RSA Conference 2016 is now done. There were about 40,000 attendees, 500+ vendors, and countless hallway conversations. Key to this year’s conference was analytics. You could not walk the show floor without hearing someone extolling the virtues of one analytics product or another. Analytics was big. Of course, that was not all there was on the show floor. There were the typical identity solutions and even a few atypical ones, firewalls, and other items we would expect. But analytics reigned.
Analytics can help with many things, but only if it is well thought out. Why? Because analytics usually requires a huge amount of data to make any decisions. The more—and the more diverse—the better. The conference’s Innovation Sandbox included the following analytics tools, among others:
- ProtectWise, which provides a DVR for network packets so that you can analyze past network traffic as well as current traffic. This allows new algorithms to be run against older data to find hidden meaning that extends to the present.
- Bastille, which provides a unique way of looking at the RF signals emanating from your personal devices to come up with a new form of identity: an RF identity that represents a person. It also finds open devices and the like. This can be used to track individual devices, and it requires a bit of analytics.
- SafeBreach, which combines analytics with the ability to run white-hat attacks against your systems in an intelligent way, gaining information about your network of servers and devices while keeping them alive. At its core are the tools that perform the white-hat attacks, but it needs a bit of analytics to ensure the wrong ones are not used maliciously. Think Chaos Monkey from Netflix without the chaos.
On the show floor were even more, such as the following:
- ThetaRay, which looks at data in a different way. Instead of concentrating on the data itself, it concentrates on the differences between data. This provides an interesting intersection of analysis and detection possibilities.
- BehavioSec, which uses analytics to provide a different authentication factor by measuring and computing the rhythm with which a device is used, in many ways providing continuous authentication. This is very heavy on the math, but once again, a very interesting approach.
Then there are the standard analysis tools that look at log files and other data of that ilk, such as Splunk, LogRhythm, and others, as well as nearly any SIEM tool.
There were analytics to solve every problem you have from a security perspective, and that itself bothers me. Why? Mainly because the presenting companies, other than those in the Innovation Sandbox, did not share the basis of their analytics tools. Some even suggested that they did more than they actually do. I saw many that were limited to one particular problem with no expansion capabilities for other use cases.
Some tools bypassed analytics altogether: no need to analyze code, just use a new way to represent the language so that analytics are no longer required. That is what Prevoty (also in the Innovation Sandbox) presented. Its LANGSEC approach to coding applications removes the need for heavy analytics for breach detection by doing all interpretation at the language level. There were also tools like Menlo Security and Bromium that simply do not care about analytics: they allow malware and virus-infected code to detonate and run without infecting anything outside their container technologies. Granted, the two are very different from each other, but they are also very powerful tools. Why do analysis when you can prevent attacks?
Even when tools prevent attacks, they also have built-in capabilities to provide analytics, so that you know which attacks they are defeating as well as which are prevalent in a given vertical. This information will help with the architecture and design of future products.
No matter which approach you take, analytics is a part of it. And it should be. Analytics should also be expanded upon, not confined to solving one problem. How do you use analytics to help secure your environment?
To view all the Innovation Sandbox videos, go to:
These are well worth viewing!
Author: Edward Haletky