to supplement the other data they already collect, and subsequently starting to use Big Data technologies to mine it all.<\/p>\n<p style=\"margin: 0px;\">Link: <a href=\"https:\/\/securosis.com\/blog\/the-cisos-guide-to-advanced-attackers-mining-for-indicators\">https:\/\/securosis.com\/blog\/the-cisos-guide-to-advanced-attackers-mining-for-indicators<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-235","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=235"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/235\/revisions"}],"predecessor-version":[{"id":2722,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/235\/revisions\/2722"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=235"},{"taxonomy":"post_tag","emb
eddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
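The indicator searches the excerpt describes (running threat-intelligence feed entries for malicious domains, C2 addresses and malware file hashes over the DNS, proxy and file events you already collect, then looking for a series of events on one host rather than a lone hit) as an added Python example. This is not code from the original post or from Securosis: the indicators, hostnames, log format and log lines are all constructed for illustration, using reserved example.* domains and RFC 5737 test addresses, and the in-memory lists stand in for whatever SIEM or Hadoop-style store actually holds the data.

```python
"""Search collected security logs for threat-intel indicators and chain hits.

Added example; not code from the original post or from Securosis. Everything
below (indicators, hosts, log format, log lines) is constructed for
illustration, using reserved example.* domains and RFC 5737 test addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator sets of the kind a threat-intelligence feed supplies.
INDICATORS = {
    "domain": {"update-check.example.net", "cdn-static.example.org"},
    "ip": {"203.0.113.45"},
    "sha256": {"0123456789abcdef" * 4},  # constructed 64-hex-char hash
}

# (event type, log field) -> indicator set that field is checked against.
FIELD_FOR = {
    ("dns", "query"): "domain",
    ("dns", "answer"): "ip",
    ("proxy", "dst"): "ip",
    ("file", "sha256"): "sha256",
}

# Constructed log lines in an assumed "<timestamp> <type> key=value ..." form.
LOG_LINES = [
    "2013-04-22T10:00:01 dns host=ws-17 query=update-check.example.net answer=203.0.113.45",
    "2013-04-22T10:00:03 proxy host=ws-17 dst=203.0.113.45 bytes=48211",
    "2013-04-22T10:00:09 file host=ws-17 sha256=" + "0123456789abcdef" * 4 + " path=/tmp/svchost.exe",
    "2013-04-22T10:05:00 dns host=ws-22 query=intranet.example.com answer=10.0.0.5",
    "2013-04-22T11:30:00 dns host=ws-31 query=cdn-static.example.org answer=198.51.100.7",
    "2013-04-22T11:31:00 proxy host=ws-31 dst=198.51.100.7 bytes=1200",
]


def parse_line(line):
    """Split one log line into an event dict with a parsed timestamp."""
    ts, etype, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "type": etype}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def match_indicators(events):
    """Return (host, ts, event type, indicator kind, value) for every field
    that matches a feed entry. One event can produce several hits."""
    hits = []
    for ev in events:
        for (etype, field), kind in FIELD_FOR.items():
            if ev["type"] == etype and ev.get(field) in INDICATORS[kind]:
                hits.append((ev["host"], ev["ts"], etype, kind, ev[field]))
    return hits


def correlate(hits, window=timedelta(minutes=10)):
    """Chain hits per host: a bad-domain lookup followed within `window` by a
    network or file hit on the same host. A lone DNS hit (ws-31 below) is
    reported by match_indicators but not escalated here."""
    by_host = defaultdict(list)
    for hit in sorted(hits, key=lambda h: h[1]):
        by_host[hit[0]].append(hit)
    alerts = {}
    for host, host_hits in by_host.items():
        lookups = [h for h in host_hits if h[3] == "domain"]
        follow_ups = [h for h in host_hits if h[2] in ("proxy", "file")]
        for lookup in lookups:
            chain = [f for f in follow_ups
                     if lookup[1] <= f[1] <= lookup[1] + window]
            if chain:
                alerts[host] = [lookup[4]] + [f[4] for f in chain]
    return alerts


def hunt(lines=LOG_LINES):
    """Run the feed indicators over the collected lines; return raw hits and
    the per-host chains worth an analyst's attention."""
    hits = match_indicators(parse_line(line) for line in lines)
    return hits, correlate(hits)


if __name__ == "__main__":
    raw_hits, chains = hunt()
    for hit in raw_hits:
        print("hit:", hit)
    for host, chain in chains.items():
        print("chained on", host, "->", " -> ".join(chain))
```

On the constructed input, ws-17 produces a lookup of a listed domain, a connection to the listed C2 address it resolved to, and a file matching a listed hash within seconds, so it is escalated as one chain; ws-31 only resolves a listed domain and is left as a raw hit for review. In a real deployment the match stage is a join between the indicator table and the event store, and the window and follow-up event types are tuning decisions, not constants.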