One of the final scenes of Harry Potter is the defence of Hogwarts and Harry’s life. The wizards have cast their protection spells to put a barrier around the area; however, the evil followers of “He who shall not be named” find a portal and breach the protective barrier! But Harry and the people inside have been preparing for such an eventuality, and in the end… well, you can imagine who wins.
This week EMC RSA released ‘Security Analytics’, a major step forward for the industry, expanding from edge protection to intelligence-based security; think of it as the preparation for when you are breached. (As discussed in the last blog post… sorry, with another movie analogy.)
The technologies involved are a combination of SIEM and network protection, which together provide the rich, granular data; that data is then loaded into an analytics data warehouse, and the intelligence is built on top of it. With this approach you can continuously improve your pattern-recognition analytics (breach detection), and I’m sure the community will add to this knowledge base. Secondly, when you detect a possible breach you have all the data at your fingertips to perform the ‘forensics’, find out what is going on, and shut it down.
On top of this, the system also accepts external feeds from security agencies, so you are not alone… For example, RSA provides a service to financial institutions to help them detect and shut down phishing campaigns extremely quickly. (Reports indicate that they are able to do this within hours rather than weeks.)
Yesterday, during a presentation, I mentioned this release and was asked, “What metrics do you have?” This is an interesting question, as we are so used to comparing the old way with the new. The problem I had in answering it is that every attack is new! So the goal is to reduce the time to detection and the time to ‘shut down’. Some of the release materials talk about ‘typical’ breaches having taken weeks to detect, whereas we have been able to show (with beta customers) that this can be reduced to hours… But is that meaningful when the next attack has a completely different vector?
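To make the loop described above concrete (retain all the raw SIEM and network data, run a detection rule over it, pivot back into the retained data for forensics, enrich with an external feed, and then measure time to detection and time to shut-down), here is a small added example. It is illustrative code written for this post, not RSA Security Analytics product code; the event records, the threat-feed entry, the rule threshold and the field names are all constructed assumptions.

```python
"""Toy 'intelligence based security' loop over a constructed event store.
Added illustration only; not RSA's product code. Every event, IP address and
feed entry below is constructed for the example."""
from datetime import datetime, timedelta

# Constructed event store: SIEM authentication events, a network-sensor
# connection record and an incident-response action, in one timeline.
EVENTS = [
    {"ts": "2013-01-30T09:00:00", "kind": "auth", "host": "ws-17", "user": "alice", "ip": "203.0.113.9", "result": "fail"},
    {"ts": "2013-01-30T09:00:20", "kind": "auth", "host": "ws-17", "user": "alice", "ip": "203.0.113.9", "result": "fail"},
    {"ts": "2013-01-30T09:00:41", "kind": "auth", "host": "ws-17", "user": "alice", "ip": "203.0.113.9", "result": "fail"},
    {"ts": "2013-01-30T09:01:05", "kind": "auth", "host": "ws-17", "user": "alice", "ip": "203.0.113.9", "result": "success"},
    {"ts": "2013-01-30T09:03:30", "kind": "conn", "host": "ws-17", "dst": "198.51.100.7", "bytes": 52_000_000},
    {"ts": "2013-01-30T09:10:00", "kind": "auth", "host": "ws-02", "user": "bob", "ip": "10.0.0.5", "result": "success"},
    {"ts": "2013-01-30T09:45:00", "kind": "response", "host": "ws-17", "action": "isolated"},
]

# Constructed external intelligence feed (stand-in for an agency feed).
FEED = frozenset({"198.51.100.7"})


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_credential_guessing(events, threshold=3, window=timedelta(minutes=10)):
    """Rule: `threshold` failed logins from one source IP against one host,
    followed by a success from the same IP within `window`. Returns alerts."""
    alerts = []
    fails = {}  # (host, ip) -> timestamps of failed logins
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "auth":
            continue
        key, t = (e["host"], e["ip"]), parse(e["ts"])
        if e["result"] == "fail":
            fails.setdefault(key, []).append(t)
            continue
        recent = [f for f in fails.get(key, []) if t - f <= window]
        if len(recent) >= threshold:
            alerts.append({"host": e["host"], "ip": e["ip"], "user": e["user"],
                           "first_seen": recent[0], "detected_at": t})
            fails[key] = []  # do not re-alert on the same burst
    return alerts


def forensic_pivot(events, alert, before=timedelta(minutes=5),
                   after=timedelta(hours=1), feed=frozenset()):
    """Pull every retained event for the alerted host around the detection
    time, tagging network destinations that appear in the external feed."""
    start = alert["first_seen"] - before
    end = alert["detected_at"] + after
    out = []
    for e in events:
        if e["host"] == alert["host"] and start <= parse(e["ts"]) <= end:
            out.append({**e, "feed_match": e.get("dst") in feed})
    return out


def response_metrics(events, alert):
    """The two metrics the post argues for: time to detection (first hostile
    event to alert) and time to shut-down (alert to isolation), in seconds."""
    ttd = (alert["detected_at"] - alert["first_seen"]).total_seconds()
    isolations = [parse(e["ts"]) for e in events
                  if e["kind"] == "response" and e["host"] == alert["host"]
                  and parse(e["ts"]) >= alert["detected_at"]]
    tts = (min(isolations) - alert["detected_at"]).total_seconds() if isolations else None
    return {"time_to_detect_s": ttd, "time_to_shutdown_s": tts}


if __name__ == "__main__":
    for alert in detect_credential_guessing(EVENTS):
        print("ALERT", alert)
        for row in forensic_pivot(EVENTS, alert, feed=FEED):
            print("  ", row)
        print("  metrics:", response_metrics(EVENTS, alert))
```

The point of the pivot is that the raw events were kept, so the analyst does not have to go back to the endpoint to reconstruct what happened after the suspicious login; the feed match on the outbound connection is what the external intelligence adds. The metrics function shows why "time to detection" is the comparable number across otherwise different attacks: it is measured from the first retained hostile event, whatever the vector.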
Anyway, I’m guessing this is just the start of “Intelligence Based Security”, and it has resulted in the good guys leapfrogging the bad, which you must agree is a good thing. Well, I’ll get off my movie and security bandwagon for a little bit now…