Security Meets Big Data: RSA's New Security Analytics System

RSA is unveiling a retrofitted appliance that its executives say is the first stage in changing the nature of IT defense, merging security technologies with big data analytics to improve attack detection and analysis capabilities.

RSA is merging some of the features of its enVision security information and event management (SIEM) platform into its NetWitness network appliance and adding big data analytics capabilities from the Hadoop software framework. The resulting product, called RSA Security Analytics, uses EMC's Greenplum analytics management capabilities to build out a data warehouse for long-term analytical processing.

"The security models that we have been using are no longer effective, and if we're ever going to be in a position to combat the forces against us we have to have a different approach to security," said RSA President Art Coviello at a media event unveiling the new system. "For the first time, we have the computing power, storage and bandwidth to leverage these big data analytics capabilities."


The RSA Security Analytics system contains the full reporting and alerting, event processing and network forensics investigative tools from NetWitness, along with full content indexing engines that provide free text search for data mining, metadata tagging and long-term intensive analysis. It uses the enVision SIEM log parsing functionality and device XMLs to capture data from a variety of deployed systems. The NetWitness analytics engine is also combined with the Archer GRC platform and the RSA Data Loss Prevention suite for context, compliance reporting and policy management.

Security industry observers are anticipating a number of big data analytics announcements this year that rely on the Hadoop framework to boost the performance of network monitoring systems and speed up the detection of attacks. IBM and Hewlett-Packard engineers are said to be working on similar integrations of the framework for information security. Combined with behavioral analysis and long-term data storage, the goal is to eventually be able to predict potential attacks and quickly identify and eliminate weak points in the corporate network.

Hadoop adds value by enabling enterprises to ingest a large amount and a greater variety of data without being constrained by data formats, said Scott Crawford, research director at Enterprise Management Associates. Crawford said the system that RSA has pieced together gives security threat analysts more flexibility in what they are looking for at the time they are looking for it.

"Combining a couple of different approaches to analytics and back-ending them with a common approach to data really highlights the value of technologies like Hadoop for this purpose," Crawford said. "This is valuable to security in a sense that if you are looking for needles in very large haystacks, it improves your performance."


In addition, RSA has designed a new graphical interface that displays suspicious events to a threat analyst for further investigation, and the processing engine learns over time how to prioritize them. The system will correlate vulnerability information with other data to flag the high-profile events an analyst needs to look at, said Amit Yoran, senior vice president and general manager of the security management and compliance business unit at RSA. RSA engineers spent almost two years building out the architecture, Yoran said, adding that the Hadoop platform was chosen because it is optimized for capturing data and building tables for efficient processing.

"We can stream millions of events per second through its clustering event processing engine and it can keep up with thousands of rules running," Yoran said. "It allows us to have an elegant set of rules to start out of the box."

RSA executives said the system will likely start at about $75,000 and increase depending on the capabilities and size of the deployment. The Bedford, Mass., company will offer large-scale deployments for the defense sector, government and the financial industry, but the analytics capabilities can also be scaled down for smaller businesses, providing basic log-only and packet-capture-only capabilities for short-term analytics. Data warehousing can be added as the business grows.

Channel partners, particularly those with a systems integration arm, may be able to take advantage of the security data analytics approach, according to Enterprise Management Associates' Crawford. Systems integrators should take a close look at the form factor they plan to deploy these products in when it comes to warehousing. "These warehousing architectures may not be as daunting as channel people might assume," Crawford said. "If they see the form factor and deployment opportunity and it fits with their strategy, it would be worth their while to dig a little bit more into these technologies."

RSA will continue to sell its point products, said Bill Taylor, senior director, Global Channels and Alliances at RSA. But partners need to pay attention to the big data trend because it will factor much more heavily into security products in the future, opening up new opportunities for the channel, Taylor said.

"I think EMC is correct on its big data strategy and we're just following suit with our product sets," said Taylor.