Cloud security - a chain is as strong, as it's weakest link!

© 2011-2013 Cloudspread. All rights reserved. The Cloudsprea logo and Cloudspread are registered trademarks. Other product and company names are the trademarks or registered trademarks of their respective owners. This case study is for informational purposes only. CLOUDSPREAD MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Cloud Security

Cloud Security ensures encryption and key

management software that helps

organizations lock down virtual machines

and their data so they remain secure

throughout their life-cycle in the private, public or

hybrid cloud. Broadly speaking, it does. But, there is

more to it. We need to see a holistic picture of the

cloud pointing to the security check points. There are

numerous of end points to be considered to get a

feeler that how exhaustive this intangible monster

could be? Let’s look at the various aspects of the

cloud that we must discuss and take a deep dive to

get a thorough understanding to build a security, we

can trust! Let’s step back a little before we take a long

jump.

The advent of Internet, as we know, it started as a public sector project that quickly transformed, into what it is today - a large, interconnected network that never turns off and connects an unimaginable number of different devices in the public and private sectors. Moreover it includes those that control the financial system, critical infrastructure, and a number of other devices used in different industries. Well, the same question arises, as it did earlier, more than a decade ago, how do

we secure it? Today, the ‘Cloud Security’ is picking up the momentum to the same magnitude. Every organization has its own security parameters defined to defend their

http://www.cloudspread.in/



applications, data, and devices that are exposed to threats from the outside world. And, they have policies, procedures, standards, firewalls, built in architectures in their application design, and numerous check points in their infrastructure network to secure themselves. If we observe carefully, most of such measures taken by the organizations have become standards acknowledged in the Information and Communication Technology (ICT) space and the non-IT industries at large. Well, the onus is on the technology companies, ISPs, and the IT community to ensure that the fundamentals of the cloud computing is not compromised and so is the ‘Cloud Security’. In fact, the entire cloud community, small-medium businesses, large enterprises, public sector organizations, and the educational institutions must have their facts right at the first place, to sync in the standard procedures and best practices required to offer the benefits derived from the cloud computing. As long, we are committed to offer a credibility in a secured cloud model to the end users, we can build a stronger environment to spread the benefits of the cloud technology to the masses, who can be no more reluctant to use it, in their everyday life. Again, going back to Internet evolution, we had similar challenges, but this time stakes are really high!!

There are many challenges that needs to be addressed. For instance, understanding cyber-risk: the nature of the company’s activities, serious data breaches that occur either through basic human error and/or as a result of sophisticated unethical hacking activity. How do we model threats, security resources, controls and outcomes: First, we need to understand what is ‘Threat modeling’? It is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of threats to the system. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of a storage device), and that can compromise the assets of an enterprise. The key to threat modeling is to determine where the most effort should be applied to keep a system secure. This is a variable that changes as new factors develop and become known, applications are added, removed, or upgraded, and user requirements evolves. What are the ‘Security Resources’ available? How do we deal with sophisticated attacks? How do we automate security building trusted network infrastructures? What to monitor in terms of privacy? How do we address assurance and privacy? Friends! We cannot ignore the service lifecycle management (describe, customize, deploy, adapt, migrate, and tear-down) to the ‘Big Data’ security in a large scale cloud infrastructure. Where is this ‘Big Data’, and ‘Cloud’ that we are trying to secure? We talk all the time at the coffee vending machines, water cooler chit chats, board rooms, and so on, about the so called ‘Buzz Word’ that has not only acquired a pace over a period of time, but has been well acknowledged across the industry to make a lot of sense that can be easily seen through speed and benefits we have acquired in our everyday lives. How can we ignore when both the words have ‘Big’ and ‘c-Loud’ in it?

The cloud is everywhere! Well, that's what the marketing folks would have us believe, anyway. For security professionals, migrating systems, applications, and data to the cloud presents a new set of challenges to tackle. What kind of policies do we need, and how


can we work with legal teams to incorporate rules and policies into the binding contracts protect interest of cloud creator, provider and the end user? How can we protect sensitive data with encryption, intrusion detection and prevention, host and network access controls? Can we extend identity and access management tools and processes into the cloud?

