Information security: It takes an ecosystem
The top 10 data breaches of 2015 included government agencies, healthcare organizations, retailers and security software vendors, according to information available through the Privacy Rights Clearinghouse, a non-profit corporation focused on privacy issues. The well-known breach at the federal Office of Personnel Management (OPM) affected more than 20 million individuals, revealing detailed personal data used in background checks. Even credit service provider Experian was not immune, with applicant information for one of its services hacked, potentially revealing personally identifiable information (PII) such as social security numbers and birth dates.
According to a global study of 350 organizations by the Ponemon Institute, a research center that conducts studies on privacy, data protection and information security policy, the average cost of a breach is $3.79 million. However, that number does not include the increasing expenditures on overall detection and prevention. For example, J.P. Morgan projected that it would invest $250 million and have a staff of 1,000 to address information security. In 2014, Target reported spending $148 million on its breach. The Ponemon study cited possible complacency in the past on the part of senior-level executives and board members, but noted that this attitude is changing in light of the adverse impacts of such breaches.
No one solution can solve the problem. The challenges of improving information security demand innovative solutions and a full ecosystem of tools. One new approach is to use the emerging technology of big data analytics to stay ahead of the power curve. “There is a cybersecurity arms race going on, with companies trying to keep up with the threats,” says Dave Hirko, co-founder of B23, a professional services company focused on big data. “But the bad actors are small and hard to target, and it’s impossible to identify and respond to threats based on known signatures.”
B23 was founded to apply big data analytics to real-world problems, including cybersecurity, marketing and interpreting data from the Internet of Things (IoT). The company developed an open source technology called Apache Metron, which is based on a project that originated with Cisco. The project was subsequently accepted into the Apache incubator program, a major step that helped establish the technology as credible and promote adoption.
Ecosystem of tools
“We think our technology is the only one in which a cybersecurity solution is embracing big data components such as Hadoop and Apache Spark,” Hirko says. “There are a few emerging proprietary big data cybersecurity projects, but they take more of a black box approach, and we wanted our customers to be able to understand the analyses by making them open source.”
The role of Apache Metron in cybersecurity is primarily one of detection. “We analyze network packets, which is a traditional big data problem,” Hirko explains, “and apply machine learning technology to identify advanced persistent threats. This is a disruptive way to identify cyberthreats rather than by using a signature-based approach.”
The company prefers to collect longitudinal data over a period of 12 to 18 months with a “collect everything” strategy that provides the raw data for the analytics. Data scientists within the firm help define the scope of the analysis and interpret the results.
No one technique solves every information security issue, Hirko points out. “Companies should have an ecosystem of tools, ranging from traditional firewalls to security information and event management applications,” he says. “Big data tools fill the role of enabling companies to collect, store, process and analyze large amounts of network packet data, which was not possible until a few years ago. Apache Metron is the first open source solution to apply big data technologies such as machine learning to the cyber security challenge.”
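The contrast Hirko draws, signature matching against analysis of collected traffic, is easier to see on data. The following is an added example written for this article; it is not Apache Metron code and uses none of Metron's APIs, and every host, address, port and byte count in it is constructed. It runs a known-bad indicator list and a per-host statistical baseline over the same day of flow records and shows that each detector catches something the other misses: the indicator list flags a host whose volume is normal but whose destination is listed, while the baseline flags a host sending roughly eight times its usual volume to an address no feed has ever seen, and also a host with no history at all.

```python
"""Signature matching next to a per-host statistical baseline over flow records.

Added example for this article; it is not Apache Metron code and does not use
Metron's APIs. All hosts, addresses and byte counts below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: outbound bytes per internal host for each of the last
# seven days. A "collect everything" store would hold far more than this.
BASELINE = {
    "10.0.0.5": [1.20e6, 1.10e6, 1.30e6, 1.00e6, 1.25e6, 1.15e6, 1.20e6],
    "10.0.0.7": [3.0e5, 2.8e5, 3.1e5, 2.9e5, 3.2e5, 3.0e5, 2.9e5],
    "10.0.0.9": [5.0e6, 5.2e6, 4.9e6, 5.1e6, 5.0e6, 5.3e6, 4.8e6],
}

# Constructed flows for today: (src, dst, dst_port, bytes_out).
TODAY = [
    ("10.0.0.5", "93.184.216.34", 443, 1.2e6),   # normal for this host
    ("10.0.0.7", "198.51.100.23", 443, 2.4e6),   # ~8x this host's usual volume
    ("10.0.0.9", "203.0.113.77", 6667, 5.0e6),   # normal volume, listed destination
    ("10.0.0.11", "93.184.216.34", 443, 5.0e4),  # host with no history at all
]

# Constructed indicator lists standing in for a signature feed.
KNOWN_BAD_IPS = {"203.0.113.77"}
KNOWN_BAD_PORTS = {6667}


def signature_alerts(flows):
    """Flag flows that touch a listed destination address or port.

    Catches only what the feed already describes: a host sending its usual
    volume to a listed address is caught, a novel destination is not.
    """
    return [
        {"host": src, "reason": f"known-bad dst {dst}:{port}"}
        for src, dst, port, _ in flows
        if dst in KNOWN_BAD_IPS or port in KNOWN_BAD_PORTS
    ]


def baseline_alerts(flows, baseline, k=3.0):
    """Flag hosts whose outbound volume today is more than k standard
    deviations above their own history, or that have no history at all."""
    totals = defaultdict(float)
    for src, _, _, nbytes in flows:
        totals[src] += nbytes

    alerts = []
    for host, total in totals.items():
        history = baseline.get(host)
        if not history:
            alerts.append({"host": host, "reason": "no baseline for host"})
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0.0:  # flat history: any increase at all is anomalous
            z = float("inf") if total > mu else 0.0
        else:
            z = (total - mu) / sigma
        if z > k:
            alerts.append({"host": host, "reason": f"volume z-score {z:.1f} > {k}"})
    return alerts


def detect(flows, baseline=BASELINE):
    """Union of both detectors, keyed by host, so each alert shows which
    approach produced it. Neither detector alone covers every case here."""
    merged = defaultdict(list)
    for a in signature_alerts(flows):
        merged[a["host"]].append("signature: " + a["reason"])
    for a in baseline_alerts(flows, baseline):
        merged[a["host"]].append("baseline: " + a["reason"])
    return dict(merged)


if __name__ == "__main__":
    for host, reasons in detect(TODAY).items():
        print(host, reasons)
```

The baseline here is deliberately simple (a z-score on daily byte totals); it stands in for the machine-learning models the article mentions only to make the point that a detector trained on a site's own history can raise an alert without any prior knowledge of the destination, while the indicator list cannot. Seven days of history is also far too short for a production baseline, which is why the article's 12-to-18-month collection window matters.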
Responding to a breach
It is widely acknowledged that data breaches are inevitable, given the number and variety of threats, the persistence of would-be intruders and the likelihood of inadvertent breaches caused by human or process error. Companies should therefore have a plan for incident response, remediation, recovery and restoration. Each industry has its own set of requirements that defines compliance. In general, the process includes a discovery phase in which the data documenting the incident is collected; a risk assessment that compares the event against the applicable regulations; notification of the affected individuals; providing added protection, such as credit monitoring, for those affected; and taking steps to prevent similar intrusions in the future.
RADAR from ID Experts is an incident response platform that helps businesses comply with requirements for protecting personally identifiable information (PII) and protected health information (PHI). “If an incident involving PII or PHI does occur, RADAR helps organizations ensure that they are compliant with breach laws and obligations, and that they meet the burden of proof for the response,” says Mahmood Sher-Jan, executive VP and general manager of the RADAR business unit at ID Experts.