Why network security needs big data analytics


IT Security Thing invited Ray Watson from Masergy Communications to explain what big data analytics brings to the network security party.

It will come as no surprise when I say that we’re seeing drastic increases in the amount of data being generated by corporate networks. The complexity of that information is increasing as well. Alongside this, the value of stolen data is going up and the types of damage cyber criminals can do is growing more severe.

Coupling these issues with the growing demand for skilled IT security professionals means we need to find a new way to tackle these problems. The good news is that technological advances in machine learning and artificial intelligence (AI) can provide a solution.

Machine learning in isolation doesn’t mean that applying big data analytics to IT security operations will be successful, though. Delivering a significant improvement in security requires layering human intelligence on top of the big data gathering: analysts review threats, alerts and other anomalous activity and feed their verdicts back into the system, teaching it what is a threat and what isn’t.

The human intelligence input helps machine learning systems to learn, and very quickly you have a system in place that understands what is a false positive and what is a genuine, real threat that needs to be actioned. As time goes by, the system continues to adapt.

Using big data analytics with machine learning in combination with human intelligence provides a new self-learning solution to the problem of sophisticated attacks and advanced threats. Polymorphic malware that would normally evade signature-based security technologies can be detected and stopped with a combination of advanced analytics, machine learning and human expertise.
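The feedback loop described above, as an added illustration rather than code from the article or from Masergy: a toy alert scorer (Naive Bayes with add-one smoothing, my assumption, not a description of any vendor system) whose threat probability starts at 0.5 and shifts only as analysts mark constructed alerts as benign or threat.

```python
"""Toy analyst-feedback loop for alert triage (constructed example, not a vendor system)."""
import math
from collections import defaultdict


class FeedbackTriage:
    """Naive-Bayes style scorer; every analyst verdict updates the feature counts."""

    def __init__(self):
        self.counts = {"threat": defaultdict(int), "benign": defaultdict(int)}
        self.totals = {"threat": 0, "benign": 0}

    @staticmethod
    def features(alert):
        # Assumed alert fields; a real pipeline would derive far more from flow/log data.
        return {f"src_internal={alert['src_internal']}",
                f"port={alert['dst_port']}",
                f"sig={alert['signature']}"}

    def learn(self, alert, verdict):
        """Analyst feedback: verdict is 'threat' or 'benign' (false positive)."""
        self.totals[verdict] += 1
        for f in self.features(alert):
            self.counts[verdict][f] += 1

    def threat_probability(self, alert):
        """Posterior P(threat | alert); 0.5 until any feedback exists."""
        logs = {}
        for verdict in ("threat", "benign"):
            n = self.totals[verdict]
            lp = math.log((n + 1) / (sum(self.totals.values()) + 2))  # smoothed prior
            for f in self.features(alert):
                lp += math.log((self.counts[verdict][f] + 1) / (n + 2))  # smoothed likelihood
            logs[verdict] = lp
        m = max(logs.values())
        z = sum(math.exp(v - m) for v in logs.values())
        return math.exp(logs["threat"] - m) / z


def run_feedback_loop():
    """Score two constructed alerts before and after analyst feedback."""
    triage = FeedbackTriage()
    scanner = {"src_internal": True, "dst_port": 445, "signature": "vuln-scanner"}  # constructed
    beacon = {"src_internal": True, "dst_port": 443, "signature": "beacon"}         # constructed
    before = (triage.threat_probability(scanner), triage.threat_probability(beacon))
    for _ in range(3):
        triage.learn(scanner, "benign")   # analyst: authorised scanner, false positive
    for _ in range(2):
        triage.learn(beacon, "threat")    # analyst: confirmed malicious
    after = (triage.threat_probability(scanner), triage.threat_probability(beacon))
    return before, after
```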

Networking trends impacting security

By 2020, there will be more than 4 billion global internet users, 26 billion networked devices and connections, and global IP traffic will grow three-fold, reaching 2 Zettabytes, according to Cisco’s VNI Global IP Traffic Forecast report. The data volumes we’re seeing are growing exponentially. This is in part being driven by the internet of things (IoT), with the number of connected devices such as smart sensors rising towards 50 billion by 2020.

The other big trend affecting how we operate online, in addition to the IoT, is the increasing popularity of software defined networking (SDN) and network function virtualisation (NFV). More and more companies are taking advantage of the benefits of replacing individual routers, firewalls and switches with virtual machines.

While the move brings benefits for dynamically provisioning network services and streamlining operations, the switch to using virtual images that interact with each other for routing, firewalls or session border controllers, rather than individual appliances, may also increase the security risks to the network from a single compromised device.

Making changes to a corporate network to accommodate SDN and NFV without also addressing and changing security will leave an organisation vulnerable to attack.

Analytics to improve incident response

I hate to repeat the old security adage of “it’s not if, but when”, and whilst we know that incorporating machine learning and big data analytics into security operations vastly improves an enterprise’s overall security posture, it simply can’t stop everything 100% of the time. Sadly, no security technology can. But big data analytics can also be utilised in the forensic analysis of a breach, greatly speeding up the response and the resolution of the attack.

After a data breach or cyber attack has occurred, we know all too well the challenges involved in understanding how an attack was successful, and how the breach took place – more often than not you need a third party security team specialising in incident response investigations to come in. The new networking trends such as SDN, NFV and IoT are changing how the network operates, making forensic analysis more challenging.

With big data analytics in place, however, you have the massive amounts of data collected before, during and after a breach still available to accurately recreate the incident. Of course, analytics won’t lessen the damage of the breach, but it can allow you to take the data and simulate how your defences were defeated, as well as simulate what defence strategies may well have worked and how the attack could have been thwarted – reducing the chances of the same attack being successful a second time.

The real benefit, though, isn’t necessarily the improved security or even the better incident response that analytics and machine learning allow for. It’s that it doesn’t require a new security architecture. Or at least it shouldn’t. Advanced machine learning solutions are able to unify what you already have in place, on the ground.

Where you’ve got an entire security infrastructure to manage, a managed security service using the latest technology can come in and take on the bulk of the monitoring and analysis, allowing security professionals to proactively manage the infrastructure and freeing up their time to focus on other security projects – if you’re always fighting fires, you’ll never have time to build a fire station.

Ray Watson, Vice President of Global Technology at Masergy Communications

Ray Watson oversees Masergy’s unique technologies and solutions for the global enterprise, with specific emphasis on software defined networking and network function virtualisation. He leads the continuing effort to educate media outlets and industry groups so that they are aware of Masergy’s intellectual property and innovation in areas such as advanced persistent threat response, global multicast, and dynamic bandwidth on demand.