Businesses are generating terabytes of security-related data every day, placing a huge analysis and reporting burden on hard-pressed information security teams. Many security information and event management (SIEM) technologies have been overwhelmed by the sheer volume, causing IT security chiefs to turn to big data tools to analyse their networks and better understand the threats they face.
In this CW 500 Security Club video, Stephen Gailey, product evangelist at Splunk and former group head of security services for Barclays, talks to Computer Weekly security editor Warwick Ashford about how big data, analytics and information security come together.
The full transcript of the interview follows:
Computer Weekly: Hello, and welcome to this Computer Weekly video. We're here at the Computer Weekly security event and we're discussing big data and why that's an issue for information security professionals.
I'm joined here by one of our speakers, Stephen Gailey, former group head of security services at Barclays, and now product evangelist at Splunk. So tell us Stephen, why is information security a big data problem?
Stephen Gailey: If you look back at the start of this industry, initially all we had in our toolbag were some fairly rudimentary firewalls and antivirus. In those days, therefore, all problems looked like a firewall or a virus problem.
As the industry has grown, we have more and more tools in our kit bag. We have security contexts coming from platforms, applications and middleware.
The amount of data that is coming to the security professional is now so large that they're faced with two options: they either take a big data approach, which allows them to process, analyse and query everything; or they're forced to filter that data and lose some of that security information.
Computer Weekly: [So you’ve worked with] big data in the past. What did you learn in terms of strategy? What worked well?
Stephen Gailey: Our big challenge was getting data in the first place.
We had to go out to lots and lots of other teams. We had to go to the firewalls team, the networks, the Windows and Unix teams, and web teams. Initially, they were very resistant. Not because they didn't want us to have the data, but because they had other priorities.
We quickly learned that we could actually give back services to those teams – if we gave them a view into their own data, gave them some value back, they were far more willing to co-operate.
We moved from a situation where there was resistance to giving us data, to the point where [they were] queuing up, saying, 'Please take our data. Please give us access to it'.
Computer Weekly: In terms of broad-stroke advice, what would you pass on to your peers?
Stephen Gailey: If I had one piece of advice, it would be to remember that a lot of this data doesn't originate as security data; it comes from many other sources.
Different teams own those sources, so go and make friends with those teams because you have value to give to those guys.
You may only be interested in the security context of that data, but that data has value for all sorts of different teams. Quite often that value goes right up to [corporate] as well.
Computer Weekly: Stephen Gailey, of Splunk, thank you so much for sharing your experience with us.