Big data security analytics: Facebook's ThreatData framework

Expert Kevin Beaver explains how enterprises can take a page from Facebook's ThreatData framework security analytics to boost enterprise defense.

Facebook has been a constant target of cyberattackers since its inception. It struggles to ward off malware and prevent fraud, and its efforts constantly make the news. Yet it's likely fair to say that the threats Facebook is seeing behind the scenes are even more daunting.

When facing a threat, knowledge is power. Many companies are recognizing the power of threat analysis and security analytics to not only help thwart current issues but also improve incident response. Recently, Facebook announced its own foray into the big data security analytics arena with its ThreatData framework.

In this tip, let's discuss what the ThreatData framework is, how it works and why enterprises should be aware of its existence -- as well as what infosec pros can learn from it to better manage threats at their organizations.

Inside the ThreatData framework

With ThreatData, Facebook touts its ability to gather, process and analyze massive amounts of data quickly to respond to emerging threats in a timely manner.

The big data security analytics framework is broken down into three main parts:

  • Feeds: This is data (referred to as "ThreatDatum") collected from various sources in various formats both inside and outside of Facebook, including VirusTotal, Web browser extensions and security vendors that specialize in such data gathering.
  • Data storage: These are the repositories, called "Hive" and "Scuba," where the data is housed and threat intelligence is extracted.
  • Real-time response: This is Facebook's response to the threats, which includes URL blocking and security information and event management (SIEM) integration.
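
To make the three stages concrete, here is a toy pipeline in the same shape (feeds normalised into records, a deduplicating store, a real-time decision that emits a SIEM-style event). It is an added illustration, not Facebook's code; the record layout, the two constructed feed formats and the severity threshold for blocking are all assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class ThreatDatum:
    """Normalised record, one per indicator (assumed layout, not Facebook's)."""
    kind: str      # "url" or "domain"
    value: str
    source: str    # which feed it came from
    severity: int  # 1 (low) .. 3 (high)

# Constructed sample feed entries in two different formats (not real data).
VENDOR_FEED = [
    {"url": "http://bad.example/login", "detections": 7},
    {"url": "http://fine.example/news", "detections": 0},
]
EXTENSION_FEED = [
    "malicious_domain\tphish.example\tblock",
    "suspicious_domain\todd.example\treview",
]

def normalize(vendor, extension):
    """Feeds stage: map heterogeneous feed records into ThreatDatum records."""
    out = []
    for e in vendor:
        if e["detections"] > 0:
            sev = 3 if e["detections"] >= 5 else 2
            out.append(ThreatDatum("url", e["url"], "vendor", sev))
    for line in extension:
        _kind, host, verdict = line.split("\t")
        out.append(ThreatDatum("domain", host, "extension", 3 if verdict == "block" else 1))
    return out

class Store:
    """Storage stage (stand-in for Hive/Scuba): dedupe, keep the highest severity."""
    def __init__(self, data):
        self.by_value = {}
        for d in data:
            prev = self.by_value.get(d.value)
            if prev is None or d.severity > prev.severity:
                self.by_value[d.value] = d

def respond(store, url):
    """Response stage: block on a high-severity match and emit a SIEM-style event."""
    host = urlsplit(url).hostname
    hit = store.by_value.get(url) or store.by_value.get(host)
    if hit is None:
        return "allow", None
    action = "block" if hit.severity >= 3 else "alert"
    return action, f"action={action} url={url} source={hit.source} severity={hit.severity}"
```

The point of the store stage is that the same indicator arriving from two feeds becomes one record with the stronger verdict, so the response stage never has to reconcile feed formats itself.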

In essence, ThreatData provides more context and greater visibility into malicious activity taking place around the Internet. These discovery and detection capabilities are precisely what most enterprises are missing in their information security programs. Similar to the benefits of SIEM, this level of detail allows infosec pros to see the bigger picture rather than managing security in product or functional silos, as is more typical.

What the ThreatData framework means to the average enterprise

So why does any of this matter -- especially to enterprises that might have little involvement with Facebook?

The ThreatData framework serves as a model of the type of innovative framework high-risk organizations are implementing to address known and emerging security threats, and it may offer numerous lessons to use in an enterprise setting.

While the majority of organizations don't have nearly the security resources that Facebook has, many of the framework's threat intelligence "features" don't require massive resources to pull together -- features such as info on the latest phishing websites, malware in the wild, and related trends along with what, specifically, can be done about the threats.

Alternately, there are many third-party vendors -- such as Dell SecureWorks and Alert Logic -- to which enterprises can outsource some, if not most, of this functionality, including alerts on attempted attacks, known network malware infections, behaviors and signatures to be on the lookout for, and real-time patching with technologies such as Web application firewalls.

The people in charge of security in many organizations -- especially small and mid-market enterprises -- often don't have a good idea of where things stand at any given time. Even when outsourcing such services, there's simply not enough manpower or niche security expertise to manage, much less respond to, these threats in a timely and reasonable fashion. Not all is lost, however: There's still hope to gain control of the enterprise environment.

The truth about enterprise defense

While understanding the enemy is important, it's not everything. Many forget that information risk is made up of threats and vulnerabilities. Enterprises can never truly eliminate the threat, but that's okay. If run-of-the-mill vulnerabilities involving patches, passwords and improperly secured information were nonexistent, what risks would these threats pose?

Still, there are headlines each week on "critical new threats" and sensational stories about "what you now must protect against." While this news makes for good drama, most of these issues probably don't require a drastic change to an enterprise's approach to security. Studies from Verizon, Trustwave and others have shown that fundamental (and fixable) flaws in the most commonly updated products from vendors like Microsoft, Oracle, Adobe and Cisco are being targeted most often, and those are the issues enterprises need to get under control first.

Enterprises must have their priorities straight. Most organizations don't need a new target to hit; the target is almost always right before their eyes. Rather than throw money, human resources and cool new technologies at the same old problem, enterprises need to correct the conditions that cause the risks in the first place. If organizations don't fix what's wrong, whatever is ailing them will continue to ail them regardless of the advanced information brought forth by any sort of threat intelligence framework.

I'm not suggesting that Facebook's ThreatData framework won't add value to its business or, in the long run, help those enterprises that leverage or allow Facebook access. It's certainly good for Facebook's user base. Nor would such a system detract from what enterprise security teams are trying to accomplish. Every informed security decision made requires context and detailed information about existing and emerging threats -- such as that which the ThreatData framework provides. Furthermore, some security vulnerabilities are out of an enterprise's direct control -- such as zero-day flaws and the numerous weaknesses in the fragmented world of Android.

Enterprises need to be wise about their security approaches. Big data technologies such as the ThreatData framework are not going to solve all enterprise security problems, but they can certainly supplement a security program, and even offer value to organizations that face a heightened risk posed by advanced threats. The best thing enterprises can do is to learn from ThreatData. Facebook not only has a solid approach to security event detection and response, but it also sees the bigger picture. Response is the new detection. It's not what's done to prevent every single threat from exploiting all known vulnerabilities but instead, what's done to minimize the impact to the network. Looking beyond the traditional NIST and ISO-IEC security standards, Facebook's ThreatData framework can serve as the basis for building out a more holistic approach to managing information security risks.

About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies, The Practical Guide to HIPAA Privacy and Security Compliance and Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.

This was last published in July 2014