January 6, 2015 By Kimberly Madia 3 min read

Big data security analytics are vital for 2015. Unfortunately, security threats will only increase in cost, severity and complexity. No one is immune. For example, a large utility is typically “pinged” 1 million times every day by malicious parties. That sounds like a lot, but these attacks are rarely noticed because the same utility processes millions of events per second, offering plenty of cover. Current approaches are best suited to combat known threats. The challenge is finding new associations and uncovering patterns to identify clues about attacks such as advanced persistent threats, spear phishing and hacktivism.

Among the noise of big data, organizations need sophisticated, real-time analytics to find a relatively weak signal. Many threats cannot be detected without deep insight. The challenge organizations face is learning how to extend their security strategies to find and neutralize increasingly complex threats.

Real-time big data security analytics must filter and analyze millions of events per second across a wide variety of data sources, including traditional security sources, such as log or audit files, and emerging sources such as images, social data, sensors and email.

Think of big data security analytics in terms of a city. A city has roads leading into and out of the city limits. Air traffic from planes, emergency helicopters and blimps for sporting events fill the air. Buildings contain private, governmental and for-profit organizations of all sizes; commerce takes place in retail establishments, hotels and via free citywide wireless services — you get the point. A lot needs to be done to protect people, vehicles, personally identifiable data and corporate data, but most of it is neither controllable nor predictable. Can you correlate a business traveler’s Internet usage across airports, hotels and mobile devices without violating privacy laws? What do you need to succeed?

The following are five tips to help you protect your “city” in 2015:

1. Analyze All Assets in Motion

Analyze structured data and emerging unstructured sources to proactively identify and correlate incidents and deliver insight. Send real-time alerts for predefined behaviors and events. Quickly ingest, analyze and correlate information as it arrives from thousands of big data sources or store for historical analysis in a Hadoop platform.

2. Continually Filter and Expose

Observe unearthed insights in real time to filter out false positives, expose false negatives or store information for additional analysis.

3. Understand Access Through Disparate Sources and the Internet

Highlight potential attack vectors by constantly analyzing the various ways applications, networks, databases, mobile devices and more can be accessed from both inside and outside of the enterprise.

4. Respond to Events in Real Time

Complete real-time analysis of big data — including unstructured sources such as social, video and sensors — to identify and respond to suspicious deviations from baseline behaviors.

5. Recognize Patterns in Interactions

Create a baseline activity for cybertraffic and physical movements to identify deviations from normal behavior, then determine which deviations are meaningful to help detect attacks in progress.

The Importance of Security Analytics

Big data security analytics let organizations sift through massive amounts of data — generated inside and outside the organization — to uncover hidden relationships, detect patterns and remove security threats. Security analytics blend real-time analytics on data in motion with historical analysis on data at rest. By deploying security-specific analytics, organizations can find new associations or uncover patterns and facts. This real-time insight can be invaluable for detecting new types of threats.

Real-time cyberattack prediction and mitigation means organizations can discover new threats early and react quickly before they propagate. The goal is crime prediction and protection. Analyzing data from the Internet (email, voice over IP), smart devices (location, call detail records) and social media can help law enforcement better detect criminal threats and collect evidence. Instead of waiting for a crime to be committed, organizations can address it proactively.

Privacy policies are enhanced with big data security analytics. For example, an organization could use real-time streaming security analytics for deep packet inspection to monitor Web traffic, Domain Name System lookups, network flow and port and protocol usage. The outcome of this analysis could reveal precisely which Web servers have been infected with malware, identify suspicious domain names, pinpoint leaked documents and deliver intelligence on data access patterns.

This detailed analysis informs data protection policies. Analytics can help organizations know which data to mask, which documents to redact and which data sources, including databases, data warehouses and big data platforms, to monitor.

More from Intelligence & Analytics

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today