SAN FRANCISCO – Like other organizations, Zions Bancorporation was dealing with increased cyberthreats and had reached “security appliance fatigue.” With every new threat, a vendor would pop up with a new appliance.
The bank had a ton of security data, including Windows and IDS logs, but had difficulty leveraging it for security analytics. Two security information and event management (SIEM) systems helped with log analysis, but Zions reached the limits with existing technology in search of its goal of enabling a data-driven security strategy.
For the Salt Lake City-based bank holding company, the solution was found by leveraging one of the hottest concepts in information security: big data. More specifically, it harnessed information from its disparate security data sources by developing a Hadoop-based security data warehouse.
“Big data is not entirely hype…We think it’s a game changer for the industry,” Preston Wood, chief security officer at Zions said Thursday in a presentation at RSA Conference 2012.
Wood said the strategy for making use of security big data enables the company to mine data across the entire enterprise to speed up forensics investigations and improve fraud detection, as well as overall security.
The warehouse allowed Zions to gather data that had been spread across multiple locations, and to keep a couple of years’ worth of it, which is better for security modeling, said Michael Fowkes, director of fraud management. The warehouse stores more than 120 different types of data, including transactions, logs, fraud alerts, server logs, firewall logs and IDS logs. After two years of collecting data, it currently stores 120 terabytes.
Zions uses a layer of analytics tools, both commercial and custom, and analysts to mine data. “To derive value from data,” Fowkes said, “we obviously need people” who can dig into the data.
Aaron Caldero, data scientist at Zions, said his position represents an emerging field that involves applying statistical methodologies to filter and mine data. He described the process as a different way of looking at data security that enables proactive instead of reactive security.
“Being a data detective, I feel like Sherlock Holmes,” he said.
Fowkes said the biggest benefit with the big data strategy for forensics has been speed. In the past, incident response involved a time-consuming process of examining voluminous log files. “Having that in Hadoop is like having distributed grep,” he said.
Kelly White, director of information security at Zions, said the big data strategy has helped the company to improve threat modeling. For example, the security analyst team had already identified signs of a spear phishing attack, but combining that data with the statistical methodologies boosts the bank’s ability to identify potential attacks.
Account takeover – fueled by malware – is a major security problem for financial firms, Fowkes said, but the big data strategy helps Zions act quickly on the malware threat intelligence it receives from various sources and counter those threats.
In the future, Wood said, the bank would like to leverage analytics and intelligence for automatic response.
While implementing a similar system may seem daunting to some organizations, Wood told attendees that many of them likely have pockets of the skills needed for data-driven security analytics. Instead of relying on security products and the reports they produce, he advised security teams “to take a closer look at your data and gain that intelligence yourself.”
A big data security strategy isn’t a product you can buy, Wood said. He said organizations can start small and leverage the tools they have, and can investigate business intelligence or open source tools.
“View big data as a journey instead of a destination,” he said.