‘Big Data’ offers big progress in network security
Narus and Teradata
As they survey the frustrating current cyber security scene, experts recognize that the problem is not that we know too little about the threats that are attacking our computer networks.
“The problem is we have too much security data,” explains Microsoft’s Scott Charney, “and we don’t know what to make of it.”
Charney, a corporate vice president for trustworthy computing, delivered a keynote address at the RSA cyber security conference on Feb. 28, in which he described the current dilemma -- petabytes of seemingly useless data that cry out to be analyzed -- and suggested one promising solution: Big Data.
In essence, Charney and many other cyber gurus have begun to focus on what they call Big Data as an important new weapon that the good guys can try to perfect and deploy in the never-ending battle with cyber attackers who would steal money, intellectual property, sensitive information and anything else of value that resides on a vulnerable computer network.
What is Big Data? How is it being used? And how will Big Data evolve in the near future? Government Security News gathered some interesting insights at the recent RSA show, and has put together some preliminary answers.
Big Data is a term that has come to describe a humongous mountain of information (typically captured on a computer network from mind-numbing log files, flow data, IP traffic and other voluminous sources) that might contain worthwhile clues to the origins and behavior of a cyber attacker, if only that data could be analyzed effectively in real-time. Until recently, cyber security professionals have found it nearly impossible to cope with the vast amounts of data captured daily on their networks, exceedingly difficult to identify minuscule “clues” hiding amidst all that data that might warrant further analysis, and overwhelmingly burdensome to store all that incoming data, while waiting for one of those suspicious clues to come to the attention of an alert analyst.
The vast amount of data that has been burying network administrators in recent years is only growing worse, Charney warned. He specifically cited two new sources of information, “geo-location data,” derived from the widespread use of GPS and mapping software on mobile hand-held devices, and “user-created content,” the diaries, scribblings, videos and postings that are washing around the globe on ever-more-popular social media Websites. As this ocean of network-related data rises, the need to find a way to make some sense of it grows accordingly.
That’s where two companies – Narus and Teradata – have entered the scene. They announced at RSA a promising new partnership in which Narus would handle the analysis of vast quantities of network-related data and Teradata would handle the storage and crunching of that data. Here’s how a press release issued on Feb. 27 by both companies described the capabilities of their new partnership:
- The most scalable, real-time traffic intelligence system that captures, analyzes and correlates IP traffic in real time, and offers wide visibility across heterogeneous networks and deep insight into multiple layers of network traffic.
- Patented analytics to detect patterns and anomalies that can predict and identify security issues, misuse of network resources, suspicious or criminal activity, and other events that can compromise the integrity of the network.
- The ability to respond quickly to known and previously unknown cyber threats with effective, informed action based on business and operational policies.
To gain a better understanding of what that actually means, GSN spoke with Jay Thomas, vice president of global services at Narus, and Monica Smith, a marketing executive with Teradata. They described a hypothetical situation in which an important, but nearly-invisible, piece of network data could serve as a clue to a much larger, ongoing cyber threat. Such a clue almost begged to be discovered through the use of more-potent analytic and storage capabilities.
Suppose an evil botnet commander, who had already “captured” millions of vulnerable computers around the world, had recently penetrated your desktop computer and had lodged one of its discreet, secret “agents” inside your network. One day, this agent might release a virus into your network or instruct your computer to launch a denial of service (DoS) attack against another network. In the meantime, this botnet agent typically would lie low and attempt to avoid being noticed by your network administrator. Even so, in order to remain in contact with its remote commander, the agent would need to transmit a message periodically -- perhaps once per month -- back to its commander’s IP address at a nefarious computer sitting in Russia, China, Eastern Europe, another country or (heaven forbid) in the United States.
That once-per-month transmission of an IP address -- buried amidst millions of nondescript log entries -- generally wouldn’t tip off a network administrator that something suspicious was taking place on your network. But suppose a sharp-eyed analyst on your staff noticed that unusual occurrence and sought additional evidence. That’s where Narus might come in.
The NarusInsight traffic intelligence system, and the human analysts who use it, theoretically could spot that anomaly and request a real-time analysis of weeks, or months, or years of similar information from your network that was sitting in a massive data warehouse operated by Teradata.
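The kind of analysis the scenario above calls for can be illustrated with a small detection script. The following is an added example, not code from Narus, Teradata or this article: it reads constructed flow-log lines (timestamp, source host, destination IP, port; the addresses are documentation ranges, not real hosts), groups connections by source/destination pair, and flags pairs that are both rare over the observed window and regular in their spacing. It generalizes the once-a-month case in the text to any low-frequency periodic check-in by measuring how evenly spaced the connections are (the coefficient of variation of the gaps between them). The thresholds `min_events`, `max_events_per_day` and `max_cv` are assumptions chosen for this sample, not values from the page.

```python
"""
Find low-and-slow periodic "beacon" connections buried in months of flow logs.

Each log line has the constructed form:
    2012-01-03T02:14:07Z 10.0.0.12 203.0.113.7 443
    (UTC timestamp, source host, destination IP, destination port)
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def build_sample_log():
    """Return constructed flow-log lines covering about five months (not real traffic)."""
    base = datetime(2012, 1, 1, tzinfo=timezone.utc)
    lines = []
    # Routine traffic: one host reaches a (constructed) CDN address three times a day.
    for day in range(150):
        for hour in (8, 12, 17):
            t = base + timedelta(days=day, hours=hour)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.12 198.51.100.20 443")
    # The beacon: five check-ins to one rare address, roughly 30 days apart, with jitter.
    for day, minute in ((3, 14), (33, 41), (62, 7), (93, 55), (123, 22)):
        t = base + timedelta(days=day, hours=2, minutes=minute)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.12 203.0.113.7 443")
    # A one-off connection: rare, but a single event cannot be periodic.
    lines.append("2012-02-10T11:03:00Z 10.0.0.12 192.0.2.9 80")
    # Another host with rare but irregular connections: rarity alone is not a beacon.
    for day in (5, 9, 40, 41, 88):
        t = base + timedelta(days=day, hours=13)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.31 192.0.2.44 443")
    return sorted(lines)


def parse_line(line):
    """Split one log line into (timestamp, source, destination, port)."""
    ts, src, dst, port = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(port)


def find_periodic_beacons(lines, min_events=4, max_events_per_day=0.5, max_cv=0.2):
    """
    Report (src, dst) pairs that are rare (average rate below max_events_per_day over
    the window in which they were seen) and evenly spaced (coefficient of variation of
    the gaps between consecutive connections at or below max_cv). Thresholds are
    illustrative assumptions and should be tuned to the network being monitored.
    """
    by_pair = defaultdict(list)
    for line in lines:
        when, src, dst, _port = parse_line(line)
        by_pair[(src, dst)].append(when)

    findings = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue  # too few events to judge periodicity
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        if span_days == 0:
            continue
        if len(times) / span_days > max_events_per_day:
            continue  # chatty pair, not low-and-slow
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(times),
                "period_days": round(mean(gaps), 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_beacons(build_sample_log()):
        print(finding)
```

On the constructed sample the only pair reported is 10.0.0.12 to 203.0.113.7 with an estimated period of about 30 days; the daily CDN traffic is dropped by the rate threshold, the single connection by the event minimum, and the irregular pair by the spacing test. The point of running it over months of data rather than a day is the same one the article makes: a single check-in is just another log entry, and it is the regularity across a long window that makes the anomaly visible.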