In the setup to this article, we discussed how Big Data Security Analytics (BDSA) is an evolution beyond the limitations of classic Security Information & Event Management (SIEM) solutions. Namely, Big Data approaches are differentiated by their ability to provide analytics from unstructured data sources and huge, disparate data sets (IBM and others refer to this as the 4Vs: Volume, Velocity, Variety, and Veracity).
Big Data solutions have other traits that enhance their effectiveness, unlocking insights better than legacy solutions do. For example, many solutions are capable of certain types of machine learning – suggesting or executing a particular course of action based on historical actions, rather than as a result of formally coded rules. As another example, Big Data solutions will often consume not just event-based sources, but also intelligence feeds or contextual reference data (e.g., threats, vulnerabilities, asset inventories) for better overall insights.
What this all means is that classifying a solution as Big Data Security Analytics is guided by principles rather than a distinct definition, and hence, is somewhat subjective. In fact, many respected analysts, such as Anton Chuvakin at Gartner, don't believe "there is such a market at this time" (note: Gartner does believe that BDSA is relevant as a concept).
Many enterprises that we interact with are indeed trying Big Data Security Analytics in some form or fashion (to say nothing of the preponderance of start-up marketing materials). As Larry Lunetta of PetaSecure reminds us about SIEM, "it took Gartner 2 years to publish a [Magic Quadrant], and the Leader's quadrant for the inaugural version was empty." This is to say nothing ill about our friends at Gartner; we'd argue it's just early in the game. Other analysts such as Jon Oltsik of the Enterprise Strategy Group believe that "there is no longer any debate – security analytics has become a big data application." We concur.
With that in mind, we'd like to propose an initial Big Data Security Analytics landscape; that is, the intersection of "Big Data Analytics" with "Security Analytics". We fully expect it'll have gaps, approximations, and maybe more egregious errors. But let's start somewhere. Our central organizing theme is that BDSA solutions are either real-time or historical, depending upon the data on which they operate:
- Real-time solutions ("Real-time Analytics") live on the network and often perform automated remediation to prevent ongoing attacks.
- Historical solutions ("Historical Analytics") rely more on batch data and provide rich investigative capabilities for security analysts.
Within the Real-time Analytics space, the clearest delineator is whether the solutions perform deep packet inspection or not. There are trade-offs for each approach. Within the Historical Analytics space, solutions are typically provided either as all-in-one, self-contained implementations or are meant to be deployed on top of existing Big Data repositories. Hence, our sub-categories.
For the purposes of this landscape, we assume the following are out-of-scope:
- Classic SIEM and scalable "SIEM 2.0" solutions. The latter refers to SIEM enhancements that provide for Volume and Velocity but still require structured datasets and/or do not incorporate non-log-based sources.
- Solutions that only provide a general platform for Analytics, rather than anything security-specific.
- Solutions that only enable inbound data collection or ingestion, but do not perform analytics. Similarly, solutions that only provide workflow, case management, or outbound response.
- Public companies (and Palantir), since we're focused on startups.
Big Data Security Analytics is an emerging market and we're certainly excited to see how it evolves. In the short term, we're interested to know which companies we missed. We'll also be monitoring how well these companies gain traction with enterprise customers. Longer term, it will be interesting to see which approaches prove most effective at detecting and preventing attackers. Please share your thoughts in the comments!