Drawing Big Data Insights from a Security Intelligence Cloud
If you want to skate to where the puck is going in security today, it’s best to think big – as in Big Data. To detect stealthy breaches by advanced adversaries, you need to analyze a greater volume and variety of data, at a greater velocity – the so-called “3 V’s” of Big Data. Big Data analytics is as critical to security as to any other field, because it holds the promise of analyzing data sets that were too large to process in the past – in other words, solving previously unsolvable problems. In this way, it can help uncover insights – such as security compromises or malicious behavior – that would otherwise have lain hidden.
The best way to obtain security analytics at Big Data scale is with a purpose-built security intelligence architecture that can scale to meet your needs, unpredictable as they might be. You want a solution that can expand as your business grows, as you analyze new types of security data, and as your security process maturity increases – one that requires minimal administration but offers maximum flexibility. In other words, a security intelligence cloud.
Just what is a security intelligence cloud? (No, it’s not a cloud-delivered security intelligence solution.)
It starts with the building blocks of security intelligence:
- Integrated capabilities for SIEM, log management, behavioral anomaly detection, configuration & vulnerability management, and forensics
- Delivered as a pre-packaged, scalable solution, just as you would expect from a SaaS application
This contrasts with the inflexible architectures and non-scalable databases of legacy security products.
Let’s consider the most appealing characteristics of cloud computing and their role in a Security Intelligence (SI) Cloud:
- Scalability and elasticity – This is arguably the central aspect of cloud computing, and of the security intelligence cloud in particular. Through an architecture that supports high-speed data collection and real-time correlation, using a flexible and distributed database, an SI cloud not only performs security analytics at Big Data scale but also adjusts on demand to changing needs.
- Location independence – A security intelligence cloud enables you to capture data from anywhere in your network, correlate it globally, and make it available instantaneously to users worldwide. By using a federated, distributed data architecture that abstracts physical data stores, an SI cloud eliminates underlying data management complexity – just as an IaaS cloud solution abstracts the physical locations and capacities of server hardware from the IaaS customer.
- Agility – An essential element of the cloud model, agility is critical for security intelligence deployments because the volume and variety of data monitored will grow over time, and you might need to change the types or locations of data collection sensors across your network.
- Cost structure – Whether you deploy your security intelligence cloud on a (virtualized) cloud platform might determine how much you end up substituting operational for capital expense, but either way, an SI cloud should provide a cost-effective and growth-friendly solution that doesn’t require large expenditures for incremental volume increases.
- Maintenance – An SI cloud can offer further benefit through the use of appliances that are pre-configured and require minimal infrastructure management. This allows users to focus on the task at hand: detecting the risks that matter and remediating them appropriately.
- Reliability – A modern SI cloud offers native, integrated high availability and data redundancy to enhance overall reliability, like public cloud services.
Just as server virtualization is a foundational technology for cloud computing, a security intelligence cloud can leverage virtualization for cost and agility benefits, as warranted by the organization’s preferences, existing virtual infrastructure, and provisioning speed requirements. It can run on-premises, off-premises, or in a hybrid of the two. While most customers find the provisioning of hardware appliances fast enough, virtual appliances are an excellent option when on-demand capacity is needed in minutes.
What’s most important, though, is for the SI cloud to provide a highly elastic data management layer, so that actual system capacity can grow in proportion to storage and computing resources, rather than being bottlenecked by architectural constraints.
Collectively, these capabilities enable a security intelligence cloud to be an agile platform for Big Data security analytics. And we believe QRadar provides the ideal security intelligence cloud, because it fits the requirements above so well.
Major enterprises are using QRadar today to collect and correlate billions of events and network flows per day, in deployments that span multiple locations and connect previously siloed operational groups.
- A Fortune 100 telecommunications provider collects and monitors one million events per second – more than 85 billion events per day – to ensure security and regulatory compliance across its massive customer operations.
- A global energy company uses QRadar to ensure NERC and PCI-DSS compliance (monitoring 6 million card swipes per day) while correlating 2 billion events per day. It performs real-time analysis to determine the 25-50 priority incidents that matter each day – for a roughly 40-million-to-one data reduction ratio.
With the recent release of QRadar 7.1, there are even more ways to use QRadar in the cloud, and to manage Big Data security analytics. For example, Index Management enables higher performance and better use of storage, through advanced reporting and tuning capabilities. QRadar is also complemented by several recently released IBM Security products that are making cloud computing safer and more effective.
For a related perspective, I also recommend my colleague Chris Poulin’s recent paper, which discusses how an organization’s security or risk management group can use security intelligence as an internal cloud service to support groups such as firewall management, systems management and network management.
To close with another of my favorite Gretzky quotes, you miss 100 percent of the shots you don’t take! Don’t miss your chance to learn what a modern security intelligence solution can do for your business. Take the next step in our QRadar Resource Center.