The big data security analytics market is in its genesis with enterprise players (HP, IBM, RSA Security), security vendors (Lancope, LogRhythm, McAfee, Solera Networks, Splunk), government integrators (Boeing (Narus), LexisNexis, SAIC), and startups (21CT, Click Security, Packetloop, RedLambda) all jumping into the water. CISOs should expect abundant innovation and lots of competition over the next few years.
Given this market movement, how can security professions judge the roadmap for big data security analytics solutions? Moving forward, ESG believes that leading solutions will push innovation in five key areas:
- Intelligent algorithms. Bleeding-edge organizations like Zions Bank had teams of programmers, data scientists, and subject matter experts to roll their own big data security analytics solution, but few organizations have these resources or budgets. This market reality means that security vendors must fill this hole with canned analytics and algorithms. For example, ESG sees a lot of promising innovation in machine learning algorithms and cluster analysis designed to improve the scope and intelligence of anomaly detection. Future development in this area will include “nested algorithms” where individual machine, network, or application behavior patterns are combined for more systemic behavioral analytics.
- Visualization. Data visualization for security remains extremely elementary, dominated by pie charts, graphs, and Excel spreadsheet pivot tables. Visualization technology is an emerging area today but there is an increasing amount of research and development happening, primarily in places like U.S. national labs and academic institutions. Additionally, the annual VizSec conference in Atlanta Georgia (www.vizsec.org) is dedicated to the study and proliferation of data visualization for cybersecurity. Over time, CISOs should expect big changes in this area, with new types of visualization hardware, tablet-like data manipulation, and 3-D graphics for pattern matching, risk scoring analysis, and data pivoting.
- Security analyst affinity. Security analysts tend to conduct investigations with haphazard methodologies, pivoting from one query to the next using spreadsheets, scripting, and SQL. Smart security vendors will study these methods and skills, using them as input for future functionality of big data security analytics solutions. For example, Apache Pig (i.e., Pig Latin) abstracts Java MapReduce programming to a format that resembles SQL. Given this, it makes sense to use Pig for big data security analytics since most security analysts are familiar with SQL but not necessarily Java programming. Similarly, security analysts often have dozens of individual windows open on their desktops to support ongoing security investigations. Tools that enable security analysts to modify data views and redirect queries with ease will improve upon current open windows investigative tactics.
- Network-wide and cloud-based data sharing and cooperation. Successful big data security analytics vendors will encourage a network community of customers, developers, analysts, and security researchers. The goal? Share security intelligence, best practices, algorithms, and use cases amongst a community of interested parties. For example, financial services vendors may share discoveries about phishing scams while e-commerce vendors collaborate on fraud detection. In the best cases, individual security professionals will be able to connect and cooperate together with facilitation, but not interruption, from big data security analytics vendors.
- Additional security services. Aside from incident detection and security investigations, there is already big data security analytics product development in other areas such as risk management, regulatory compliance, and fraud detection. It is likely that these kinds of big data security analytics will develop with a mix of real-time and asymmetrical product capabilities. For example, big data security analytics for real-time risk management will provide continuous monitoring for situational awareness, rogue assets, configuration management, and vulnerability detection while asymmetric big data security analytics for risk management will be used for risk management planning, scoring, and investment decisions. Organizations can use asymmetric big data security analytics to develop risk scores that help them better focus resources, investment, and security priorities to where they are needed most.
Product and SaaS providers that focus on feature/functionality in these 5 areas will become big data security analytics leaders over the next three to five years. This is a very big market opportunity so expect a lot of churn, excitement, hyperbole, and technical advancement.