HP’s Predictive Security Announcement at RSA – The Big Data Formula that Introduces Sentiment Analysis Using Hadoop, Autonomy, and ArcSight


Once upon a time the limits of security were based on a reactive approach, relying heavily on signature-based methodologies, the industry would react to the latest and greatest threats out there to secure and protect the business.  It suited the times, but as the security realm became more business standardized, the approach of proactive security entered the picture, bringing forth centralization, reporting, forensics, vulnerability management and other measures designed to prevent attacks.  Today’s threats are rapid, persistent, and adaptive.  HP has announced a platform at this week’s RSA conference that changing the game altogether with Predictive Security. What this means to the security business is monumental – the technology makes it possible to find problems and make them actionable, meaning it takes a leap beyond just analyzing collectable security data. Predictive Security is designed to recognize threats before they become actual threats days or weeks in advance, by predicting sentiment.

The threats are real and show up daily with breaches on the rise like never before. 2012 was a massive year of widespread attacks on major corporations; the threats are multiplying and almost becoming viral. Customers are looking for simple answers to take on these security challenges, they are also looking for things that are powerful and complex to help them out. Looking back at a 2011 Gartner report stated that only 3% of organizations were using big data for security intelligence, but projected to be 40% in 2015. The amount of data being generated on a daily basis in the digital universe approaches 1 exabyte of information, or in human context 250 million DVDs generated each and every day. That tsunami of information is expected to double every two years, and the rate at which that information is indexed for analytics, much less security intelligence is less than 1%. The capacity and systems to process this to date have not been there.

So HP has leveraged their security experience, with more than 10,000 customers, leading in nearly all the marketplaces they work in, including extensive work with all the branches of the Department of Defense, nine out of the top ten banks in the business, ten out of the top ten telco’s in the industry and more – in order to deliver what can only be said is the only security solution of its kind. With that, the solution answers those very conundrums that the enterprise is looking at – dealing with Big Data in the security world – Velocity, Volume, and Variety of data – in real time and gaining an enhanced predictive security posture because of it. It’s a marvelous beast.

Context – it’s what makes security intelligence actionable. By leveraging context in the data that HP security systems collect through Big Data, a whole new level of understanding can be implemented to not only detect threats, but prevent them. This sentiment analysis is borne of the unison between security event platforms, based on HP’s ArcSight SIEM platform, and the Autonomy IDOL content analytics engine in real time.
Raw security data is actively tracked and analyzed for patterns in behavior that are associated with human sentiments. Previously, many threats have typically gone unnoticed, but with active sentiment analysis in place, the enterprise can be on the lookout for threats that emerge from this realm.

“Many organizations have not been able to access the critical information they need to combat potential threats,” said Art Gilliland, senior vice president and general manager, Enterprise Security Products, HP. “With the integration of cloud monitoring, content analytics and Big Data processing, HP provides clients with the context needed to effectively stop potential breaches.”

In a briefing with Varun Kohli, Director of Product Marketing for HP, he talked about the emerging possibilities and a couple of fascinating use cases. In one scenario we have a disgruntled employee, one that can be typically hard to discover. Once that employee goes somewhat public with grievances or even just negative sentiment, the system is able to create an event, something to watch, and possibly act on some rules that the user creates. You could tune this to isolate and track information that is competitive, research, data downloaded to USB, basically any vector of data leakage within your grasp. Another scenario involves the open publication of negative sentiment by potential threat groups. If you were a public agency that created policies that this group was against, you could find that this group has for example sent some tweets against the stance of your policies. This would create an alert. A later tweet that was related or directly from the same group may state that a particular named server belonging to your company has some vulnerability. The actionable intelligence there would be to isolate, quarantine and remediate the issues with that server or cut off access immediately until the threat can be fully assessed.

At the heart of the solution is an integration utility that integrates the abilities of Hadoop technology in handling massive amounts of collected information in a centralized repository, combined with ArcSight’s information capabilities. The capacity of real-time security data analytics along with sentiment analysis from Autonomy makes for a compelling and incredibly capable platform that has incredible business value. Understanding the interaction of user and data, both internal and external is a next-gen leap in security evolution and this announcement makes that possible.

If you’re already built in with an existing Big Data investment, ArcSight’s integration with Hadoop answers the call. For those that don’t have Hadoop in their environments, the product ships with CORR – Correlation Optimized Retention and Retrieval engine – a security-focused optimized database that is exceedingly fast, boasting improvement factors of 500% and more when compared to RDBMS.  Kohli calls it:

“Batch processing for faster processing”

Another key announcement is the ongoing effort to create a standard log format using ArcSight. ArcSight takes cryptic logging information and packages these into their proprietary format in the form of a framework, thereby extending the abilities of not just collecting data from on-premise implementations, but extending into such areas such as SaaS applications. HP has reference implementations for Google, Box, and Salesforce for example. If an organization has SaaS being utilized and they are looking for better visibility, these implementations make that visibility possible, giving insight into just about everything related to an organization.

The Autonomy piece is compelling on its own, but in this application its practicality shines. With the ability to recognize over 400 data types/sources and collection and analysis capabilities in some 150 different languages, detecting that negative sentiment is paramount to a successful predictive security effort.