Fundamentally, the cloud represents a move towards an environment, where information security teams are giving up some measures of control over how data and applications are protected. Due to capital and operational cost savings, cloud-based services are becoming more attractive to business and organization leaders, and information security teams will need to understand their options well, when presenting the risks involved to the management. In Cloud Security Fundamentals, our goal is to arm information technology security teams with the knowledge they need to assess risks in moving to the cloud. Everyone - Managers, auditors, sys-admins, and network administrators will be benefited, as we take a deep dive into the technologies available for securing cloud-based assets, while covering all the policies, processes, and compliance considerations that go along with this major technology shift.

Let’s look at some of the key check points, where we can ensure that most obvious entry points to break-in the environment are gated and seamlessly integrated. When developing our cloud security strategy, we need to make sure it aligns with our overall IT security strategy and is an integrated component of our IT and Business environment. We shall discuss – how to manage identities and user access, how to monitor and audit application and data, how to scan and protect network from threats in a cloud environment, and how to establish intelligence across the cloud? Let’s start with Identity and Access Management.

Manage Identities and User Access

Identity and access management, what does that really mean? Whose identity we are talking about? Why do we need to manage it? How is this going to make our cloud secure? Do you know what it is? True! It is merely a process to securely managing the entire life cycle of digital identities, the profiles of people, configuration interfaces, systems, and services, as well as the use of emerging technologies to control access to company resources. As we know digital identity is the representation of a set of claims made by a ‘digital subject’ including, but not limited to, computers, resources, or persons about itself or another digital subject. The goal of identity management, therefore, is to improve companywide productivity and security, while lowering the costs associated with managing users and their identities, attributes, and credentials. According to Verizon 2013 Data Breach Investigations Report, 14% of breaches tied to insiders, privilege misuse.


On the other hand, access management is the process of regulating access to information assets by providing a policy-based control on, who can use a specific system based on an individual's role and the current role's permissions and restrictions. When combined, these two processes form the foundation of an effective IAM (Identity and Access Management) program. We need to have a robust ‘IAM’ strategy. Something that can make a combination of processes,

technologies, and policies enabled by software to manage user identities throughout their life cycle. More specifically, the goal of IAM is to initiate, capture, record, and manage user identities and their related access permissions to proprietary information and other company resources. User identities can extend beyond corporate employees and include vendors, customers, floor machines, generic administrator accounts, and electronic access badges. Let’s examine some of the challenges that can make our task even difficult. A chain is as strong, as its weakest link, and when it comes to IT security. IAM is the weakest link in many organizations. For example, many IT departments store identity credentials as data objects in different data repositories. Because these organizations can have hundreds of discrete identity stores containing overlapping and conflicting data, synchronizing this information among multiple data repositories turns into a challenging, time consuming, and expensive ordeal. Especially, if the data is managed through the use of manual processes or custom scripts.

Another key challenge is related to cost. As a general rule, the costs of managing user identities should be as low as possible to ensure a reasonable return on investment in the IAM project. Too often, identity management projects become too large or cumbersome to finish on schedule; after all, there will always be more applications to integrate into the system. This can be accomplished by scaling identity life cycle management activities efficiently across various applications and network resources and employing as little staff as possible to manage IT applications.

Monitor and Audit – Applications and Data Security

Moving on to our next milestone in a cloud security environment is; to Monitor and Audit – Applications and Data Security. Let’s see the application security to begin with. Broadly speaking, it is nothing, but the use of software, hardware, and procedural methods to protect applications from external threats. During an application development phase, if an afterthought persist in software design security, it becomes an important concern latter, as application becomes more accessed over networks. As a result, expose it’s vulnerability to larger and wide variety of threats. To prevent this occurrence, security measures built in the applications and a strong application security routine could minimize the likelihood of an unauthorized code to manipulate applications to access, steal, modify,



or delete sensitive data. Actions taken to ensure application security are sometimes called countermeasures. The most basic software countermeasure is an application firewall that limits the execution of files or the handling of data by specific installed programs. The most common hardware countermeasure is a router that can prevent the IP address of an individual computer from being directly visible on the Internet. Other countermeasures include conventional firewalls,

encryption/decryption programs, anti-virus programs, spyware detection/removal programs and bio-metric authentication systems.

This is not enough, we need to raise the security bar. Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does (or will do) with respect to these assets, creating a security profile for each application, identifying and prioritizing potential threats and documenting adverse events and the actions taken in each case. This process is known as threat modeling. In this context, a threat is any potential or actual adverse event that can compromise the assets of an enterprise, including both malicious events, such as a denial-of-service (DoS) attack, and unplanned events, such as the failure of a storage device.

