This content is part of the Essential Guide: How to define SIEM strategy, management and success in the enterprise

Big data 2.0: CISOs push need to identify attack campaigns

CISOs at RSA Conference 2013 say identifying attack campaigns means taking security big data to the next level. The hard part? Finding data analysts.

SAN FRANCISCO -- Are big data-centric security systems already becoming passé? According to a panel of security practitioners at the 2013 RSA Conference, organizations that aren't using security big data collection systems to identify attack campaigns may already be falling behind.

Tuesday during a wide-ranging discussion focused on using big data to enable better security visibility, the panelists described the need to analyze a staggering number of network security events.

Left to right: Richard Stiennon, Harvest, Praveen Money, Datashield Consulting, Ramin Safai, Jeffries & Co, Alex Tosheff, X.commerce, Carter Lee,

Ramin Safai, CISO of New York-based investment banking firm Jefferies & Co., said his company experiences 5,000 network events per second, capturing about 25 TBs of data on them per day; his three-person network analysis team typically highlights about 50 issues, about two of which prove legitimate.

While on the high end of the spectrum, Alex Tosheff, CISO of eBay Inc.'s X.commerce unit, said his organization internally sees 10,000 events per second and records nearly 1 PB of event data each day, and that doesn't include the external "production" environments he supports, namely, and others.

So to find the security events that matter, organizations build systems to pull in as much relevant data as possible -- data from networks, endpoints, databases, applications and identity and access management systems -- but that's the easy part. Identifying those select few events that indicate a potential intrusion takes hard work.

"The important thing is your analytics engine needs to work in conjunction with all your best-of-breed technology," said Carter Lee, vice president of technology for He said open systems generally work better than products from larger vendors that require long-term lock-in and often aren't frequently updated to adapt to new threats.

Tosheff said his organization has been at it for five years, and what's worked for them is a combination of over-the-counter and self-built tools utilizing custom rule sets that, above all else, look for data exfiltration events.

"We've tried to evolve with it," Tosheff said. "It's an arms race, and it's difficult to keep up, but it's something that you can't stop doing."

Big data 2.0: Using data to identify attack campaigns

However, the panelists said simply identifying suspicious events is no longer enough.

Moderator Richard Stiennon of Birmingham, Mich.-based consulting firm IT-Harvest, said he first recognized this last year in his work with large defense contractors. He noticed a trend where they were identifying and correlating key attack indicators and classifying them into campaigns -- coordinated, multi-pronged attacks orchestrated by known threat actors.

Tosheff said his organization's electronic crime detection group is tasked with similar responsibilities, and combines its own internal intelligence with external sources to identify various malicious actors, including fraud rings, hacktivists or data thieves. Important findings are then documented in a common taxonomy and shared quickly across industry groups via mechanisms such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).

"It's extremely important to track campaigns. If you're not doing it, start," said Praveen Money, CISO of Datashield Consulting in Phoenix. "It's this collection of attributes that will help you detect and defend against the next attack."

Money said by correlating incidents and identifying common attributes, an enterprise can reveal who its attackers may be and what they're likely after, shortening the time between detection and response in the future.

"Key indicators by themselves don't mean a lot, but when you put them together you can go beyond what would otherwise be benign instances," Money said. "By putting it all together into a campaign, your response organization will move forward by leaps and bounds."

Splunk favored over SIEM systems

Interestingly enough, nearly all the panelists said they use the venerable packet-capture and analysis tool Splunk as their primary data analysis tool over more expensive commercial security information and event management (SIEM) products.

Safai said even though his organization feeds a variety of logs into a SIEM, that data gets pushed into Splunk because no other tool can handle the volume and complexity of all its data.

While Safai has had discussions with SIEM vendors, none of them provide the same capability to quickly zoom into a dataset and see events based on a particular time or device, pinpoint an event, and then zoom out again and use that event as a starting point to look for trends or similar events.

"It's that functionality plus being fast" that matters, Safai said. "Our SIEM doesn't have it; it's very slow. It takes 24 hours to do that with a SIEM and two minutes with Splunk."

Tosheff said of Splunk: "It maps closely to an engineer's brain in how it works. It's a tool that's flexible."

A SIEM, Tosheff noted, also doesn't cover the whole gamut of potential data input sources. "You have to be committed to owning that [responsibility] and building things for your own context. You can't just buy off the shelf."

Wanted: More data scientists

Still, even with the best combination of commercial tools and custom rule sets, the panelists concurred that trained, talented data analysts are needed to identify anomalies and the attack campaigns that machines can't always see.

However, talented data analysts can be hard to find. As one audience member said to the panel, data scientists are among the most sought-after people in IT today. Safai said he's alleviated the problem to a degree by using university co-op students to analyze data in exchange for real-world experience.

"From my own experience, you can find talented data analysts in engineering communities," Money said. He said companies he's worked with have offered IT pros in various other roles the opportunity to analyze data on the side, rewarding them by paying for their travel expenses to industry conferences.

"If you know any 18-year-old kids," said Lee -- perhaps best summing up the panel's frustration over the industry-wide scarcity of data analyst talent -- "pry the X-Box controllers from their hands and tell them to get into this field."

View all of our RSA 2013 Conference coverage.

Dig Deeper on Data security technology and strategy