Building Proactive Security with Big Data

Big Data Business Solutions Executive - Energy & Utilities, IBM

The issue of security for the energy and utility industry has historically focused on the physical security of its sites and keeping hackers from accessing the IT environment. This has been reasonably easy to manage as there are limited endpoints, many of which operate in isolation. But this is changing.

“A cyber attack perpetrated by nation states or violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.”
Leon Panetta, U.S. Secretary of Defense[1]

Smart meters and smart grids are dramatically increasing the number of “nodes” on the grid with connectivity via head ends into core business infrastructure. Each meter or sensor is a possible point of intrusion for a malicious agent. While encryption and communication protocols can address many security issues, a determined hacker can still infiltrate and disrupt a utility, potentially affecting millions of consumers.

Firewalls, antivirus programs, intrusion prevention systems (IPS), and security incident and event monitors (SIEM) function only within the realm of known threats. Such signature-based approaches exist in a paradigm that watches for the reappearance of previously exampled attack signatures. But this paradigm doesn’t address new and unknown types of threats.

Growing numbers of malicious entities are utilizing ever-more sophisticated techniques of attack. To better defend the network, cyber-security analysts must monitor, collect and archive terabytes, if not petabytes, of network traffic data, and apply specialized forensic tools. By analyzing this big data, analysts can uncover suspicious and malicious activity that may already be present on the network.

In most enterprises today, however, there is little or no record kept of network activity. Even in cases where traffic is being monitored, the duration of the archive is typically very short, and the tools for searching the logs are rudimentary or non-existent. Without a substantial and usable record of network activity, it is nearly impossible to investigate and make sense of a serious intrusion, let alone learn how to prevent similar, future incidents. Furthermore, traditional cyber-analytics systems require high-cost maintenance, and even then, accessing and analyzing data is slow. There are very few tools to make sense of the logs, other than hard-to-use command line tools with arcane syntax, or reporting tools that show simple roll-ups or aggregates of the data.

Today’s cyber security analysts want answers to the following questions:

  • What am I missing?
  • What will allow me to detect “low and slow” threats occurring over time?
  • How can I identify suspicious activity disguised as normal traffic?
  • How can I move from a purely reactive cyber-defense system to one that will anticipate and block new types of attacks?

A new paradigm is emerging in security that analyzes all the activity on networks, not just activity that is already known to be malicious. Importantly, it’s essential that all historic traffic is continuously re-evaluated as new intrusion techniques are exposed.

At a high level, the best analytics-based, cyber-security solutions should include:

  • Real-time correlation and anomaly detection of diverse security data
  • High-speed querying of security intelligence data
  • Flexible big data analytics across structured and unstructured data – including security data; email, document and social media content; full packet capture data; business process data; and other information
  • Graphical front-end tool for visualizing and exploring big data
  • Forensics for deep visibility

Beyond the legacy “filter and block paradigm” of firewalls and IPS, there is now a proactive, predictive solution that can detect anomalous activity and prevent it from doing harm. Armed with the capabilities of massive data storage, high performance computing and powerful new analytic tools, cyber-security analysts can take action. They can stop, mitigate and prevent the compromise, exploitation and ex-filtration of critical information assets.

The IBM Security Intelligence with Big Data solution delivers exceptional threat and risk detection by combining deep security expertise with analytical insights on a massive scale. To help you address security threats, the IBM solution combines real-time correlation for continuous insight, custom analytics across massive structured and unstructured data, and forensic capabilities for irrefutable evidence—a combination that provides the advanced insight you need to thwart today’s cyber criminals.

More on cyber security