As I've written many times, the age of big data security analytics is already upon us. In fact, 44% of large organizations characterize their security data collection, processing, and storage activities as "big data" today, while another 44% believe that those activities will become "big data" within the next 2 years.
While the age of big data security analytics may be here, however, most enterprises face a growing conundrum. On the one hand, they need big data security analytics to make more informed decisions about what's happening and what to do. On the other hand, they don't have the staff, skills, or processes in place to handle big data analytics -- let alone reap any of the potential benefits.
This is actually a pretty big deal, as enterprise security is a story of haves and have-nots. Based upon ESG research, about 17% to 22% of large organizations fit into an "advanced" category capable of embarking on the big data security voyage alone. That leaves roughly 80% who need help in one form or another.
To bridge this huge gap, big data security analytics solutions must respond with:
1. Canned algorithms. While elite organizations will have teams of security analysts, programmers, and data scientists working together, most organizations will depend upon their security analytics vendors to deliver a constant stream of canned algorithms that detect infected hosts, network reconnaissance, credential harvesting, and Command & Control (C&C) communications. Some may even provide algorithms for more complex long-term investigations. Vendors like Click Security, eIQ, IBM, LogRhythm, RSA Security, and Splunk, with the ability to turn programming into pull-down menus, have a huge opportunity ahead.
2. Deep intelligence. Ideally, large organizations need to know everything about their networks -- what assets are connected, how they are configured, what other assets they communicate with, etc. Oh, and they also need to fully understand network traffic patterns in order to detect anomalous or suspicious behavior. To complete the picture, they need external security intelligence feeds about what's going on in the wild. Big data security analytics act as an intelligence hub in this scenario by correlating situational awareness (i.e., what's going on in internal and external networks) with continuous monitoring (i.e., network assets, configurations, and vulnerabilities). McAfee's "security connected" architecture seems well positioned here.
3. Automation. There are simply too many threats, vulnerabilities, events, and network packets for humans to keep up with. While the security community is skittish about installing security devices in blocking mode, this has to be part of a big data security analytics solution moving forward: an analytics engine spots a problem and then takes action. It's likely that network security devices will act as enforcement points here, so the market tilts toward Check Point, Cisco, Juniper, and Sourcefire.