Today, companies understand very clearly, the importance of auditing the compliance of IT systems, which host their applications and data, to assess effectiveness in enforcing their corporate, industry or government requirements and policies. As a baseline, consumers should expect to see a report of the cloud provider's operations by independent auditors. Unfettered access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to and self-management of audit event, log and report information relevant to a consumer's specific data or applications.

We have established fair ground to identify certain areas that are crucial and must be considered. What are those vital areas and considerations that we cannot overlook? Well, security compliance tends to be a significant element of any compliance framework. There are three significant areas where the consideration of security methods for cloud computing are of particular interest to cloud consumers and to the auditors: Firstly, understanding the internal control environment of a cloud provider, including risks, controls and other governance issues when that environment touches the provision of cloud services. Secondly, access to the corporate audit trail, including workflow and authorization, when the audit trail spans cloud services. Thirdly, assurance of the facilities for management and control of cloud services made available to cloud consumers by cloud providers and how such facilities are secured. Finally, understanding the control environment of a cloud provider. Does it ensure isolation of consumer application and



data in shared, multi-tenant environments? Does it provide protection to consumer assets from unauthorized access by the cloud provider staff? Do they manage the necessary associated information to enable forensic analysis to understand how any particular incident occurred, what assets were compromised and what policies, procedures and technologies need to be changed to prevent recurrence, along with any additional security controls that need to be established.

The most crucial part of the cloud security lies in its binding and measurability of services rendered out of a cloud, an important

consideration to be taken into account. It is critical that privacy issues are adequately addressed in the cloud contract and service level agreement (SLA). If not, the cloud consumer should consider alternate means of achieving their goals including seeking a different provider, or not putting sensitive data into the cloud computing environment. For example, if the consumer wishes to place, The Health Insurance Portability and Accountability Act (HIPAA) ‐ covered information into a cloud computing environment, the consumer must find a cloud service provider that will sign a HIPA business associate agreement or else not put that data into the cloud computing environment.

Integrity check, how do we ensure that ‘application whitelisting’ or ‘Blacklisting’ could be helpful in a cloud scenario. We have done in the past in a typical extra layer of malware defense, to our IT application environment earlier. May be it can form a part of policy for us to continue that way securing the application from a preventive stand point of view. Application security poses specific challenges to the cloud provider and consumer. Organizations must apply the same diligence to application security as they do for physical and infrastructure security. If an application is compromised, it can present liability and perception issues to both the cloud provider and to the consumer. Especially, if the ultimate end users of the application are customers of the consumer rather than employees J In order to protect an application from various types of breaches, it is important to understand the application security policy considerations based on the different cloud deployment models. We cannot ignore the fact from the consumer’s point of view that there is a cost to the consumer to ensure these considerations are applied. Friends!! The cost are typically built into technology, resources, interventions, and audits. However, these costs are peanuts, if we compare to the potential liability damages and loss of reputation from an application security breach could have occurred in its absence to save cost. Something that is not worth saving, the loss is irrecoverable!

Scan and Protect the Network from Threats



How do we protect our cloud network infrastructure? Do we need to scan and protect the network from threats – Server and Network Security? Where this network infrastructure does resides in the cloud? Are these the same data centers? Well, the word ‘datacenter’ has long evoked images of massive server farms behind locked doors, where electricity and cooling were as important as network security to maintain reliability and availability of data. Perimeter security controls are the most common approach taken for traditional datacenter security. This approach typically includes perimeter firewall, demilitarized zones (DMZ), network segmentation, network

intrusion detection and prevention systems (IDS/IPS) and network monitoring tools. According to Verizon 2013 Data Breach Investigations Report, the proportion of breaches incorporating social tactics like phishing was four times higher in 2012. Last year, 76% of network intrusions exploited weak or stolen credentials. By now, we are well familiar with concepts of ‘Data Centers’, and ‘Virtualization’, it been serving the industry for a while. We have witnessed the tremendous favorable results of these concepts that has brought us a long way!! Here again, it pops a question, how good these concepts are from a cloud security point of view. Do we need to integrate these concepts more securely to facilitate a secure cloud environment? True! We need to analyze the Virtual Machines from a cloud security stand. Talking about virtual machines, which contain critical applications and sensitive data, off premise to public and shared cloud environments creates security challenges for organizations that have relied on network perimeter defense as the main method to protect their datacenter. It has triggered our concern to revoke compliance and breach security policies issues. Yes, we cannot ignore it. On one hand, we do acknowledge that increased competitive advantage, cost savings, expanded capacity and failover flexibility are a way too tempting at cloud computing. And, on other hand, we constantly, feed our fear and asking: Will I still have the same security policy control over my applications and services? Can I prove to my organization and my customers that I am still secure and meeting my SLAs? How can I minimize the scope of a compliance audit? Am I still compliant, and can I prove it to my auditors? To overcome our fear, let’s look at the impact of virtualization technology, which is enabling the cloud computing revolution.



