Building a Higher Order of Security Intelligence 3: The Role of Situational Awareness

Francis deSouza now talks about issues associated with big intelligence and how those affect situational awareness that’s critical to enterprise cybersecurity.

So, how do we deal with all those trends? Well, in this conference you’re going to hear a lot about big data and about security analytics, so I’m going to push it a little bit and say: you know why I love big data? I love big data because it gives us big intelligence – that’s why I love big data; otherwise it’s, frankly, just a storage cost, right?

So let me talk about what I mean. And really, there are three aspects of big intelligence that we are incredibly excited about.

The world’s cyber threat landscape

The first aspect of big intelligence is really around expanding how situationally aware we are, really understanding what’s going on in the threat landscape.

At Symantec we’ve built what’s arguably the world’s largest big data backend for security analytics. We have sensors in over 200 countries and territories. We deal with 1.5-3 billion security events every day, and our big data analytic backend leverages 1.7 trillion pieces of information to deliver verdicts on 3.6 billion files and 100 million URLs. And we do that every 6 hours.

That’s allowed us to have an unprecedented view into what’s happening from a threat landscape perspective and deliver a quick verdict around whether a file is good or bad.

But for us that’s just been the beginning, because what we’re now doing is actually pushing on what we’re looking for. And we think the future is not about file focus, it’s not about “Is this piece of malware good or bad?” The bigger questions are going to be: who’s after you? What campaign are they running? And what are they after?

And so, what we’re now doing is getting a lot more information about attacks as they are run. We’re looking for attribution. Who’s driving this attack and how much fidelity do we have around who it is? Can we track it to individuals? Can we track it to an organization, a country? What are they after? What are the fingerprints of their attack, their specific tools that they like to use? Is there a specific campaign that they like to run? Like the people that I talked about that like to hit banks at 5 o’clock on a Friday.

And we start to build up an identity around the campaign and the attackers. And then we mine our data to say: “What are we seeing out there?” And based on this campaign, this attacker, this set of targets, let’s predict who the next set of targets are.

First thing big intelligence gives you is a massive amount of situational awareness.

And so we’re able to reach out to companies and say: “We’re expecting that this type of campaign from this type of attacker will be run against you, and here is what you need to do against it.” That’s very powerful, when situational awareness moves from what file’s bad – to who’s attacking me, what are they trying to do, how are they trying to do it, and what are they targeting.

The next thing we love about big intelligence is not just knowing the outside, but knowing more about your own assets. And that’s the ability to look across your environment, both your estate that’s in your data centre, but also in your cloud, on your PCs and also on mobile devices, and get a good understanding of where your most important information assets are.

Because it turns out in security, knowing whether this is a piece of spam or somebody’s MRI – well, that’s an important thing. We’re already pushing the envelope around using technologies, around fingerprinting, vector machine learning and big data analytics, to get a better and better handle on the amounts of information that companies have, because CSOs know the truth is that less than 5% of all the data in your company really matters, but that really matters and you really need to know where it is.

So, first thing big intelligence gives you – a massive amount of situational awareness in a way that we’ve never done before as a security industry. Second – really understand your own assets. And then third – understand who you are. And what do I mean by that?

Well, what we’re really excited about is baselining what is normal for an enterprise, what is normal for an organization. How does your enterprise behave normally? How do your employees behave normally? Because the reality is in a lot of ways normal is the new intelligence, because if you know how you behave normally, then you can tell when you’re behaving abnormally. And that is a very powerful tool in understanding whether you’re under attack or not.

So, as we think about the future of big intelligence, we’re excited about its capabilities around situational awareness, understanding your assets and understanding who you are.

No single point product will protect you

Now, as we think about security as a whole, then big intelligence is a core part of it. All of us know, though, that as we look to the future of security, it’s not about a point product. There is no single point product that will protect you against advanced persistent threats.

And yet the reality is, if you walk down the booths at RSA, there are a lot of point products out there. You talk to companies, and they’ll tell you they’re kind of frustrated.

I was talking to the Chief Information Risk Officer at one of the largest banks in the world. They are an incredibly smart team; they spend about 300 million dollars a year on security. And he runs products, he said, from over 65 vendors. About a third of his budget is spent on the team’s operating, maintaining, integrating, patching those security products.

And he’s not happy; he’s not just unhappy because he spends so much money on integration that frankly he thinks we should do. But he’s also looking to the future saying: “Look, I can’t just keep adding products, and I can’t hire the people I need to maintain those products.” He doesn’t see that current path and course taking him to where he needs to go.
