Big Data, Better Security

rhuber    November 16, 2012

Yesterday, I was invited to speak to the SF Cloud Mafia group about what we do at Risk I/O. As I mentioned during the presentation, I trashed my original slides at 5pm the previous night because they felt too ‘salesy’. I am happy to have you try Risk I/O, but really I want to sell you on the ideas and motivations behind what we are developing. Please check out the slides at the end of this posting, as the post loosely follows them.

In security, a vulnerability can take many forms: default passwords, misconfigured servers, unfiltered requests, etc etc etc.  These are problems that are well understood, and yet according to the latest Verizon Data Breach Investigations Report (DBIR), there are some very troubling statistics.  Some that really resonate with me are:

1) 97% of the breaches were “avoidable through simple or intermediate controls”
2) 94% of all data compromised involved servers
3) 79% of victims were targets of opportunity

Today, we have a wealth of security tools including scanners, IPS, SIEM, netflow, log aggregators, but still we see individuals and businesses burned by common flaws that should be easy to resolve. The problem isn’t that we don’t know where to look for information, it’s that we don’t know which issues to focus on. Additionally, the process of remediating vulnerabilities is not scalable. Where we have made great strides in reducing tedious processes in operations (e.g. DevOps), security engineers can find themselves with too little time and too many open issues to manage.

Try, as I did a couple of days ago, running a scan of your home network using any popular security tool.  Which items first catch your attention?  Most likely the critical and/or high-level vulnerabilities.  Consider a larger corporate example with thousands of hosts or more.  The number of critical and high-level vulnerabilities found will likely leave you no opportunity to follow up on anything below a medium.  This is the wrong way to view your infrastructure.  A critical vulnerability on an internal test server is probably less urgent than a medium or high-level vulnerability on your production webserver.  This is where intelligent scoring can improve our efficacy in remediation.  Utilizing an ‘all the things’ approach allows us to model and predict based on a broad set of criteria.  Additionally, as more companies use Risk I/O, the better our predictive models will evolve.  Leveraging data from multiple IDSes will allow us to understand the ‘now’ threats as opposed to perceived threats.
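The re-ordering described above can be made concrete. The script below is an added illustration, not Risk I/O's scoring model or any code from the original post: it takes a scanner's raw CVSS base score and scales it by hypothetical asset context (environment, internet exposure, data sensitivity) and by whether an IDS has seen the flaw being exploited. The weights, host names and findings are all constructed for the example, and the multiplicative weighting is one simple choice among many; the point is that a critical on a test box drops below a medium on a production, internet-facing server.

```python
"""Context-aware vulnerability prioritisation (illustrative; hypothetical weights)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    environment: str            # "production", "staging" or "test"
    internet_facing: bool
    handles_sensitive_data: bool


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str
    cvss_base: float            # scanner-reported base score, 0.0 to 10.0
    exploited_in_wild: bool     # e.g. matching attack traffic seen by an IDS


# Hypothetical weights: how much a finding on this kind of host matters.
ENV_WEIGHT = {"production": 1.0, "staging": 0.6, "test": 0.3}
INTERNET_FACING_MULT = 1.5
SENSITIVE_DATA_MULT = 1.25
EXPLOITED_MULT = 1.5


def scanner_bucket(cvss_base: float) -> str:
    """The label a scanner would print, based on severity alone."""
    if cvss_base >= 9.0:
        return "critical"
    if cvss_base >= 7.0:
        return "high"
    if cvss_base >= 4.0:
        return "medium"
    return "low"


def contextual_score(f: Finding) -> float:
    """Scale raw severity by where the host sits and whether attackers are using the bug."""
    score = f.cvss_base * ENV_WEIGHT.get(f.asset.environment, 0.5)
    if f.asset.internet_facing:
        score *= INTERNET_FACING_MULT
    if f.asset.handles_sensitive_data:
        score *= SENSITIVE_DATA_MULT
    if f.exploited_in_wild:
        score *= EXPLOITED_MULT
    return round(score, 2)


def prioritize_by_severity(findings):
    """What a plain scanner report does: sort by CVSS alone."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def prioritize_by_context(findings):
    """Sort by the context-adjusted score instead."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample data (not real hosts or scan output).
TEST_BOX = Asset("test-app-01", "test", False, False)
WEB_PROD = Asset("www-prod-01", "production", True, True)
DB_PROD = Asset("db-prod-01", "production", False, True)

SAMPLE_FINDINGS = [
    Finding(TEST_BOX, "Remote code execution in outdated web framework", 9.8, False),
    Finding(WEB_PROD, "Input validation flaw in web application", 6.5, True),
    Finding(DB_PROD, "Unpatched database service", 7.5, False),
]


if __name__ == "__main__":
    print("Severity-only order:")
    for f in prioritize_by_severity(SAMPLE_FINDINGS):
        print(f"  {scanner_bucket(f.cvss_base):8} {f.cvss_base:4} {f.asset.hostname}")
    print("Context-aware order:")
    for f in prioritize_by_context(SAMPLE_FINDINGS):
        print(f"  {contextual_score(f):6} {f.asset.hostname}  {f.title}")
```

Run as-is, the severity-only list leads with the test box's 9.8, while the context-aware list puts the production web server's medium first (6.5 × 1.0 × 1.5 × 1.25 × 1.5 ≈ 18.28) and the test box last (9.8 × 0.3 = 2.94). In practice the weights would be tuned against observed incident data rather than picked by hand, which is the "predictive model" idea above.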

Security and vulnerability management need to evolve into workflows that keep engineers, erm, engineering? The more time wasted on manual sorting and interactive follow-up, the further organizations, especially large ones, will fall behind the curve and the worse these statistics become. We have plenty of data; we just need a better way to separate signal from noise.
