-a sneak peak at the Verizon 2014 Data Breach Investigations Report, which found the time it takes for an attacker to compromise a system in three-quarters of breaches is days or less, but less than 25% of breaches are discovered in days or less; and,
However I did get a prebrief from RSA, EMC’s security division, about two announcements prior to the annual security sell-ebration: a new partner program, RSA Managed Security Partner (MSP) Program, to deliver managed services, and a Big Data reference architecture for Security Analytics created with Pivotal, another EMC relation, courtesy of VMware.
The MSP program, which will provide partners with tools and training to deliver Security Operations Center capabilities (including RSA Security Analytics) and offer managed security and incident response services, has been started with 5 participants, including Verizon Enterprise Solutions and Foreground Security. It is more of a formalization of existing education and training initiatives than anything really new, said RSA’s Seth Geftic, advanced threat and security product marketing expert. In large part, it is intended to address the critical shortage of qualified security professionals.
“I don’t think I’ve come across one organzation, even the largest, that said it is easy to find the people. We need to turn our security teams into hunters.”
The two primary drivers behind the reference architecture are that there are a lot more determined and well-funded attackers, and IT environments are getting so complex attacks can hide in plain sight, said RSA’s Paul Stamp, Director, Product Marketing. “Both of these efforts are highly data-intensive.”
The refence architecture addresses the needs for greater visibility, enhanced analytics, actionable intelligence, enterprise deployability and scale, and flexibility and agility. All-in-all, it’s a good thing for organizations to help reduce the risk of loss, reduce their deployment risk, rely less on scarce Data Science expertise – all while achieving a better return on investment by using their existing security team better, and getting to use their Big Data infrastructure across the organizations, he said.
Comprised of RSA Security Analytics and Pivotal’s open-source Hadoop framework, the Big Data reference architecture for Security Analytics is intended to be a guide for enterprises looking to create a scalable approach to security analytics, that ties in with a wider approach to analytics of IT operations data and the creation of an Enterprise Data Lake (vast repositories that are landing zones for any and all enterprise data that might potentially be interesting in the future).
While one of the most important trends in IT, there is still confusion around what technologies to leverage in order to derive maximum value from these disparate information sources, said ESG Senior Principal Analyst Jon Oltsik in a prepared statement. “From an information security perspective, modern data centers produce huge amounts of data about themselves that can help improve security availability, performance and efficiency, but it’s often captured in silos and tough to correlate an analyze. The foundation offered by RSA and Pivotal will be extremely valuable not only for organizations looking to bolster security capabilities, but also those considering expanding their Big Data strategy beyond just security.”
There is no shortage of data that supports the upcoming Verizon condemnation of the current state of security, especially from security vendors. From a slightly less-biased perspective, a recent survey of security professionals by Enterprise Strategy Group reported:
-42% believe that “keeping up with the latest threats and vulnerabilities” is “much more difficult” or “somewhat more difficult” than it was two years ago;
-39% believe that “keeping up with internal security skills” is “much more difficult” or “somewhat more difficult” than it was two years ago;
-38% believe that “overall security monitoring” is “much more difficult” or “somewhat more difficult” than it was two years ago;
-35% believe that “recruiting/hiring new security professionals” is “much more difficult” or “somewhat more difficult” than it was two years ago; and,
-33% believe that “managing disparate security point tools” is “much more difficult” or “somewhat more difficult” than it was two years ago.
Stamp agreed that there is clearly room for improvement on security spendng, especially with most budgets – around 85% – devoted to detection, and not quickly resolving the issues. “The security team is like the immune system: they’re trying not to stop the patient from being infected, but from getting sick.”
Earlier this month RSA updated and rebranded its Silver Tail offering – no known as RSA Web Threat Detection (v4.6) – to provide insight into third-party functionality embedded in Websites. Back in October, at its RSA Conference Europe 2013, the company released a number of new products, services and a roadmap for next-generation security operations intended to help all customers – advanced (5-10%), intermediate (20-30%) and the rest, mainly SMBs (60-75%) – deal with a security market that is evolving to a more holistic approach.
Going forward, RSA is focusing on three directions, said Geftic. First, providing extra visibility, from endpoint to the cloud; second, the analysis we need to perform needs to get ever-more advanced; and third, we need to put information into the right hands to take action.
The Fiddly Bits
The RSA and Pivotal reference architecture provides insights into the visibility, analytics and actionable intelligence organizations need to detect and investigate today’s security threats while also providing a solid foundation for a broader ‘IT Data Lake’ strategy, to control costs and enable IT to gain maximum value from analytics about IT systems. Together, the two can provide security analysts and incident responders with:
-greater visibility through full network packet capture, log collection and contextual data enrichment to spot threats designed to evade detection by common security tools;
-enhanced analytics right at the time of capture and throughout its lifecycle to its archival and retirement, to spot interesting conclusions and indicators of attack and compromise;
-actionable intelligence through data visualization, feeds of suspicious activity, and prioritization of alerts that allows analysts to respond appropriately to threats;
-enterprise deployability and scale, using distributed, high availability, scale-out architectures that allow for expansion and flexibility to scale to the largest of environments; and,
-flexibility and agility through the ability to take advantage of new analytics modules and new data sources as they are developed or integrated, ensuring security operations are ‘future—proofed’ as threats and business processes evolve.
To be anchored by Verizon Enterprise Solutions as its marquee global partner (four other managed security service providers have also signed on), the RSA Managed Security Partner (MSP) Program leverages intelligence-driven security solutions such as RSA Security Analytics to better detect and mitigate advanced threats. The RSA products and services are designed to enable program members to deliver:
-comprehensive visibility, incorporating full network packet capture, logs, events, endpoint-sourced data, asset information, location of sensitive content, vulnerability information and other business and technical context;
-advanced security monitoring for detection, investigation, remediation, and management capabilities in a cost effective, off-the-shelf, modular yet integrated portfolio/solution;
-improved threat detection and investigative value that automatically enriches internally collected security telemetry with external threat and custom intelligence data;
-prioritized investigations and activity analysis based on customer or MSSP context, criticality, and the location of sensitive data;
-advanced endpoint malware detection and cleanup on endpoints and via the network without depending on file signatures;
-security incident management via customized advanced workflow management, notification and reporting functionality for incident management by MSSP or customer; and,
-skills enhancements for MSSP analysts via advanced security training and certification.