Splunk and the Cybersecurity Act of 2012

“The United States confronts a dangerous combination of known and unknown vulnerabilities in the cyber domain, strong and rapidly expanding adversary capabilities, and limited threat and vulnerability awareness.”[1]

I recently listened to the final set of hearings on The Cyber Security Act of 2012. The bill was developed, “…in response to the ever-increasing number of cyber attacks on both private companies and the United States government.” The bill is really about critical infrastructure protection as may be managed, owned or operated by either the government or the private sector.  It’s a bi-partisan bill and combines efforts from past sessions from the Senate Committees on Commerce, Homeland Security and Governmental Affairs, and Intelligence Committees. The bill would empower the Department of Homeland Security the responsibility to:

  • Conduct risk assessments to determine which sectors are subject to the greatest and most immediate cyber risks
  • Determine in partnership with the private sector cybersecurity performance requirements based upon the risk assessments of critical infrastructure systems and assets
  • Assets covered would be those whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations.

The bill promotes information sharing between the public and private sector but also takes into account civil liberties and privacy. Finally, it seeks to improve the Federal Information Security Management Act (FISMA) by amending it to move “agencies away from a culture of compliance to a culture of security by giving the Department of Homeland Security authority to streamline agency reporting requirements and reduce paperwork through continuous monitoring and risk assessment.”

The bill also would emphasize “red team” exercises and operational testing to ensure federal agencies are aware of their network vulnerabilities.

Where a Splunk big data security strategy fits

Having a big-data-for-security strategy is crucial for reducing risk for both private and publicly-operated critical infrastructure systems. As a big-data analytics platform that can collect any data type and scale to collect tens of terabytes of data per day, Splunk can analyze patterns in structured and unstructured data, allowing the user to pose questions to the data representing IT risk-based scenarios. By analyzing patterns in large data sets with analytics, users can observe business processes and human or machine behaviors and judge whether these are in compliance with company policy or far from norm. The same can be said for critical infrastructure where in a smart grid, a shut-off of power is observed in the data which could then be correlated with a work-order system to know if the shut off was legitimate. If this is deemed illegitimate shut off, this information should then be further correlated with service truck GPS data to know who might be in the area.

Recognizing and understanding anomalous activity patterns of machine or human behavior is particularly important for “red team” exercises where imagination, creativity and role-play help the security team think like the attacker. Once these “red team” exercises are complete Splunk can operationalize the red team scenarios and monitor for abnormal patterns in normal user activities.

A big-data for security strategy can illuminate unknown threats, harness the creativity of the security team, provide continuous monitoring and situational awareness and streamline agency reporting for FISMA.

John Kindervag, Senior Analyst, Security & Risk Management at Forrester Research, Andrew Hay, Senior Security Analyst for 451 Research’s Enterprise Security Practice and I will all be discussing the role big-data plays in a new security strategy at South by Southwest (SXSW).

[1] Department of Homeland Security Secretary Janet Napolitano, in testimony to the Senate Committee on Homeland Security and Governmental Affairs on February 16, 2012.

Posted by