Big data and cyber security in today's enterprise have become almost synonymous. Organizations are challenged with ingesting huge amounts of data and deciding what to do with it, and cyber security is no exception.
Fairfax County's Next Generation Cybersecurity Program's main objective is to deploy next-generation security technologies that use big data for smart analytics, monitoring, detection, notification, and reporting. A combination of regulatory compliance and policy requires us to retain large amounts of data. Most vendor solutions (endpoint security, email security, next-generation firewall, Security Incident and Event Management (SIEM), DNS security) implemented in our cyber security-in-depth infrastructure approach apply some Machine Learning (ML) and Artificial Intelligence (AI) to the data for anomaly detection and predictive analysis. These solutions have their own central data collection, shared across their client base and security threat databases in the cloud, to which they apply those ML/AI techniques. ML enables automated analysis of huge data sets for high and effective detection performance. Features within security devices enable detection and smart blocking of bad sites and applications (URL filtering databases, malware analysis and prevention, DNS security, etc.). Maintaining a database of known bad domains and URLs also adds to the defense-in-depth capabilities.
For our SIEM and future log and event management needs from applications, server systems, IoT, critical infrastructure, and HIPAA- and PCI-related infrastructure, we are utilizing one of the industry's best SIEM products. Defense in depth only works well if one knows what is going on around them. Utilizing our SIEM, we are able to ingest huge amounts of data at high message rates from every security source (firewalls, IPS, email security systems, management systems, authentication servers, endpoint security systems, mobile device management), network devices (routers, switches, wireless controllers), Microsoft servers (Exchange, AD, etc.), web and application servers, etc. The SIEM uses machine learning/AI to predict when and where we can act fast to minimize security incidents and be proactive.
"Big data analytics allows us to identify anomalies and advance attack vectors proactively"
We mainly use big data analytics in security to:
• Identify anomalies in device behavior, using events and data from endpoint security, and identify anomalies in employee and contractor behavior. For example, someone downloading large amounts of data from a critical system, a database system, or a system that contains private corporate data.
• Identify and monitor privileged access to any system.
• Detect anomalies in the network: sudden spikes in connection and data rates from the norm, sudden spikes in DNS requests and lookups from protected systems and user devices, routing protocols bouncing, interfaces bouncing, and sudden increases in switch/router CPU. Sudden spikes in the Internet "outbound" data rate trigger alerts.
• Monitor and detect repeated authentication failures.
• Identify and monitor sudden spikes in CPU and hardware resource usage.
• Identify and monitor internal systems with regard to their destination IP addresses, including geolocation and geoblocking identification. For example, traffic destined to countries that we don't do business with.
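As an added illustration of three of the detections listed above (repeated authentication failures, outbound data-rate spikes, and traffic to countries the organization does not do business with), the following is example code written for this article, not Fairfax County's or any SIEM vendor's code. The event field names, thresholds, and the allowed-country list are assumptions; the events are constructed sample data.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample events (not real data): one dict per normalized log line.
EVENTS = [
    {"type": "auth", "src": "10.1.1.5", "user": "jdoe", "result": "fail"},
    {"type": "auth", "src": "10.1.1.5", "user": "jdoe", "result": "fail"},
    {"type": "auth", "src": "10.1.1.5", "user": "jdoe", "result": "fail"},
    {"type": "auth", "src": "10.1.1.5", "user": "jdoe", "result": "fail"},
    {"type": "auth", "src": "10.1.1.5", "user": "jdoe", "result": "fail"},
    {"type": "auth", "src": "10.1.1.9", "user": "asmith", "result": "ok"},
    {"type": "flow", "src": "10.2.0.7", "dst_country": "US", "out_bytes": 50_000},
    {"type": "flow", "src": "10.2.0.7", "dst_country": "US", "out_bytes": 52_000},
    {"type": "flow", "src": "10.2.0.7", "dst_country": "US", "out_bytes": 48_000},
    {"type": "flow", "src": "10.2.0.7", "dst_country": "US", "out_bytes": 2_000_000},
    {"type": "flow", "src": "10.2.0.8", "dst_country": "XX", "out_bytes": 1_200},
]

FAIL_THRESHOLD = 5               # assumed: failures per source before alerting
SPIKE_FACTOR = 10                # assumed: outbound bytes vs. the host's baseline mean
MIN_BASELINE = 3                 # assumed: samples needed before judging a spike
ALLOWED_COUNTRIES = {"US", "CA"} # assumed: countries the organization does business with


def detect(events):
    """Return a list of (rule, subject, detail) alerts from a stream of events."""
    alerts = []
    fails = Counter()              # authentication failures per source address
    baseline = defaultdict(list)   # outbound byte history per source address
    for e in events:
        if e["type"] == "auth" and e["result"] == "fail":
            fails[e["src"]] += 1
            if fails[e["src"]] == FAIL_THRESHOLD:   # alert once, at the threshold
                alerts.append(("repeated_auth_failure", e["src"], f"{FAIL_THRESHOLD} failures"))
        elif e["type"] == "flow":
            if e["dst_country"] not in ALLOWED_COUNTRIES:
                alerts.append(("geoblock", e["src"], e["dst_country"]))
            hist = baseline[e["src"]]
            if len(hist) >= MIN_BASELINE and e["out_bytes"] > SPIKE_FACTOR * mean(hist):
                alerts.append(("outbound_spike", e["src"], e["out_bytes"]))
            hist.append(e["out_bytes"])  # the spike joins the baseline, so a sustained new level stops alerting
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```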
Big data analytics allows us to identify anomalies and advanced attack vectors proactively. The use of ML combined with cloud threat prevention data and advanced correlation techniques is key to detecting threat activities and responding when needed, before it's too late. As you can see, big data plays a role in multiple disciplines, and cyber security is one of them. The smart way to handle big data is to not reinvent the wheel by creating stovepipe systems or databases that cannot be shared across disciplines.