CISOs say SIEM not a good choice for big data security analytics

CISOs say SIEM not a good choice for big data security analytics: Big data security analytics is increasingly a necessity for organizations struggling to spot previously unknown attacks, but according to a trio of CISOs, enterprise IT teams shouldn’t plan on using traditional security products such as SIEM for handling large quantities of data.

Speaking with a panel of CISOs at the 2014 RSA Conference, moderator Neil MacDonald, vice president at Stamford, Conn.-based Gartner Inc., said the term big data may be overhyped in the security community, but it is playing an ever more important role in fending off advanced persistent threats. Traditional, signature-based antivirus products are only good for blocking known attacks, according to MacDonald, but such capabilities are pointless, for example, when hackers utilize malware crafted specifically for a certain organization.

Enterprise security professionals are coming around to the idea that breach prevention is basically impossible, MacDonald noted.

“You must assume the systems will be breached. Once breached, how do you know you’ve been compromised?” MacDonald asked. “You have to baseline and understand what ‘goodness’ looks like and look for deviations from goodness. McAfee and Symantec can’t tell you what normal looks like in your own systems. Only monitoring anomalies can do that.”

MacDonald said that such monitoring could be focused on a variety of network and end-user activities, including network flow data, file activity and even going all the way down to the packets. Of course, such monitoring can create the sort of large quantities of data that traditional security systems struggle to handle.

Panel member Golan Ben-Oni, CISO for Newark, N.J.-based IDT Corp., said his organization realized several years ago that the ability to collect and correlate data from the network and endpoints was vital. As a result, the company has introduced many new technologies and tools, though Ben-Oni said that determining which products are “best of breed” has been a constant challenge.