Gaps and Vulnerabilities in Virtualization

Advancements in virtualization technologies enabled enterprises to get more computing power from the underutilized capacity of physical servers. The traditional datacenter footprint is shrinking to enable cost savings and “greener” IT through server consolidation. Enterprises and service providers are using virtualization to enable multi-tenant uses of what used to be single-tenant or single-purpose physical servers. Extending virtual machines to public clouds causes the

enterprise network perimeter to evaporate and the lowest-common denominator to impact the security of all. The inability of physical segregation and hardware-based security to deal with attacks between virtual machines on the same server highlights the need for mechanisms to be deployed directly on the server, or virtual machines.

At first glance, the security requirements for cloud computing providers would appear to be the same as traditional datacenters — apply a strong network security perimeter and keep the bad guys out. However, as previously stated, physical segregation and hardware-based security cannot protect against attacks between virtual machines on the same server. For cloud computing providers to gain from the efficiencies of virtualization, virtual machines from multiple organizations will need to be co-located on the same physical resources. Let’s look at some of the key concerns of ‘Cloud Security’ that enterprises are usually, worried about. Firstly, administrative access to servers and applications - it offers “self-service” access to computing power, most likely via the Internet. In traditional datacenters, administrative access to servers is controlled and restricted to direct or on premise connections. In cloud computing, this administrative access must now be conducted via the Internet, increasing exposure and risk. It is extremely important to restrict administrative access and monitor this access to maintain visibility of changes in system control. Secondly, Dynamic Virtual Machines – as we know virtual machines are dynamic, they can quickly be reverted to previous instances, paused and restarted, relatively easily. They can also be readily cloned and seamlessly moved between physical servers. This dynamic nature and potential for VM sprawl makes it difficult to achieve and maintain consistent security. Vulnerabilities or configuration errors may be unknowingly propagated. Also, it is difficult to maintain an auditable record of the security state of a virtual machine at any given point in time. In cloud computing environments, it will be necessary to be able to prove the security state of a system, regardless of its location or proximity to other, potentially insecure virtual machines. Thirdly, vulnerability exploits and VM-to-VM attacks - Cloud computing servers



use the same operating systems, enterprise and web applications as localized virtual machines and physical servers. The ability for an attacker or malware to remotely exploit vulnerabilities in these systems and applications is a significant threat to virtualized cloud computing environments. In addition, co-location of multiple virtual machines increases the attack surface and risk of VM-to-VM compromise. Intrusion detection and prevention systems need to be able to detect malicious activity at the virtual-machine level, regardless of the location of the VM within the virtualized cloud environment. Fourthly, securing dormant virtual machines - Unlike a physical machine, when a virtual machine is offline, it is still available to any application that can access the virtual machine storage over the network, and is therefore susceptible to malware infection. However, dormant or offline VMs do not have the ability to run an antimalware scan agent. Dormant virtual machines may exist not just on the hypervisor but can also be backed up or archived to other servers or storage media. In cloud computing environments, the responsibility for the protection and scanning of dormant machines rests with the cloud provider. Enterprises using cloud computing should look for cloud service providers that can secure these dormant virtual machines and maintain cohesive security in the cloud. Fifthly, performance impact - Existing content security solutions were created prior to the concept of x86 virtualization and cloud computing and were not designed to operate in cloud environments. In a cloud environment, where virtual machines from different tenants share hardware resources, concurrent full system scans can cause debilitating performance degradation on the underlying host machine. Cloud service providers providing a baseline of security for their hosting clients can address this problem by performing resource-intensive scans at the hypervisor level thereby eliminating this contention at the host level. Sixthly, data integrity: co-location, compromise and theft- Dedicated resources are expected to be more secure than shared resources. The attack surface in fully or partially shared cloud environments would be expected to be greater and cause increased risk. Enterprises need confidence and auditable proof that cloud resources are neither being tampered with nor compromised, particularly when residing on shared physical infrastructure. Operating system and application files and activities need to be monitored. Seventhly, encryption and data protection - Many regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS) and Health Insurance Portability and Accountability (HIPAA) includes requirements for the use of encryption to protect critical information—such as cardholder data and personally identifiable information (PII)—to achieve compliance or safe harbor in the event of a breach. The multitenant nature of the cloud amplifies these requirements and creates unique challenges with the accessibility and protection of encryption credentials used to ensure data protection. Eighthly, patch management - The self-service nature of cloud computing may create confusion for patch management efforts. Once an enterprises subscribes to a cloud computing resource—for example by creating a web server from templates offered by the cloud computing service provider—the patch management for that server is no longer in the hands of the cloud computing vendor, but is now the responsibility of the subscriber. Keeping in mind that according to Verizon 2013 Data Breach Investigations Report, 47000+ incidents reported. In their previous reports, it was found 90% of known


