The software-defined data center (SDDC) requires a new breed of security tools, ones that handle not only the velocity of data generated within a secure hybrid cloud but also its volume and variety. This new breed of security tools uses big data backends to manage the incoming data, yet it asks different questions of that data than such products normally do: security questions. These tools either started as some form of performance management tool or employ performance management techniques to provide the data to be queried. Bernd Harzog has been writing about the SDDC management stack for some time now, but he has left the security component relatively empty, because until recently (within the last few months) very few products actually fit the requirements of the stack (Figure 1).
Those requirements include integration with other tools as well as the ability to apply self-learning analytics to data stored within a big data repository. The analytics must automatically learn about the environment, provide insight into what is happening within it, and support automatable remediation. In addition, from a security perspective, the tools need to approach the problem from a nontraditional angle. Traditional approaches rely on signatures and other well-known fingerprints to detect attacks. This is a losing battle, as attackers do everything they can to hide their signatures and fingerprints; they can employ masking tools so that most antivirus and antimalware vendors would never see the software at all. To combat malware, we need a new approach: the one discussed in the white paper Using Application Performance Management for Security.
The approach is to use software that records data as it accrues and determines whether any new data falls outside the norm for an application. If it does, act upon it: the action could be a workflow, automatic remediation, or simply raising an alert. Determining what is normal for an application requires big data and analytics, which are also a major part of my own Secure Hybrid Cloud Reference Architecture (Figure 2).
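As a concrete illustration of this "learn the norm, flag the exception" approach, here is a minimal Python sketch. It assumes a single numeric metric per application; the metric name, window size, and threshold are illustrative choices, not taken from any particular product. Samples that fall several standard deviations outside a rolling baseline trigger a placeholder action.

```python
from collections import deque
from statistics import mean, stdev

class MetricBaseline:
    """Learns what is 'normal' for one application metric and flags outliers."""

    def __init__(self, window=500, threshold=3.0):
        self.history = deque(maxlen=window)   # rolling window of recent samples
        self.threshold = threshold            # how many std-devs counts as abnormal

    def observe(self, value):
        """Record a sample; return True if it falls outside the learned norm."""
        abnormal = False
        if len(self.history) >= 5:            # wait for a handful of samples before judging
            mu, sigma = mean(self.history), stdev(self.history)
            abnormal = sigma > 0 and abs(value - mu) > self.threshold * sigma
        if not abnormal:
            self.history.append(value)        # only 'normal' samples update the baseline
        return abnormal

def on_abnormal(metric_name, value):
    """Placeholder action: raise an alert, kick off a workflow, or trigger remediation."""
    print(f"ALERT: {metric_name} value {value} is outside the learned norm")

# Usage: feed samples (e.g., outbound bytes per minute) as they accrue.
baseline = MetricBaseline()
for sample in [102, 98, 101, 99, 100, 97, 103, 100, 5000]:
    if baseline.observe(sample):
        on_abnormal("outbound_bytes_per_minute", sample)
```

A real tool would keep a baseline per application and per metric, but the core loop is the same: learn, compare, and act only on the exceptions.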
Yet even with the advances of this new breed of security tool, there is still the problem of getting log data from your SaaS or PaaS applications into your big data repository, regardless of where that repository lives, whether in the data center or in the cloud. The two architectures overlap around big data repositories and analytics (as well as several other areas). The key is that we need to understand our applications, how users use those applications, and how our data moves within them. To do this, we first need to understand what counts as normal behavior. Once we know what is normal, we can target the abnormal. To get data from cloud resources into our big data repository, we can depend on the logging capability of the clouds and applications, or find some way to tap the important parts of that data stream. Application performance monitoring (APM) tools can tap that data stream for us, and there is also a new breed of tools for getting better security-specific logs out of clouds.
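As a hedged illustration of tapping that data stream yourself, the sketch below forwards security-relevant application events to a central syslog collector using Python's standard logging module. The collector address and event fields are placeholders; products such as Adallom or Splunk forwarders would be configured through their own mechanisms rather than code like this.

```python
import logging
import logging.handlers

# Hypothetical collector address -- replace with your syslog/Splunk forwarder endpoint.
COLLECTOR = ("logs.example.internal", 514)

logger = logging.getLogger("app.security")
logger.setLevel(logging.INFO)

# Standard-library syslog handler; any log engine indexing this feed can analyze it.
handler = logging.handlers.SysLogHandler(address=COLLECTOR)
handler.setFormatter(logging.Formatter(
    "app=%(name)s level=%(levelname)s msg=%(message)s"))
logger.addHandler(handler)

# Emit security-relevant application events so the big data repository sees them.
logger.info("user=alice action=login source_ip=198.51.100.7 result=success")
logger.warning("user=alice action=bulk_download bytes=1073741824")
```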
The products of interest are:
- Adallom: Provides a way to retrieve security-related data from cloud services. In essence, Adallom records sessions, raises security alerts, and feeds data via syslog into other log engines, such as Splunk, for further analysis.
- DB Networks: Provides a database-specific tool that looks for the myriad forms of SQL injection attack. It lives very close to the data and performs behavioral analysis on the SQL statements issued; anything outside the norm, or an outright SQL injection attack, warrants further investigation (see the baselining sketch after this list).
- Splunk App for Enterprise Security: Provides a way to query all the Splunk data you have in your repository for security alerts. The Splunk community adds to the queries available for security purposes.
- Prelert Anomaly Detective 3.0: Uses APM data as the basis for finding abnormal events related to security issues, such as data being sent or received outside your normal mechanisms.
- AppFirst: Takes an APM approach, providing a way to monitor log files as well as to search them for security-related elements based on a growing set of queries.
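To illustrate the kind of behavioral analysis the DB Networks bullet describes (this is a generic sketch, not that product's actual method), the following Python fragment reduces SQL statements to structural fingerprints, learns which fingerprints an application normally issues, and flags anything new, such as a tautology-style injection.

```python
import re

def fingerprint(sql: str) -> str:
    """Collapse literals so structurally identical statements share one fingerprint."""
    s = sql.strip().lower()
    s = re.sub(r"'[^']*'", "?", s)        # string literals  -> ?
    s = re.sub(r"\b\d+\b", "?", s)        # numeric literals -> ?
    s = re.sub(r"\s+", " ", s)            # normalize whitespace
    return s

class SQLBaseline:
    """Learns the set of statement shapes an application normally issues."""

    def __init__(self):
        self.known = set()

    def train(self, sql: str):
        self.known.add(fingerprint(sql))

    def is_abnormal(self, sql: str) -> bool:
        return fingerprint(sql) not in self.known

baseline = SQLBaseline()
for stmt in ("SELECT * FROM orders WHERE id = 42",
             "SELECT * FROM orders WHERE id = 7"):
    baseline.train(stmt)

# Same shape as the training traffic: considered normal.
print(baseline.is_abnormal("SELECT * FROM orders WHERE id = 99"))          # False
# Tautology-style injection changes the statement's shape: flagged for review.
print(baseline.is_abnormal("SELECT * FROM orders WHERE id = 42 OR 1=1"))   # True
```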
There are also open-source approaches to this style of analysis that, instead of looking for the needle in the haystack, remove the haystack from the picture. Events in log files and big data repositories that are considered normal behavior can be ignored; once you sift that data out, whatever is left is treated as abnormal. Of course, once this method of analysis is known, attackers will try to behave more like normal applications, which is one reason many web application firewalls fail. The tools mentioned here, and those under development, fall into a different category: they wait for the attacker to perform the abnormal act, whether to access the data, break the system, or delve further into your network.
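A minimal sketch of the "remove the haystack" idea, with hypothetical patterns standing in for whatever your environment considers routine:

```python
import re

# Patterns that describe routine, expected log events (the "haystack").
NORMAL_PATTERNS = [
    re.compile(r"health[- ]check", re.I),
    re.compile(r"GET /static/"),
    re.compile(r"cron job .* completed"),
]

def remove_haystack(log_lines):
    """Drop everything matching a known-normal pattern; whatever remains is suspect."""
    for line in log_lines:
        if not any(p.search(line) for p in NORMAL_PATTERNS):
            yield line

sample_log = [
    '10.0.0.5 "GET /static/logo.png" 200',
    'health-check from load balancer OK',
    'cron job nightly-backup completed',
    '203.0.113.9 "POST /admin/export?table=users" 200',
]

for suspect in remove_haystack(sample_log):
    print("REVIEW:", suspect)
```

Only the bulk-export request survives the filter, which is exactly the point: the analyst's attention goes to the small residue, not the full stream.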
We can no longer rely on signature-based security. We need to apply behavioral analysis to determine what is normal behavior, what is suspect behavior, and what is a security breach. By first ruling out what is normal, we have a much smaller chunk of data to query, and we can then go back into the mass of available data to find how the attack began. Attackers are crafty; we need first to collect the data and then analyze it intelligently via self-learning analytics. Only then can security tools fit within the future SDDC management stack of the secure hybrid cloud.
What questions do you ask of your self-learning analytics tools for security purposes?