Maksim Kabakou - Fotolia

Security Think Tank: Merging big data and security is the way to go

How can log management be used to bolster information security and improve incident response without infringing user privacy?

In his 1970 book Future Shock, Alvin Toffler coined the term “information overload” as “the state in which one has to deal with so much information that it is impossible to make a decision”. Also known as “infobesity” or “infoxication”, the industry has of late solved many of these issues with disciplines such as big data, log management and intelligence.

These areas represent quantum leaps on how to collect, correlate, alert and report about almost anything. User behaviour, attack patterns, fraud situations, browsing habits – almost everything can be mapped with a log or an event and can be correlated with other information to guide and inform the next action of a user – or even an attacker.

There is a growing trend in the industry towards merging big data and security, and I truly think that this is the way to go, since it will provide further insights into what is happening, on any platform, at any given time. Increasingly, we are finding that we need these answers for managerial, auditor and regulatory perspectives.

A log management and intelligence program would benefit the areas of incident response moving from reactive to proactive, from intrusive to non-intrusive, from siloed to holistic. I believe in creating a forensic-readiness platform that would leave no system behind, while ensuring that protection and defence is enabled across the whole landscape.

I have experienced projects where certain regulations and legislation have been mapped to the volume of data (or correlated data), to find non-compliance situations, and I have been fortunate enough to work in forward-thinking projects where attacks have been prevented through predictive analysis.

I am also seeing massive deployments of cyber security operations centres (SOCs) that actually work with the approach of being first to the issue – sometimes even before it happens. Since today technology is not the problem, but rather the attitude towards it, the willingness to protect and defend is absolutely paramount.

Read more from the Computer Weekly Security Think Tank about security and log management

It is equally important to learn the lesson when a breach occurs. And to do this we need the information that security events and logs provide. Some security processes can be enhanced thanks to the visibility that logs provide, and we should not forget that many regulations demand log management, such as PCI DSS, HIPAA and most of the data privacy acts.

Some companies have to deal with more than 60 billion events each day, filtering them down to three billion relevant ones then distilling this figure further to the thousands that actually need investigation and/or warrant action. The beauty of technology is that most of the actions can be automated.

In the world of log management and intelligence, controls can be detective, preventive and also a deterrent. But I love it most when technology allows controls to be corrective and self-healing as well, allowing systems to cure themselves and maintain robust and solid levels of security.

For some companies, dealing effectively with too much information might be a problem, but long gone are the days when information overload was the most pressing issue.

Ramsés Gallego is international vice-president of ISACA and security strategist and evangelist for Dell Software.

Read more on Hackers and cybercrime prevention