When it comes to protecting an enterprise network or a government network, there’s a great deal of discussion about what solutions exist to batten down the hatches and dog the doors against intruders; but often the same technologies we use to detect intruders (and insiders) can also be used to predict failures. Among the solutions on the market is Splunk, who offer a number of extremely powerful products that provide both in-house security and security-as-a-service across numerous layers by looking at the data produced by a multitude of products.
A series of events have brought public attention to the necessity of cybersecurity efforts at not just the enterprise level but the national level, such as the water pump failure in Illinois that sparked fears of cyberterrorism but turned out to be an overreaction to a contractor logging in from Russia. Any comprehensive cybersecurity solution should be able not just to detect potential saboteurs (and sabotage) but also to enable security experts to quickly sort out the difference between a real threat and a false alarm.
In fact, it looks like the FBI did use Splunk to help analyze the logs to determine what happened. So Splunk is definitely in their incident response toolkit.
Recently, I had a chance to speak with Mark Seward, Director of Security and Compliance Solutions at Splunk, who described the Big Data approach that Splunk takes to system and network security. Today, it is possible to be overwhelmed with signals and data from across the entire sphere of security: not just network security, but also physical security. By tying together the outputs of numerous systems such as login monitors, firewalls, door access indicators, and ID badges, it’s possible to end up buried under a mountain of information, most of which may be totally irrelevant, but it’s difficult to tell which parts.
Seward mentioned that around 2000 there was a huge move to unify security systems for remote access, and that many workers nowadays connect to systems across the Internet. One solution that Splunk can offer is behavior analysis: the more data fed to it, and the better thought-through the queries watching the systems, the more easily it could have shaken out the contractor connecting from Russia. After all, give the system the credentials of the contractors and feed in their travel schedules, and suddenly a connection via Russia from a contractor who is scheduled to be in Russia isn’t scary.
Splunk allows you to take its search language and use it to monitor real-time data streams as well as to mine logs and big data for patterns, so it’s possible to alert in real time (if you’ve gathered enough context).
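As an added illustration of the context-driven behavior analysis Seward describes (this is not Splunk’s search language or any code from the interview), the following Python checks constructed VPN login records against home-country and travel-schedule context and flags only the logins that the context cannot explain. The log format, user names, countries and dates are all assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample login events (not real data). Each carries the source
# country the VPN concentrator resolved the client address to.
LOGIN_LOG = """\
2011-11-08T03:12:44Z vpn01 login user=jdoe src_country=RU result=success
2011-11-09T14:01:10Z vpn01 login user=jdoe src_country=RU result=success
2011-11-20T02:45:03Z vpn01 login user=jdoe src_country=RU result=success
2011-11-21T09:30:00Z vpn01 login user=asmith src_country=US result=success
2011-11-21T09:31:12Z vpn01 login user=asmith src_country=CN result=success
"""

# Constructed context: where each account normally works from, and the
# travel windows (inclusive dates) the travel-booking system has on file.
HOME_COUNTRY = {"jdoe": "US", "asmith": "US"}
TRAVEL_SCHEDULE = {
    "jdoe": [(date(2011, 11, 7), date(2011, 11, 12), "RU")],
    "asmith": [],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login user=(?P<user>\S+) src_country=(?P<cc>[A-Z]{2}) result=(?P<res>\S+)$"
)

def parse_logins(text):
    """Yield (timestamp, user, country) for each successful login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("res") == "success":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("user"), m.group("cc")

def location_expected(user, when, country):
    """True if the login country is the user's home country or a country
    the user is scheduled to be in on that date."""
    if country == HOME_COUNTRY.get(user):
        return True
    for start, end, cc in TRAVEL_SCHEDULE.get(user, []):
        if cc == country and start <= when.date() <= end:
            return True
    return False

def find_anomalous_logins(text):
    """Return the logins whose source country the travel context does not
    explain; only these need an analyst's attention."""
    return [(ts.isoformat(), user, cc)
            for ts, user, cc in parse_logins(text)
            if not location_expected(user, ts, cc)]
```

The contractor’s logins from Russia during the scheduled trip are left alone; the same user from the same country after the trip ends, and a second user from a country with no schedule entry, are the only two alerts raised.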
Big Data cybersecurity can also contend with potential emergencies
Since national infrastructure is on our minds, it’s possible to use Splunk to monitor the numerous data points produced by a large system to detect and predict potentially failing parts or problem spots. In the example of the water pump from Illinois, which was faulty, there might have been a build-up of other anomalies leading to the failure that could have been detected.
Using Big Data algorithms and a powerful query language, the system can monitor signals from all the devices, meters, gauges and pressure sensors, and watch for statistical outliers in pressure in order to flag potential faults. The results can be rendered on a Google map that indicates where faults are coming from or where outliers are located; a valve failure, for example, would appear as a red dot on the map in order to direct repair crews.
A link to an inventory of all the valves lets repair crews know what equipment they need to fix the issue.
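An added example, not code from Splunk or from the interview, of the outlier check and inventory link described above: constructed pressure readings for each valve are scored against a baseline of the earlier samples, and each flagged valve is joined to a constructed inventory so the alert carries the map position and equipment model a repair crew needs. The valve ids, coordinates, baseline length and z-score threshold are assumptions.

```python
import statistics

# Constructed readings (not real telemetry): pressure in psi, in time order,
# one stream per valve. V-17 holds steady and then spikes on the last sample.
READINGS = {
    "V-03": [61.2, 60.8, 61.0, 61.4, 60.9, 61.1, 60.7, 61.3, 61.0, 60.9, 61.2],
    "V-17": [58.1, 58.4, 57.9, 58.3, 58.0, 58.2, 58.1, 58.4, 58.0, 58.2, 71.6],
}

# Constructed inventory the alert links to: position for the map marker
# and the equipment model a repair crew should bring.
INVENTORY = {
    "V-03": {"lat": 41.88, "lon": -87.63, "model": "gate-valve-6in"},
    "V-17": {"lat": 41.90, "lon": -87.70, "model": "butterfly-valve-8in"},
}

def zscore_outliers(values, baseline=10, threshold=3.0):
    """Indices of readings more than `threshold` standard deviations from
    the mean of the preceding `baseline` readings. Each reading is judged
    only against earlier data, so a fault cannot inflate its own baseline."""
    flagged = []
    for i in range(baseline, len(values)):
        window = values[i - baseline:i]
        mean = statistics.mean(window)
        sd = statistics.pstdev(window)
        if sd == 0:
            # Perfectly flat baseline: any change at all is a deviation.
            if values[i] != mean:
                flagged.append(i)
        elif abs(values[i] - mean) / sd > threshold:
            flagged.append(i)
    return flagged

def fault_report(readings, inventory):
    """Join outlier detections with the inventory so each alert carries
    the map position and equipment model for the repair crew."""
    report = []
    for valve, series in readings.items():
        for idx in zscore_outliers(series):
            item = inventory[valve]
            report.append({"valve": valve, "sample": idx, "psi": series[idx],
                           "lat": item["lat"], "lon": item["lon"],
                           "model": item["model"]})
    return report

if __name__ == "__main__":
    for alert in fault_report(READINGS, INVENTORY):
        print("FAULT", alert)
```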
Enabling thinking like the enemy and “profiling” potential sabotage or attack cases
Big Data systems provide an excellent real-time analysis tool, one that needs not just the capability to draw in and store all that information but to watch it change in situ as the event is occurring—this is the essence of how we can use Big Data to enhance cybersecurity as a whole. Products like Splunk don’t just provide the capability for deep real-time analysis; they also deliver powerful languages that put the ability to query ongoing, changing data in the hands of the technicians who may need those alerts to be prepared for both the expected and the unexpected.
Looking at what can be learned from the lesson of the Kobayashi Maru, cybersecurity experts with a great deal of data and context at their fingertips can essentially “profile” the behaviors of potential attackers and faults in their system and write queries to detect the lead-up to them. As a result, an attacker attempting to exploit a known flaw in a system, or an insider out of place, will show up in the Big Data analysis as an outlier, giving cybersecurity agents some lead time to check whether it’s a false alarm or whether the anomaly requires further investigation.
Seward highlighted a number of situations where a team using Splunk could protect an important piece of infrastructure by watching the less-important but equally vulnerable infrastructure connected to it. For example, nuclear facilities are extremely important and obvious targets—but they’re also heavily monitored and extremely well defended—but they must be fed and cooled. As a result, we also have to be concerned about the supply chain for that architecture. It’s important to look not just at the nuclear facility, but also at the water pumping station that provides the coolant for the facility itself.
At each tier, a Big Data solution provides a better bird’s-eye view of the architecture and the critical infrastructure while giving technicians the chance to know something’s about to go wrong before it happens. With its Big Data capabilities and a powerful query language that can reach deep into a lot of context, it looks like Splunk has set itself on that narrow perch of being an excellent solution for the current tsunami of information that even a simple system can produce.