In the past two weeks, the need for big data security analytics on the federal level has been acutely felt. At the end of last year, the Office of Personnel Management (OPM) was breached by hackers. The threat lay undetected for almost six months, until it was discovered, reportedly by accident, as the OPM worked actively to improve its security infrastructure. While the OPM does maintain its own security infrastructure, it also relies on the Department of Homeland Security’s National Cyber Protection system (NCPS), established in 2008 at the behest of Congress and the Executive branch. The NCPS was created to “protect the federal civilian Executive Branch government network and prevent known or suspected cyber threats,” according to the DHS.
How Does the NCPS Protect Networks?
The brunt of the DHS’ protective power resides in the EINSTEIN program, developed to detect specific machine-readable patterns of network traffic that threaten the integrity of government data and system control. The program breaks into three pieces: two of them (EINSTEIN-1 and EINSTEIN-2) are currently implemented, and a third (EINSTEIN-3 Accelerated, or E3-A) has begun preliminary rollout at several government agencies. According to the DHS, EINSTEIN 1 analyzes network flow records, and EINSTEIN 2 detects and alerts on cyber threats using custom signatures based upon known or suspected cyber threats within federal network traffic. E3-A combines the existing analysis of EINSTEIN 1 and EINSTEIN 2 data, as well as information provided by cyber mission partners, with existing commercial intrusion prevention security services. This allows for near-real-time deep packet inspection of federal network traffic to identify and react to threats.
What Went Wrong?
Unfortunately, recent events have shown that the kind of Intrusion Detection Systems (IDS) that originally comprised E-1 and E-2 were not enough to defend against the advanced threats facing public and private organizations today. In response, the DHS has already begun to revamp cybersecurity defenses to incorporate the powerful potential of big data security analytics.
Security experts widely acknowledge that big data solutions for log management and security analytics will increasingly become the norm. Traditional solutions force analysts to spend weeks compiling data before they are even able to perform a forensic investigation. To the credit of these forensic investigators, their job is not easy. On the scale of the OPM’s network, for example, billions of connections and transfers happen every day, and manually finding outliers is less like looking for a needle in a haystack and more like looking for a grain of sugar on a beach. A big data security solution, such as Sqrrl’s own analytical platform, allows for the ingest of petabytes of data, removing the necessity of deleting backlogs without compromising speed. As the data grows, Sqrrl’s big data solution offers affordable scalability and provides secure, cell-level access controls.
How Linked Data Provides the Baseline for Powerful Analytics from a Myriad of Sources
A greater volume of data enables more powerful detection and response to threats hidden inside an organization’s network. This is made possible through the use of linked data analysis, an approach where relationships between data entities are used to contextualize any given network event. In the past, the storage and access requirements to make this possible were unavailable, but advances in big data, such as the Apache Hadoop and Accumulo projects, have made data storage infinitely scalable and access instantaneous.
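The two ideas above, signature matching on flow records (the EINSTEIN 2 style of detection) and using the relationships between entities to put a single network event in context (linked data analysis), can be shown together on a small scale. The following is an added example written for this post; it is not code from Sqrrl’s platform or from the EINSTEIN program, and the flow records, indicator list and entity names in it are all constructed. It builds a user/host/destination graph from the records, matches destinations against a known-bad list, walks the graph to find which hosts and users are linked to each hit, and separately flags unusually large outbound transfers per host and destination.

```python
"""Linked-entity triage over flow records (added example; constructed data).

Shows the post's two ideas side by side: signature matching on flow records,
and using entity relationships (user <-> host <-> destination) to give one
alert its context. Nothing here is Sqrrl or DHS code.
"""
from collections import defaultdict

# Constructed flow records, loosely modelled on netflow fields.
FLOWS = [
    {"ts": "2015-06-01T09:00", "user": "alice",      "host": "ws-01",  "dst": "10.1.0.5",      "port": 445, "bytes": 2_000},
    {"ts": "2015-06-01T09:05", "user": "alice",      "host": "ws-01",  "dst": "203.0.113.9",   "port": 443, "bytes": 150_000_000},
    {"ts": "2015-06-01T09:06", "user": "bob",        "host": "ws-02",  "dst": "10.1.0.5",      "port": 445, "bytes": 1_500},
    {"ts": "2015-06-01T09:07", "user": "bob",        "host": "ws-02",  "dst": "198.51.100.20", "port": 443, "bytes": 3_000},
    {"ts": "2015-06-01T09:10", "user": "svc-backup", "host": "srv-db", "dst": "203.0.113.9",   "port": 443, "bytes": 900_000_000},
    {"ts": "2015-06-01T09:12", "user": "carol",      "host": "ws-03",  "dst": "198.51.100.20", "port": 443, "bytes": 4_000},
    {"ts": "2015-06-01T09:15", "user": "alice",      "host": "srv-db", "dst": "10.1.0.5",      "port": 445, "bytes": 500},
]

# Constructed indicator list standing in for custom signatures (EINSTEIN 2 style).
KNOWN_BAD_DESTINATIONS = {"203.0.113.9"}


def signature_hits(flows, indicators):
    """Return the flows whose destination matches a known indicator."""
    return [f for f in flows if f["dst"] in indicators]


def build_graph(flows):
    """Undirected entity graph linking user <-> host <-> destination."""
    graph = defaultdict(set)
    for f in flows:
        user, host, dst = "user:" + f["user"], "host:" + f["host"], "dst:" + f["dst"]
        graph[user].add(host)
        graph[host].add(user)
        graph[host].add(dst)
        graph[dst].add(host)
    return graph


def neighbourhood(graph, start, max_hops=2):
    """Breadth-first walk: entities within max_hops of start, mapped to hop distance."""
    seen = {start: 0}
    frontier = [start]
    for hop in range(1, max_hops + 1):
        nxt = []
        for node in frontier:
            for nb in graph[node]:
                if nb not in seen:
                    seen[nb] = hop
                    nxt.append(nb)
        frontier = nxt
    seen.pop(start)
    return seen


def bulk_transfers(flows, min_bytes=100_000_000):
    """Aggregate bytes per (host, destination) and return pairs at or above min_bytes,
    largest first. This is the 'grain of sugar' search done by aggregation, not by hand."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["dst"])] += f["bytes"]
    big = [(h, d, b) for (h, d), b in totals.items() if b >= min_bytes]
    return sorted(big, key=lambda t: (-t[2], t[0]))


def triage(flows, indicators):
    """For each indicator that fired, list the hosts that reached it, the users on
    those hosts, and the other destinations those hosts also touched."""
    graph = build_graph(flows)
    reports = []
    for dst in sorted({f["dst"] for f in signature_hits(flows, indicators)}):
        ctx = neighbourhood(graph, "dst:" + dst, max_hops=2)
        reports.append({
            "indicator": dst,
            "hosts": sorted(n[5:] for n, hop in ctx.items() if hop == 1),
            "users": sorted(n[5:] for n in ctx if n.startswith("user:")),
            "other_destinations": sorted(n[4:] for n in ctx if n.startswith("dst:")),
        })
    return reports


if __name__ == "__main__":
    for r in triage(FLOWS, KNOWN_BAD_DESTINATIONS):
        print(r)
    for host, dst, nbytes in bulk_transfers(FLOWS):
        print(f"{host} -> {dst}: {nbytes} bytes")
```

Run on the constructed records, the single indicator hit is widened into a scope (two hosts, two users, one shared internal server) rather than one flow, which is what an analyst needs before deciding what to contain; the byte aggregation independently surfaces the same two host-to-destination pairs. On a real deployment the same graph and aggregation logic would run over the store rather than a Python list, which is the scaling problem the paragraph above describes.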
Public and private organizations alike would do well to heed the example of the leading security organizations, whose response to a critical attack has been to adopt the big data security approach necessary to monitor organizations of their scale. Don’t wait for your organization to be the next headline. Learn about how to make big data security analytics protect your organization.