Predictive security, meet Big Data analytics
- Summary:
- Cloudmark’s core security policy engine approach can predict spam, DDoS and DNS attacks using analytics on vast gobs of service provider log and feedback data.
A couple of years ago, at a large security conference and exhibition, a journalist chum of mine remarked:
I’ve looked round this show and I cannot see any application of analytics to security issues, yet that seems the obvious way to go.
As it happens, there is at least one company, Cloudmark, that would claim to have been applying Big Data analytics to security issues since 2006 at least.
But in general, the observation was valid. Indeed, it would not be unreasonable to suggest that the majority of security technology vendors are still extremely fond of selling reactive, post-'infection' tools to defend and remediate individual devices, rather than proactive security management capabilities.
There is now a growing shift away from end-point defence per se, though that still has an important role to play. When it comes to cloud-delivered services in particular, there is a growing understanding that applying analytics to security is the way to go.
Cloudmark’s analytics tools are currently targeted at the service provider market, though CTO Neil Cook agrees that the time is now right for development and growth in the types of business that might exploit the technology. For now, however, its customer base predominantly consists of ISPs and CSPs such as Comcast and PlusNet.
The company’s original objective was to provide an anti-spam service, and it has been offering this since 2006. Customers feed data about all their own customers’ internet and cloud services traffic into Cloudmark, together with all their own and their customers’ observations about that traffic.
So every time an end user labelled something as spam, the Cloudmark system received that information; the details of where the message came from, what else came from there, and how the recipient’s address had been collected and stored could then be analysed out of the associated logs.
Using this approach, it was soon possible to extend the service to cover anti-virus data and, with the latest development, DNS security services.
Using the data, the Cloudmark analytical tools help users identify sources of spam, viruses and Distributed Denial of Service attacks in close to real time, allowing them to isolate and shut down malicious activity not only against themselves but also against individual customers.
According to Cook, the analytical capabilities have become sophisticated enough to allow prediction of malicious activity, by tracking the patterns of online behaviour that are commonly part of such attacks.
This has led to the development of a policy engine, which not only manages anti-spam and anti-virus activities across large Internet and Cloud Service Providers, but has also spawned a recently introduced DNS security service. This can be used to set up the complex rules needed to track user behaviour patterns over time that are often associated with DNS attacks on service provider DNS services. Cook says:
Large service providers now need to provide defence capabilities in-depth, not just one solution, and this means being able to manage across all of them. DNS protection is very important, and up until now it has not been protected. It also means being able to look at activity at the applications level, inside the http: level.
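The two analytics patterns the article describes, end-user spam reports feeding back into a sender reputation that is applied to everything else from the same source, and policy rules that watch a client's DNS behaviour over time, are easy to sketch as code. The following is an added illustration, not Cloudmark's policy engine or any of its code; the log formats, field names, thresholds and every IP address and message id are constructed for the example.

```python
"""Toy rule-based policy engine over constructed log data (added illustration,
not Cloudmark's code). Two rules stand in for the feedback-loop and DNS
behaviour analytics described in the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail log: (message_id, sender_ip, recipient). Addresses are
# documentation ranges, not real hosts.
MAIL_LOG = [
    ("m1", "203.0.113.7", "alice@example.net"),
    ("m2", "203.0.113.7", "bob@example.net"),
    ("m3", "203.0.113.7", "carol@example.net"),
    ("m4", "203.0.113.7", "dave@example.net"),
    ("m5", "198.51.100.2", "alice@example.net"),
    ("m6", "198.51.100.2", "bob@example.net"),
]
# Constructed end-user feedback: message ids that recipients flagged as spam.
SPAM_REPORTS = ["m1", "m2", "m3"]


def sender_reputation(mail_log, spam_reports, min_messages=3, max_ratio=0.5):
    """Return {sender_ip: (reports, total, blocked)}.

    A sender is blocked once enough messages have been seen (min_messages) and
    more than max_ratio of them were reported by recipients. Thresholds are
    assumptions chosen for the example."""
    reported = set(spam_reports)
    totals, hits = defaultdict(int), defaultdict(int)
    for msg_id, ip, _recipient in mail_log:
        totals[ip] += 1
        if msg_id in reported:
            hits[ip] += 1
    verdicts = {}
    for ip, total in totals.items():
        blocked = total >= min_messages and hits[ip] / total > max_ratio
        verdicts[ip] = (hits[ip], total, blocked)
    return verdicts


def propagate_verdict(mail_log, reputation):
    """'What else came from there': every message from a blocked sender is
    quarantined, including ones nobody reported yet."""
    return sorted(msg_id for msg_id, ip, _ in mail_log if reputation[ip][2])


# Constructed resolver log lines: "<ISO time> <client_ip> <qname> <rcode>".
# 192.0.2.55 bursts random-looking names that do not resolve, the kind of
# pattern a hijacked consumer router produces when drafted into a DNS flood.
DNS_LOG = [
    "2024-05-01T10:00:00 192.0.2.10 www.example.com NOERROR",
    "2024-05-01T10:00:01 192.0.2.10 mail.example.com NOERROR",
    "2024-05-01T10:00:02 192.0.2.10 cdn.example.com NOERROR",
    "2024-05-01T10:00:00 192.0.2.55 a1x9.victim.example NXDOMAIN",
    "2024-05-01T10:00:00 192.0.2.55 q7zk.victim.example NXDOMAIN",
    "2024-05-01T10:00:01 192.0.2.55 m2pp.victim.example NXDOMAIN",
    "2024-05-01T10:00:01 192.0.2.55 ww4r.victim.example NXDOMAIN",
    "2024-05-01T10:00:02 192.0.2.55 www.example.com NOERROR",
    "2024-05-01T10:05:00 192.0.2.55 www.example.com NOERROR",
]


def parse_dns_line(line):
    """Split one constructed log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname, rcode


def dns_behaviour_alerts(lines, window=timedelta(seconds=60),
                         min_queries=4, max_nx_ratio=0.6):
    """Flag clients whose NXDOMAIN ratio inside any sliding time window exceeds
    max_nx_ratio. Returns {client_ip: (nxdomain_count, queries_in_window)}."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, _qname, rcode = parse_dns_line(line)
        by_client[client].append((ts, rcode))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            nx = sum(1 for _, rcode in span if rcode == "NXDOMAIN")
            if len(span) >= min_queries and nx / len(span) > max_nx_ratio:
                alerts[client] = (nx, len(span))
                break  # one alert per client is enough for a policy decision
    return alerts


if __name__ == "__main__":
    rep = sender_reputation(MAIL_LOG, SPAM_REPORTS)
    print("sender reputation:", rep)
    print("quarantined:", propagate_verdict(MAIL_LOG, rep))
    print("DNS behaviour alerts:", dns_behaviour_alerts(DNS_LOG))
```

Each rule is a pure function over a list of records, which is what makes the policy-engine shape useful: a provider can swap in its own thresholds, add rules, and hand the resulting verdicts to a SIEM or to a per-subscriber quarantine without changing the ingestion path.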
Increasingly, this policy engine is becoming Cloudmark’s core product as users now have the capability to tailor and adapt it to their own security requirements, and link it to their own tools, such as SIEM systems.
Predicting threat
It is also the vehicle behind the increasing ability of the system to provide predictive threat management, says Cook:
For example, in identifying the source of a current spam attack by tracking where the attacker has sourced target email addresses, it is possible to identify other address lists that attacker has downloaded and use that information to predict, and prevent, the next attack.
It can also help service providers plug some of the security gaps that exist at the consumer end of the network, which Cook suggests is still largely operating in the dark ages where simple processes such as using two-factor authentication are still widely eschewed:
Consumer routers and other connected consumer products are a major issue now. Most of them have very weak security algorithms and are difficult to update anyway. It is extremely easy for them to be used to hijack DNS so that they can be used to attack businesses. The DNS security services allow the IP to identify a specific consumer router and shut it down, if necessary.
We can also help identify where the traffic should be heading, and redirect it to the right recipient. I know saying 'man in the middle' is normally a bad phrase in security circles, but we actually are the beneficial man in the middle.
The policy engine at the heart of Cloudmark also opens up the system to new application possibilities that Cook is now considering. For example, though the company’s basic model is as an on-premise tool within the systems of large service providers and enterprise users, there is now scope for its capabilities to be made available to a wider range of businesses as SaaS, which in turn opens it up to being the underpinning of specialist security service providers that target specific market niches. It also has potential applications in the Internet of Things marketplace. Cook concludes:
We are starting to offer the DNS security capability as a SaaS service for both the service providers and enterprises.
My take
Not only does the Cloudmark approach show the trend away from reactive end-point defence as the core toolset for security in any IT environment with a heavy internet bias, it also shows why looking at 'Big Data analytics' as a technology in its own right is missing the point. The benefit of having predictive security capabilities is something most business managers can understand and latch on to. The fact that it is Big Data analytics at work is irrelevant.