Security at Scale: Making Security Analytics Work for the Internet of Things

May 27, 2016 | by Zulfikar Ramzan

This year more than 10 billion devices will connect to networks around the world. And in the next few years, that number will increase by over an order of magnitude. With the veritable explosion of smart devices, many of which connect not just to the network, but to each other, significant security concerns arise.

Despite the rapidly evolving technology landscape that envelops us, the fundamentals of information security remain static. Concepts like visibility, identity, and risk continue to be mainstays. However, scaling these concepts out to the Internet of Things (IoT) requires thought.

Organizations already find themselves dealing with security "alert fatigue". As IoT devices proliferate, that fatigue will become alert paralysis. To address these concerns we must accompany visibility with analytics. Through analytics we can glean meaningful insights from data and extract the most relevant signal from an ocean of noise.

RSA has already taken five key steps to help our customers in this regard:

  • Pre-processing: Merely collecting data and dumping it into storage doesn't give us a data lake, but a data landfill. It's critical to process information as it arrives by extracting relevant metadata and organizing it into logical chunks for future examination (e.g., taking the contents of several network packets and extracting the actual file being transmitted).
  • Grouping: Treating each alert separately, as many organizations end up doing, is like focusing on the veins of individual leaves rather than understanding the overall forest. A single attack campaign can generate many individual alerts. Automatically coalescing alerts leads to more expeditious investigations.
  • Pivoting: Generating a single alert by itself is like yelling fire in a crowded theater. Organizations must be able to investigate those alerts by seamlessly traversing various swim lanes of visibility. For example, if we see malicious network traffic, can we quickly pivot into a view of the device generating that traffic? Can we immediately identify characteristics of the processes running on that device? Can we then find other devices on the network sharing similar characteristics? Individual alerts are merely symptoms. We must rapidly find the root cause.
  • Prioritizing: Not all alerts are equal. An alert on a device that just contains a PDF of the lunch menu shouldn't be treated like an alert on a device containing nuclear launch codes. The security team's goal isn't to process alerts, but to mitigate risk. Doing so requires understanding business context.
  • Surfacing: Analytics have to be intelligent. Can we automatically surface relevant information so analysts have a meaningful starting point? Machine learning techniques can identify aberrant behavior as well as more general attacks. With appropriate data and context, we can fine-tune the results to avoid red herrings.

Security analytics isn't just a fancy marketing term. It's a highly nuanced discipline that takes effort to get right. As IoT devices become ubiquitous and connect us to incredibly valuable data, we simply cannot afford to get it wrong.

Author: Zulfikar Ramzan

Category: RSA Fundamentals, Blog Post

Keywords: Alarm Fatigue, Alert Fatigue, Internet of Things, IoT, Security Analytics