G00245789

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

Published: 19 April 2013
Analyst(s): Joseph Feiman

Security intelligence's ultimate objective, enterprise protection, is mainly fulfilled by security policy enforcement and scanner technologies, not by big security data repositories. Security leaders should prioritize their security strategies and investments based on that fact.

Key Challenges

- Security repositories, even when filled with "big" amounts of security data, inherently possess a fundamental weakness: they cannot protect enterprise assets.
- Enterprises often mistakenly equate "big" amounts of security data (such as SIEM) with security intelligence.
- Enterprises often mistakenly believe that only big security data repositories are intelligent, while policy enforcers and scanners are not.

Recommendations

- Prioritize investments in policy enforcers and scanners, because they often yield better returns than big security repositories.
- Invest in having policy enforcement and scanning technologies interact and share their platform-specific intelligence directly.
- Architect big security data repositories to support the security intelligence protection and detection capabilities fulfilled by policy enforcers and scanners.

Strategic Planning Assumption

Through 2016, 80% of organizations will fail to make big security data useful.

Introduction

There are two fundamental flaws in the common assumptions about security intelligence (SI):
1. SI is analogous to business intelligence (BI).
2. A "big" collection of security data (for example, security information and event management, or SIEM) is SI or a mandatory component of SI, and is the key to enterprise security.

In this research, we challenge both assumptions.

There is an unfortunate tendency to draw a direct analogy between BI and SI. Yet there is a fundamental difference between them: BI enables business analytics and advice, while SI must above all enable enterprise asset protection: blocking attacks, filtering malicious input, raising real-time alerts and detecting vulnerabilities with high precision.

Policy enforcement is the class of technologies that fulfills the main security objective, protection. These technologies include network firewalls, intrusion prevention systems (IPSs), Web application firewalls (WAFs), database audit and protection (DAP), data loss prevention (DLP) and authorization management systems.

Another class of security technologies plays a critical role: security scanners, such as application, network and database vulnerability scanners. These technologies conduct security analysis, offer remediation advice and can provide input directly to policy enforcement technologies (such as a WAF or IPS) in order to increase the efficiency of the latter.

Repositories stocked with security data, such as SIEM, are unable to achieve the ultimate security objective, protection of assets. Therefore, they are not SI. They can be part of an SI architecture, but they are not the incarnation of SI. Post-factum analytics (typically fulfilled by SIEM and other big security data repositories) is an important component of SI, but its role is to support SI protection and detection capabilities by making them more accurate, cross-siloed and multilayered. It helps to create a unified view of security events across the enterprise, which enables rapid detection of targeted attacks that bypass protection technologies.
We argue that the key to security resides in the interaction of numerous detection and protection technologies: network and application firewalls; intrusion prevention systems; authentication managers; database monitors; and application, data and network security scanners of all kinds. They are intelligent technologies capable of detection, analysis and, unlike repositories, protection against attacks (such as termination or blocking of malicious sessions), rather than only notification after the fact, which is the essence of repositories. When practical, they should feed their output into big security data repositories and get back the results of the analysis conducted on that big security data.

Policy enforcers, monitors and scanners on the one hand, and big security data repositories on the other, are all intelligent, but their intelligence is achieved and expressed differently. Both types of intelligence have advantages and weaknesses, and should be utilized differently. Policy enforcers and scanners have built-in intelligence, enabling them to act fast, detect vulnerabilities, raise alerts and deter attacks in real time. Big security data repositories have to learn their intelligence: they collect and normalize data, correlate it with contextual data, and then conduct contextual analysis. This enables cross-siloed analysis, but does not allow for real-time detection and protection.
Analysis

Understand the Intelligence of Policy Enforcers, Monitors and Scanners

Policy enforcers, monitors and scanners do not need to transform security and context data into information, and information into knowledge, at runtime; those transformations have been done in advance. Scanners and policy enforcers have direct access to a built-in knowledge repository and can therefore conduct their detection and protection activities intelligently at runtime. For example, an application security testing technology such as static application security testing (SAST) uses knowledge of hundreds of secure programming best practices to check the tested application's code for compliance with those practices, which results in the intelligent detection of a potential vulnerability in the code. Dynamic application security testing (DAST) uses knowledge of hundreds of attack scenarios to verify whether those attacks can harm an application. A WAF uses its knowledge of attack patterns to see whether those patterns are present in the data stream approaching an application, and can therefore react intelligently to a detected attack (for example, raise an alarm or block the session).

Direct access to the knowledge repository enables detection actions, followed by reporting and recommendations on how to remediate and protect after the fact of detection. For enforcers and monitors, the enabled actions are mostly automated real-time protection actions and real-time responses to threats (for example, dynamic masking of sensitive data, or blocking SQL injection sessions).

One challenge that policy enforcers, monitors and scanners face is that their knowledge repositories are usually siloed (for example, they contain knowledge of only data security, application security or network security), so they have an incomplete view of the attack and defense surface.
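To make the siloed-view point concrete, and to anticipate the cross-silo correlation that the following sections attribute to SIEM, here is an added example that is not part of the Gartner note. It joins constructed WAF, database-audit and firewall log lines with a constructed asset inventory (URI prefix to backend host) and flags the chain that no single silo sees: a WAF in monitor mode observes a SQL injection attempt, the backend serving that URI then performs a bulk read, and the same backend then sends a large outbound flow. The log formats, hosts, thresholds and the ten-minute window are all assumptions made for the illustration.

```python
"""Cross-silo correlation over normalized events with asset context.

Added example, not from the Gartner note: the log formats, hosts, thresholds and the
asset inventory below are all constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed log lines from three silos: WAF (monitor mode), database audit, firewall.
SAMPLE_LOGS = """
2013-04-18T10:02:11Z waf action=monitor rule=sqli src=203.0.113.5 uri=/account/login
2013-04-18T10:02:30Z waf action=monitor rule=sqli src=198.51.100.9 uri=/search
2013-04-18T10:03:40Z db client=10.0.2.15 user=app_svc stmt=SELECT table=customers rows=48211
2013-04-18T10:04:05Z db client=10.0.2.16 user=app_svc stmt=SELECT table=products rows=120
2013-04-18T10:05:02Z fw src=10.0.2.15 dst=198.51.100.77 bytes_out=93400000
2013-04-18T10:05:30Z fw src=10.0.2.30 dst=192.0.2.10 bytes_out=150000000
"""

# Context data joined against the security events: which backend host serves which
# URI prefix. The WAF alone knows the attacker's IP; the DB monitor alone knows the
# app server's IP; only this (constructed) inventory connects the two.
ASSETS = {"/account": "10.0.2.15", "/search": "10.0.2.16"}

BULK_ROWS = 10_000        # rows returned by one statement that count as a bulk read
BULK_BYTES = 50_000_000   # outbound bytes in one flow that count as possible exfiltration
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Normalize one 'timestamp silo key=value ...' line into a dict."""
    ts, silo, rest = line.split(" ", 2)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "silo": silo}
    event.update(pair.split("=", 1) for pair in rest.split())
    return event


def backend_host(uri):
    """Resolve a request URI to the backend host that serves it, or None if unknown."""
    for prefix, host in ASSETS.items():
        if uri.startswith(prefix):
            return host
    return None


def correlate(log_text, window=WINDOW):
    """Return incidents where a WAF SQLi sighting, a bulk DB read from the backend
    that serves the attacked URI, and a large outbound flow from that backend occur
    in that order within `window`. None of the three silos flags this on its own."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    incidents = []
    for waf in events:
        if waf["silo"] != "waf" or waf["rule"] != "sqli":
            continue
        host = backend_host(waf["uri"])
        if host is None:
            continue
        deadline = waf["ts"] + window
        db = next((e for e in events if e["silo"] == "db" and e["client"] == host
                   and waf["ts"] < e["ts"] <= deadline and int(e["rows"]) >= BULK_ROWS), None)
        if db is None:
            continue
        fw = next((e for e in events if e["silo"] == "fw" and e["src"] == host
                   and db["ts"] < e["ts"] <= deadline and int(e["bytes_out"]) >= BULK_BYTES), None)
        if fw is None:
            continue
        incidents.append({
            "attacker": waf["src"],
            "waf_action": waf["action"],   # 'monitor' here: the enforcer saw it but did not block
            "host": host,
            "table": db["table"],
            "exfil_dst": fw["dst"],
            "first_seen": waf["ts"],
            "last_seen": fw["ts"],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(f"{inc['attacker']} -> {inc['host']} ({inc['table']}) -> {inc['exfil_dst']} "
              f"between {inc['first_seen']:%H:%M:%S} and {inc['last_seen']:%H:%M:%S}; "
              f"WAF action was {inc['waf_action']}")
```

Two properties of this example matter for the argument of the note. First, it is post-factum: the incident is recognized minutes after the firewall has already passed the outbound flow, so the correlation detects a breach that the monitor-mode WAF did not prevent. Second, its useful output is a fact the enforcers can act on (attacker source, attacked endpoint, exfiltration destination), which is exactly the feedback from repository to policy enforcer that the note recommends.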
Another challenge is that enforcers, scanners and monitors often produce only reports of their discoveries and actions, instead of (or in addition to) storing their results in a repository for post-factum analysis that could serve the enterprise's risk management and resource and budget planning. We recommend having these results stored and shared among the various enforcers, monitors and scanners, in other words, cross-siloing them, as SIEM does.

Utilize the Intelligence of Big Security Data Repositories When Appropriate

Big security data repositories, or SIEM, as intelligence enablers offer the advantage of integrating and correlating data across multiple security silos. They can also collect context and enable correlation of security data with that context. Analyzed security and contextual information becomes knowledge, engendering intelligent (that is, optimal) risk and business decisions, strategic planning, and resource, budget and skill management. It also enables analytics that can be fed into scanners, monitors and policy enforcers to add to the intelligence of the latter. It helps with early breach detection, as well as early detection of targeted attacks and employee misuse of privileges that bypass policy enforcers.

SIEM also has challenges. Intelligent actions are based on analysis, often conducted manually by security personnel, that does not take place at the moment the event (such as an attack) occurs. Some analyses are automated and fast enough for SIEM use cases, but not for real-time protection. SIEM has been expanding its capabilities toward quasi-real-time actions, such
as alerts and session blocking. It has begun profiling applications, other assets and events for anomaly detection, which can be used to call an API to block a transaction in real time.

Architect Policy Enforcers, Monitors and Scanners to Interact and Share Their "Not Big" Security Data

Most organizations have already invested (and will keep investing) in firewalls, IPSs, WAFs, DLP and DAP, as well as in network, database and application security scanners. We have shown in this research that policy enforcers, monitors and scanners are intelligent technologies. Many (if not most) scanners, monitors and policy enforcers have their own scaled-down repositories that enable platform-specific analytics. These repositories contain security data such as application vulnerabilities detected by application scanners, or suspicious IP addresses detected by network firewalls. This data can be, and often is, analyzed in search of better remediation, detection or protection patterns and practices.

There is an evolving trend of having scanners, monitors and policy enforcers interact with one another and share their accumulated knowledge. One of the fundamental principles of SI is to make different technologies work together (see "Prepare for the Emergence of Enterprise Security Intelligence"). The essence of this principle is straightforward: when several technologies collaborate, they achieve two critical advantages. (1) The accuracy of detection and the effectiveness of protection rise, because discoveries made by one technology can be confirmed or disproved by another, different technology. (2) The breadth of coverage expands, because several technologies working together typically cover a broader spectrum of phases and processes than each can in isolation. For example, a DAST scanner can share its knowledge with a WAF, making the WAF more accurate in attack prevention.[1]
In turn, a WAF monitor can share its knowledge with DAST, making DAST more accurate in vulnerability detection (see "Application Security Detection and Protection Must Interact and Share Knowledge"). Today, many policy enforcers are run in monitoring mode out of fear of their inaccuracy; interaction and knowledge sharing with other technologies, such as DAST, makes organizations more willing to switch a WAF from monitoring to enforcing mode because of the increased accuracy. A static data masking (SDM) technology can share its knowledge of discovered (scanned) sensitive data with a dynamic data masking (DDM) monitor, thus making the latter more intelligent (for example, more accurate) in real-time data protection (see "Securing Production Data With Dynamic Data Masking"). SAST and DAST scanners share their knowledge to improve the overall accuracy of vulnerability detection. An interactive application security testing (IAST) technology enhances the accuracy of vulnerability detection by making the static and dynamic components of its technology interact in real time (see "Evolution of Application Security Testing: From Silos to Correlation and Interaction").

This interaction of scanners and monitors does not require big security data repositories such as SIEM. Their interaction among themselves is cost-effective and technologically effective, and yields strong detection, prevention and protection capabilities. We believe that the next wave of market consolidation will be fulfilled by policy enforcer or monitor vendors acquiring scanner vendors (and
vice versa) to enable a higher degree of security intelligence through the interaction of those technologies.

However, big security data repositories offer important analytical capabilities. Their immediate value is apparent when an exploit has taken place and preventive controls have proven ineffective. Repositories can help to identify the combination of events that could lead to an exploit, and help to enable early detection of breaches. Such analysis can advance the accuracy of detection and prevention systems, and the post-factum analytics of big repositories can feed security policy enforcers and scanners with additional knowledge, enabling them to act with higher accuracy. This is the area that distinguishes enforcers and scanners from repositories: security policy enforcers and scanners enable attack protection and prevention, while security data repositories increase the potential to enhance the accuracy and breadth of enforcers and scanners.

Recommendations

Security leaders seeking to increase their enterprises' SI should:

- Invest in having already-owned policy enforcement, monitoring and scanning technologies interact with one another.
- Evolve the "not big" platform-specific data repositories collected by monitors, policy enforcers and scanners, and make them share knowledge with one another.
- When possible or necessary, invest in the acquisition and operation of SIEM or other big security data repositories.

Recommended Reading

Some documents may not be available as part of your current Gartner subscription.
"Prepare for the Emergence of Enterprise Security Intelligence"
"Application Security Detection and Protection Must Interact and Share Knowledge"
"Evolution of Application Security Testing: From Silos to Correlation and Interaction"
"Enterprise Content-Aware DLP Architecture and Operational Practices"
"Best Practices for Managing Identity Data and Log Models to Optimize Identity Data Quality"

Evidence

[1] Sample vendors enabling DAST-to-WAF knowledge sharing:

DAST vendor WhiteHat Security offers native integration with F5 and Imperva WAFs, as well as Sourcefire's Snort IPS engine. Other vendors' WAFs or IPSs can be supported via an XML API.
DAST vendor Cenzic offers a feature that exposes generic XML-based vulnerability protection information produced by its DAST analysis for Barracuda Networks, Citrix, F5, Imperva and Trustwave WAFs.

DAST vendor NT OBJECTives introduced technology that generates rules for WAFs and IPSs, with out-of-the-box support for ModSecurity, Sourcefire Snort, Nitro Snort, Imperva and DenyAll.
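The DAST-to-WAF rule generation listed in the evidence above, and argued for in the Analysis section, is easiest to understand from a concrete rule set. The following is an added example, not part of the Gartner note and not any vendor's integration: it turns a constructed DAST export (finding id, vulnerability class, method, exact path, parameter) into ModSecurity "virtual patch" rules. The finding format, the rule-id range starting at 100000, the conservative character set accepted for paths and parameter names, and the use of the libinjection operators `@detectSQLi` and `@detectXSS` are all assumptions made for the illustration.

```python
"""Turn DAST findings into ModSecurity virtual patches (scanner-to-WAF knowledge sharing).

Added example, not from the Gartner note and not a vendor's integration: the finding
format below is constructed, and rule ids starting at 100000 are an arbitrary choice.
"""
import json
import re

# Constructed DAST export: each finding names the exact endpoint and parameter the
# scanner proved vulnerable. F-103 has no injectable parameter and cannot be patched this way.
SAMPLE_DAST_EXPORT = json.dumps([
    {"id": "F-101", "type": "sqli", "method": "POST", "path": "/account/login", "param": "username"},
    {"id": "F-102", "type": "xss",  "method": "GET",  "path": "/search",        "param": "q"},
    {"id": "F-103", "type": "csrf", "method": "POST", "path": "/profile",       "param": None},
])

# Finding classes the WAF can check at parameter level, and the ModSecurity operator for each.
OPERATOR_FOR_TYPE = {
    "sqli": "@detectSQLi",   # libinjection SQLi detector (ModSecurity 2.7.4 and later)
    "xss": "@detectXSS",     # libinjection XSS detector (ModSecurity 2.8.0 and later)
}

# Deliberately narrow (assumption): names with brackets or other characters must be
# reviewed by hand rather than silently turned into WAF configuration.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./\-]+$")


def _safe(token, what):
    """Scanner output is untrusted input to WAF configuration. A quote, space or
    newline in a path or parameter name would let a crafted finding inject actions
    into the rule set, so anything outside the conservative character set is rejected."""
    if not isinstance(token, str) or not _SAFE_TOKEN.match(token):
        raise ValueError(f"unsafe {what} in finding: {token!r}")
    return token


def finding_to_rule(finding, rule_id):
    """Return one chained ModSecurity rule for a finding, or None if it is not patchable.

    The chain is evaluated in order and the deny action on the first rule fires only
    when all three rules match: the method and exact path DAST reported, then the one
    named parameter. That scoping is what makes the patch precise enough to run in
    blocking mode instead of as a generic, noisy injection signature."""
    operator = OPERATOR_FOR_TYPE.get(finding.get("type"))
    if operator is None or finding.get("param") is None:
        return None
    fid = _safe(finding["id"], "finding id")
    method = _safe(finding["method"], "method").upper()
    path = _safe(finding["path"], "path")
    param = _safe(finding["param"], "parameter")
    return (
        f'SecRule REQUEST_METHOD "@streq {method}" '
        f'"id:{rule_id},phase:2,chain,deny,status:403,log,'
        f"msg:'Virtual patch {fid}: {finding['type']} in {param}',tag:'dast-virtual-patch'\"\n"
        f'    SecRule REQUEST_FILENAME "@streq {path}" "chain"\n'
        f'        SecRule ARGS:{param} "{operator}" "t:none,t:urlDecodeUni"'
    )


def generate_virtual_patches(export_json, base_id=100000):
    """Convert a DAST export into (rules, ids of findings that need a code fix instead)."""
    rules, unpatched = [], []
    for offset, finding in enumerate(json.loads(export_json)):
        rule = finding_to_rule(finding, base_id + offset)
        if rule is None:
            unpatched.append(finding["id"])
        else:
            rules.append(rule)
    return rules, unpatched


if __name__ == "__main__":
    rules, unpatched = generate_virtual_patches(SAMPLE_DAST_EXPORT)
    print("\n\n".join(rules))
    print("# not patchable at the WAF, remediate in code:", ", ".join(unpatched))
```

Two practitioner caveats follow from the note's own argument. The generated rules are only as good as the scanner's knowledge, so they should be deployed in a detection-only engine mode first and promoted to blocking once the scanner-reported endpoint and parameter are confirmed; and a virtual patch narrows the window of exposure but does not remove the vulnerability, which still needs a code fix (the `unpatched` list makes the findings that get no WAF coverage explicit).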
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.