My friends on Wall Street and Sand Hill Road will likely place a number of bets on big data security analytics in 2014. Good strategy as this market category should get loads of hype and visibility while vendor sales managers build a very healthy sales pipelines by March.
Yup, there should be plenty of opportunities for big data security analytics to enter the enterprise security mainstream because of:
- Continuing problems with incident detection and response. Existing monolithic security analytics tools are no match for advanced malware, stealthy attack techniques, and the growing army of well-organized global cyber adversaries. When CISOs get finished buying advanced malware tools from Bit9, Damballa, FireEye, and Invincea, they often realize that they still need to supplement new layers of defense with real-time and asymmetric big data security analytics. This will generate RFIs/RFPs, evaluations, and actual sales.
- Moore’s law and open source. Multi-core 64-bit Intel servers with 10gbps network interfaces are lightning fast and relatively cheap. These boxes have the necessary horsepower for massive data crunching for stream and batch processing – the yin and yang of big data security analytics. On the software side, security vendors are accelerating development cycles by customizing open source tools like Cassandra, Hadoop, MapReduce, and Mahout for security analytics purposes. This should help to accelerate innovation.
- Tons of activity on the supply side. Aside from the usual suspects like HP, IBM, McAfee, and RSA Security, CISOs will likely field calls from a list of newcomers. Some, like 21CT, ISC8, Hexis Cyber Solutions, Leidos, Narus, and Palantir will move beyond government business alone and push into the private sector (also, don’t be surprised to see some Washington giants like Booz Allen, Lockheed, and Raytheon as well). Others, like Click Security, Fortscale, and Netskope (Note to CISOs, be open minded here and cast a wide net. Some of these new vendors have intelligence backgrounds and understand this stuff to a greater degree than pedestrian security sellers).
So there is market demand, supportive technology trends, and lots of innovators. What’s more, this stuff actually is built on brainy mathematical models and algorithms that can really, really work. What can possibly hold this market back then? Unfortunately, there are a still market hurdles like:
- User education. To really get big data security analytics you need pretty deep understanding of technical elements like switching/routing, operating systems, logs, flows, IP packet meta data, DNS, applications, DHCP, network/endpoint forensics, malware properties, malware behavior, and known threat vectors. Oh and you may need data architects, statisticians, and data scientists help as well. Some enterprises have a few, but not many people with these skills and they are incredibly hard to come by these days. Others will need their hands held through lengthy research, education, and requirements gathering. These activities will put the kibosh on a lot of deals.
- Big data security analytics is a solution, not a product. Even if you know all of the topics listed above, you still have to figure out how to glue it all together in your organization. What data should you collect? How will you collect it? Do you have the right processes and procedures to design, deploy, and operate big data security analytics? Where do you start and how do you proceed? This is antithetical to the historical security practices at many firms who’ve simply reacted to new threats by purchasing the latest security widget Du Jour. Unfortunately, this tactical approach won’t work here -- the questions listed above can’t be circumvented or ignored. Note to CISOs: If a vendor tells you it has a turnkey solution, show them the door as fast as you can!
- Security analysts will need to be sold on new types of analytics tools. Security analysts working in the SOC are a quirky crew. In general, they are cynical, highly-technical, impetuous, and independent. They tend to base their security analysis on instincts and follow an asymmetric investigation process that involves open source tools, Excel pivot tables, and scripts. These folks are really good at what they do but often fully-utilized with little wiggle room for more work. Oh yeah, it’s also really hard to recruit and hire them as well. The SOC and security analyst team needs to fully support and buy into any big data security analytics project from start to finish. Smart CISOs will make sure that vendors provide trainers with skills and experience that align with this team. Furthermore, security analysts must be willing to change processes and workflow for investigations to fully utilize big data security analytics systems.
On balance, I expect strong interest and growing revenue for big data security analytics solutions in 2014. Nevertheless, there is lots of work ahead. Vendors must prepare for enterprise challenges with the right services, communications, education, architectures, and industry partnerships to help CISOs navigate through complex planning, deployment and operations. Alternatively, enterprise organizations must go into big data security analytics projects with eyes wide open, and be ready for a lot of technical details, architectural decisions, and process changes.