The number of attacks on organizations' IT infrastructure is continuously increasing, and it is becoming more and more difficult to identify unknown threats in particular. This problem requires the ability to store more data and better tools to analyze that data.
Learn in this webinar why big data is enabling new security analytics solutions and why the MapR Quick Start Solution for Security Analytics offers an easy starting point for faster and deeper security analytics.
Security Analytics and Big Data: What You Need to Know
David Monahan, Research Director, EMA
Sameer Nori, Senior Product Marketing Manager, MapR
Nick Amato, Director Technical Marketing, MapR
David Monahan
Research Director, Security and Risk Management
Enterprise Management Associates
http://www.enterprisemanagement.com
@SecurityMonahan
The Convergence of Security Analytics and Big Data
April 27, 2015
Hacking mentality has changed:
Less nuisance hacking
More financially motivated
Significant socio-political motivation (Nation-State)
Significant industrial espionage
Data breaches affect every industry
Healthcare, Retail, Government, Education, Food Service…
Organizations are being attacked from all sides
External threats
If knowledge is power and money is power, then knowledge is money.
That is why attackers are after the data.
Insider threats
The equivalent of IT road rage
All information is up for grabs:
Emails are the most compromised
Credit cards are the second most compromised
PII is the most valuable per record
Industrial and tech IP is very valuable
EMA research identified several troubling statistics about identifying and responding to threats:
69% of organizations were between “Highly Doubtful” and only “Somewhat Confident” that they could detect an important security issue before it had a significant impact.
Only 22% of organizations believe they are consistently successful in correlating security data to business impact.
Top frustrations with IT security practices:
41% said it is too difficult to distinguish between legitimate and malicious activity (technical issues).
33% said they have an inadequate ability to report/communicate meaningful information to business stakeholders (e.g. reporting to the board).
Ponemon Institute identified that:
60% said their enterprises were unable to stop exploits because of outdated or insufficient threat intelligence.
SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. (Wikipedia)
This is limited “analysis” based primarily on correlation and normalization of alerts.
SIEM understands network information and log entries, so it can correlate events at the network level and identify system/application alerts.
SIEM only understands deltas for those things inside its defined rules or policies.
SIEM does not understand human-, system- and application-specific activity and patterns (behaviors), so it cannot determine how some activities raise the threat level.
Post-notification, SIEM requires manual investigation for details.
EMA: 55% of organizations said they still conduct manual incident investigations.
Security Analytics leverages machine learning, Big Data scalability, Trend Analysis, behavioral analysis and other techniques to identify abnormal activities or trends by individual users, systems, and/or applications.
95% of organizations have heard about Security Analytics; 70% said they either have, or are actively pursuing, a project to invest in it.
Security Analytics Improvements:
Better context and fidelity
Reduce alert volumes
Reduce False positives
Provide better prioritization
Accelerate Incident Response
EMA research identified that strong data analysis is key to success.
95% of organizations that use Security Analytics said that the tool produced expected or greater-than-expected value.
90% of organizations using Security Analytics say they have seen a reduction in false positives or an improvement in actionable alerts since they implemented a Security Analytics technology.
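The contrast the last two slides draw (a SIEM rule only sees the deltas its rules define, while security analytics baselines each user against that user's own behavior) as an added example that is not code from the webinar, EMA or MapR: a Python script that runs a classic failed-login correlation rule and a per-user behavioral baseline over the same constructed log lines. Users, hosts and timestamps are invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (timestamp user source-host outcome). History
# for baselines: alice logs in on weekday mornings from her workstation;
# svc-backup fails three times every midnight before a retry succeeds.
BASELINE_LOG = """\
2015-04-20T09:02:11 alice ws-alice ok
2015-04-21T08:58:03 alice ws-alice ok
2015-04-22T09:05:19 alice ws-alice ok
2015-04-20T00:00:05 svc-backup nas-01 fail
2015-04-20T00:00:06 svc-backup nas-01 fail
2015-04-20T00:00:07 svc-backup nas-01 fail
2015-04-20T00:00:09 svc-backup nas-01 ok
2015-04-21T00:00:05 svc-backup nas-01 fail
2015-04-21T00:00:06 svc-backup nas-01 fail
2015-04-21T00:00:07 svc-backup nas-01 fail
2015-04-21T00:00:09 svc-backup nas-01 ok
"""
# One new day to evaluate: alice's credentials succeed at 2 a.m. from
# hosts she has never used; svc-backup behaves exactly as it always does.
TODAY_LOG = """\
2015-04-24T02:14:03 alice vpn-gw ok
2015-04-24T02:16:48 alice db-prod-3 ok
2015-04-24T02:31:09 alice db-prod-3 ok
2015-04-24T00:00:05 svc-backup nas-01 fail
2015-04-24T00:00:06 svc-backup nas-01 fail
2015-04-24T00:00:07 svc-backup nas-01 fail
2015-04-24T00:00:09 svc-backup nas-01 ok
"""

def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "ok": outcome == "ok"})
    return events

def siem_rule(events, max_fail=3, window=timedelta(minutes=5)):
    """SIEM-style correlation rule: alert when one user produces max_fail or
    more failed logins in a sliding window. It sees only what the rule defines."""
    alerts, recent = set(), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures outside the window
            q.pop(0)
        if len(q) >= max_fail:
            alerts.add(ev["user"])
    return alerts

def build_baseline(events):
    """Per-user profile from history: source hosts and hours of day seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in events:
        profile[ev["user"]]["hosts"].add(ev["host"])
        profile[ev["user"]]["hours"].add(ev["ts"].hour)
    return profile

def behavioral_score(baseline, events):
    """Score new activity against each user's own profile: one point per
    event from an unseen host and one per event at an unseen hour."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        prof = baseline.get(ev["user"], {"hosts": set(), "hours": set()})
        if ev["host"] not in prof["hosts"]:
            scores[ev["user"]] += 1
            reasons[ev["user"]].append(f"new host {ev['host']}")
        if ev["ts"].hour not in prof["hours"]:
            scores[ev["user"]] += 1
            reasons[ev["user"]].append(f"unusual hour {ev['ts'].hour:02d}")
    return dict(scores), dict(reasons)

def run_demo(threshold=3):
    """Return (siem_alerts, behavioral_flags, reasons) for today's log."""
    history, today = parse_log(BASELINE_LOG), parse_log(TODAY_LOG)
    scores, reasons = behavioral_score(build_baseline(history), today)
    flagged = {u for u, s in scores.items() if s >= threshold}
    return siem_rule(today), flagged, reasons
```

Calling run_demo() shows the static rule alerting on the noisy but normal service account (a false positive) while missing alice's off-hours logins from new hosts, which only the per-user baseline flags.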
Global bank fraud costs $200B annually.
Zions Bank Fights Fraud, Gains Insights and Cuts Data Storage Costs with MapR
The Business
Zions Bank, based in Salt Lake City, Utah, is a subsidiary of Zions Bancorporation that operates more than 500 offices and 600 ATMs in 10 Western U.S. states. As a full-service bank, Zions offers commercial, installment and mortgage loans; trust services; foreign banking services; electronic and online banking services; automatic deposit and nationwide banking and transfer services; as well as checking and savings programs.
Challenge
“Being a financial institution, we have a bull’s-eye painted on our backs,” says Michael Fowkes, Zions Bank SVP Fraud Operations and Security Analytics. “Crooks want to steal money, and banks are often a target, so fraud protection is critical to our business. If fraud gets out of control, it eats into our profitability.”
The Zions Bank Fraud Operations and Security Analytics team maintains data stores, builds statistical models to detect fraud, and then uses these models to data mine and evaluate suspicious activity.
Zions has been refining their solution over the past 8-9 years. Fowkes explains that about eight years ago they found that when they loaded in a lot of data, performance degraded significantly when they tried to do reporting.
“We always kept our eye out for new data stores. When it came time to refresh our data stores, we decided to go to Hadoop,” says Fowkes.
MapR Solution
Zions Bank chose MapR for its security features, NFS mountable file system, high availability, ease of management and its superior performance capabilities, which allow for a more efficient use of hardware and a better ROI.
The bank relies on MapR for a critical part of their security architecture. MapR helps Zions predict phishing behavior and payments fraud in real time and minimize their impact. With MapR, Zions can run more detailed analytics and forensics.
Benefits
The bank has seen multiple benefits from their MapR solution:
Cuts storage costs in half
Zions is seeing significant benefits from a storage perspective. With their other data sources, they had to hold on to source data sets so they still have the original data. MapR eliminates the need to have multiple data sources.
“When we cut over to MapR, we cut our expenses in half from a data storage perspective,” says Fowkes.
Cost effective to scale
Since MapR scales linearly, capacity planning is much easier. “We know that growth won’t be incredibly expensive like with distributed database platforms which charge per terabyte of storage. This can get quite expensive,” says Fowkes. “The others cost a lot more to scale. MapR allows us to scale at a reasonable price.”
Increases accuracy, speed and insights
Fowkes explains that before, when you created a statistical model, you had to use sample data. “MapR allows you to wrangle large amounts of data,” he says.
“You can use all of your data and create a more accurate model. This is also used in forensics so we have one place to research what happened.”
Two years of data add up to about 1.2 petabytes of data. Wrangling this amount of data used to be daunting. “In the past, it could take a full day. Now we can do a data query of two years of data in 30 minutes,” he says.
Multiple uses for data stores
Centralizing data stores serves multiple uses, from data security to fraud detection to risk management to customer marketing. “We initially got into centralizing all of our data from an information security perspective. We then saw that we could use this same environment to help with fraud detection,” he says.
“Now that we have this data we know we can do more with it. Right now we’re working on a business project on the marketing side, completely outside of fraud and info security. It’s the same data to look at on the business side for customer analytics,” he says. “And our risk group leverages data that’s used in the system too. Having a more granular view of data, you get additional insights.”
Summary
MapR is enabling Zions Bank to improve its security infrastructure while reducing costs. They’ve been able to cut storage costs in half, scale their solution cost-effectively, make more efficient use of hardware, make statistical models more accurate, increase the performance and speed of high volume data queries, generate deeper insights and help them leverage their data stores across several aspects of the business.
Objectives: As a leading Managed Security Service Provider (MSSP) in North America, Solutionary delivers managed security services and professional consulting services to mid-sized organizations and global enterprises. They wanted a platform that can scale effectively to address their growing customer base by processing trillions of messages (petabytes) per year while continuing to provide reliable security services. They also wanted to improve data analytics by leveraging newer, more granular unstructured data sources.
Challenges: Founded in 2000, the company uses proprietary security analytics technology to reduce risk, increase data security, and support compliance initiatives for its clients. They had challenges increasing their data analytics capabilities to improve clients’ security, and they had issues scaling their current RDBMS-based solution as the number of clients and the data volume grew.
Solution: The MapR M7 Enterprise Edition for Apache Hadoop, a Cisco Compatible product used by Solutionary, leverages an architecture designed specifically for high availability to offer advanced features not available with other Hadoop distributions. The MapR Direct Access NFS feature delivers true industry-standard NFS that enables Solutionary to smoothly integrate with existing systems without sacrificing performance. Data snapshots and mirroring provide reliable data protection for enhanced data security, while monitoring through the MapR Heatmap enables staff to view cluster health and current capacity at a glance.
Business impact:
Detection of advanced and sophisticated attacks through analysis of unstructured data while linking enriched structured asset and contextual data
Reduced time needed to investigate security events for relevance and impact
Achieved performance and flexibility with incredible scalability via Hadoop’s clustered infrastructure. This infrastructure allows them to perform real-time analysis on big data in order to help protect and defend against sophisticated, organized, and state-sponsored adversaries
Solutionary Case study
http://www.mapr.com/sites/default/files/solutionary-cisco-case-study_1.pdf
The solution benefits the audiences most typically encountered:
What CISOs/CIOs get: large-scale and deep analytics on security data to reduce risk, helping with early detection of advanced persistent threats and unknown threats. It allows organizations to react faster to any abnormal or malicious activity from internal and external actors, and to avoid fines, lawsuits, loss of business and negative PR.
For the technical and operations team: you can build a data vault for security event logs from multiple sources. With more data to scrutinize, you get insights into anomalous behavior and can close the loop with other security solutions. The platform is easy to administer and integrates with the existing IT ecosystem.
Why is MapR the best Hadoop platform for data warehouse optimization? For business-critical applications you must have data protection and security (availability, data protection, and recovery), high performance (with a random read-write system), multi-tenancy (to support multiple business units and isolate applications or user data), good resource and workload management to support multiple applications, and open standards to integrate with the rest of the IT ecosystem.
You also need a platform capable of super-fast data ingestion from multiple sources that can make critical analytics and decisions at speed (in milliseconds) and at scale. Examples include breach detection based on information from multiple sources, fraud detection on millions of transactions based on individual patterns, and fleet management and routing that takes current conditions into account. This requires a Hadoop platform that goes beyond batch and supports streaming writes, so data can be constantly written to the system while analysis is being conducted; high performance to meet the business needs; and real-time operations, meaning the ability to perform online database operations so you can react to the business situation and affect the business as it happens, rather than reporting on it a week, month or quarter later.
Data agility is needed for business agility. Drill provides instant ANSI SQL for Hadoop and NoSQL. You can explore data in its native format without expensive and time-consuming transformation. You can analyze evolving and semi-structured/nested data from NoSQL databases, find what is of value, and THEN model it in your DW schema for downstream ad-hoc reporting by hundreds or thousands of concurrent users.
The power of MapR begins with the power of open source innovation and community participation.
In some cases MapR leads the community in projects like Apache Mahout (machine learning) or Apache Drill (SQL on Hadoop)
In other areas, MapR contributes, integrates Apache and other open source software (OSS) projects into the MapR distribution, delivering a more reliable and performant system with lower overall TCO and easier system management.
MapR releases a new version with the latest OSS innovations on a monthly basis. We add 2-4 new Apache projects annually as new projects become production ready and based on customer demand.
The MapR distribution for Hadoop is globally recognized as the technology leader.
Forrester published a Wave for Big Data Hadoop Solutions where it placed MapR as the highest ranking product based on current offering as well as roadmap.
Cloud: MapR has been selected by two of the companies most experienced with MapReduce technology, which is a testament to the technology advantages of MapR’s distribution. Amazon, through its Elastic MapReduce service (EMR), hosted over 2 million clusters in the past year. Amazon selected MapR to complement EMR as the only commercial Hadoop distribution offered, sold and supported as a service by Amazon to its customers.
MapR was also selected by Google, the pioneer of MapReduce and the company whose white paper on MapReduce inspired the creation of Hadoop, to make our distribution available on Google Compute Engine.