These devastating attacks, which infiltrate networks and steal highly sensitive data and are sometimes called advanced persistent threats (APT), are driven by human actors able to hide their malevolent presence within networks effectively. Today, says MacDonald, we just don't know what "goodness" and "badness" look like in terms of network activity. "You have to know what goodness looks like" to understand "deviations from goodness," he points out.
Big data is offering new possibilities for security analysis, which could mean that one category of security tool in use today, security information and event management (SIEM), along with related tools that do not fit neatly into that category, will have to evolve, analysts contend.
To some extent that has already started, says MacDonald, pointing to RSA's threat-detection product NetWitness and the HP ArcSight SIM, among others. Some startups, including CrowdStrike, are claiming they will tackle the APT problem in new ways.
But will SIEM evolve to be able to process business-related big data or not? And is the whole idea that business data can be added to more traditional SIEM data, from firewalls, servers, IPS and the like, to provide meaningful intelligence on an attacker simply a pleasant illusion?
"People can't get the answers they want from SIEM tools," said Forrester analyst John Kindervag. He said something new is going to have to happen, of which SIEM tools might be a part.
Of all the analysts on the RSA panel, Jon Oltsik with Enterprise Strategy Group appeared the most skeptical that big data is going to be the answer to the APT problem.
"My fear is we'll capture more data and not know what to do with it," Oltsik commented. He said chief information security officers (CISOs) in the enterprise today aren't sold on the idea that big data is going to somehow be a special boon to security. "When I talk to CISOs and ask about big data, they laugh," he commented.
Still, some early adopters of big data security approaches are hopeful.
Zions Bancorporation has set up a massive repository for proactively analyzing a combination of real-time security and business data in order to identify phishing attacks, prevent fraud and ward off hacker intrusions. Announced last October, it's based on the Zettaset Data Warehouse, which makes use of Hadoop for data-intensive distributed applications. Preston Wood, chief security officer at Zions, has described it as a way to augment a SIM tool and look at massive amounts of historical business data for security purposes.
SIEM vendors, including NetIQ, say they know the buzz around big data and security is just beginning.
"This is where SIEM has to go," said Matt Ulmer, director of product management at NetIQ, maker of the Sentinel SIEM. Ulmer said the industry is starting on a path to re-invent SIEM by incorporating business intelligence. Big data could detect what's out of a normal pattern, says Ulmer, noting that Sentinel 7.0 does incorporate more context for data.
"But how do you define the good?" Ulmer asked, pointing out that an attacker "will take over an account, so the question is, is that the employee or the attacker?" He said stealthy attack actions may only pop up for a few seconds at most every day, so the goal is to distinguish the trusted insider from the attacker. Big data may be able to provide a lot of assistance in that.
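As an added illustration of the "deviation from goodness" idea that MacDonald and Ulmer describe (this is not code from the article or from any product named in it), the block below learns a per-account baseline of working hours and source hosts from a few constructed authentication log lines, then flags a single out-of-pattern login by a known account. The log format, user names and host names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <source host> <action>"
BASELINE_LOG = """\
2012-03-01T08:02:11 alice ws-alice login
2012-03-01T17:31:40 alice ws-alice logout
2012-03-02T08:10:05 alice ws-alice login
2012-03-02T18:01:33 alice ws-alice logout
2012-03-05T07:58:20 alice ws-alice login
2012-03-05T17:45:02 alice ws-alice logout
2012-03-01T09:15:00 bob ws-bob login
2012-03-02T09:05:12 bob ws-bob login
2012-03-05T09:20:47 bob ws-bob login
"""

# Constructed events to score against the baseline: one ordinary login and one
# brief login from an unfamiliar host at 3 a.m., the "few seconds a day" case.
NEW_LOG = """\
2012-03-06T08:05:10 alice ws-alice login
2012-03-06T03:12:44 alice vpn-gw-17 login
"""

def parse(log):
    """Yield (timestamp, user, host, action) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, user, host, action = line.split()
        yield datetime.fromisoformat(ts), user, host, action

def build_baseline(log):
    """Profile each account by the hours of day and source hosts observed in the learning window."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host, _ in parse(log):
        profile[user]["hours"].add(ts.hour)
        profile[user]["hosts"].add(host)
    return profile

def score_event(profile, ts, user, host):
    """Return the list of ways an event deviates from its account's baseline (empty = consistent)."""
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    # Tolerate ordinary variation: an hour within one hour of a previously seen hour is normal.
    if not any(abs(ts.hour - h) <= 1 for h in p["hours"]):
        reasons.append(f"hour {ts.hour:02d} outside baseline")
    if host not in p["hosts"]:
        reasons.append(f"host {host} never seen for {user}")
    return reasons

def find_deviations(profile, log):
    """Run every event in the log through score_event and keep only the flagged ones."""
    return [(ts.isoformat(), user, reasons)
            for ts, user, host, _ in parse(log)
            if (reasons := score_event(profile, ts, user, host))]
```

Real deployments would build the baseline from far more history and more attributes (data volumes, destinations, peers), but the shape is the same: learn what normal looks like per account, then surface the rare event that does not fit it.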
But Ulmer adds that there are many practical obstacles facing the big data concept for security.
One practical obstacle is the current push to put enterprise data into cloud computing, which makes things harder for the traditional SIEM approach, used until now on premises inside the enterprise network. Another obstacle is that security managers hopeful about big data will be in the position of drawing up data-management strategies and recommendations about something that remains very cutting-edge today. In an era when other corporate issues, such as whether to adopt "Bring Your Own Device" for mobile devices, are already a big topic with management, adding big data could be a hard sell.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.