vulnerabilities that were exploited had patches available for at least six months prior to the breach, organizations leveraging cloud computing need to keep vigilant to maintain cloud resources with the most recent vendor supplied patches. If patching is impossible or unmanageable, compensating controls such as “virtual patching” need to be considered. Ninthly, policy and compliance - Enterprises are experiencing significant pressure to comply with a wide range of regulations and standards such as Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-

Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization. In

addition to auditing practices such as Statement on Auditing Standards (SAS 70) and International Organization for Standards (ISO). Enterprises need to prove compliance with security standards, regardless of the location of the systems required to be in scope of regulation, be that on premise physical servers, on premise virtual machines or off-premise virtual machines running on cloud computing resources. Tenthly, perimeter protection and zoning - In cloud computing, the enterprise perimeter evaporates and the lowest common denominator impacts the security of all. The enterprise firewall, the foundation for establishing security policy and zoning for networks, can either no longer reach cloud computing servers, or its policies are no longer in the control of the resource owner, but the responsibility of the cloud computing provider. To establish zones of trust in the cloud, the virtual machines must be self-defending, effectively moving the perimeter to the virtual machine itself. Finally, ne'er-do-well corporate resources - Eager for immediate computing resources and results, non-IT savvy individuals and groups are jumping at cloud computing. Nothing against such individuals or groups, but what they do not realize is important corporate data and applications are being deployed in the cloud, possibly unaware to the security implications.

Many organizations want the savings and efficiency benefits of cloud computing, but don’t want to sacrifice traditional levels of control and security. Security is traditionally applied at the network perimeter; this disappears in cloud-based computing, in which borderless networks connect many types of users with enterprise private data centers and cloud based resources. Some transactions, such as a remote worker accessing Salesforce.com, don’t even pass through the corporate network or scanning systems.

Borderless Network Architecture

Border-less Network architecture addresses this challenge, securing cloud computing by placing intelligent control points and endpoints throughout the network. What we need today is a consistent, enforceable, high performance security and policy regardless of where or how users access the Internet. With numerous data center locations spread around the globe. The cloud security services in a network services must include a special web-based management and monitoring interface for customers who need complete control over their gateways. How about an on-premises key server such that; it can manage envelope encryption keys for large organizations. For instance, if we consider email encryption, recipients can open the message by interacting with the key server, even though the actual message and envelope are never stored in the cloud. Let’s take


another illustration, when a roaming user accesses the Internet, all traffic is tunneled and backhauled to one or more scanning elements within the enterprise. If the content is high-volume like YouTube streaming media, where basic header and response checks show no security or acceptable use risks, the client is permitted to fetch the content directly. As a result, this increases the performance and efficiency of high-bandwidth applications. Then, question arise, how do we control it from a cloud security point of view. We can control this intelligent split passageway without

sacrificing the cloud security. We need a mobility solution that puts security filtering in the cloud, protecting the user’s choice of endpoint devices without relying on client-based anti-virus or regular OS patches as well. Here is an interesting scenario for HR folks! Who could be concerned, when a user ends employment with an organization, the enterprise security team must disable that person’s access in every SaaS account he or she used. When there are multiple SaaS applications, such as Saleforce.com and google Apps, this becomes a time-consuming and error-prone process. Users also have separate passwords for each SaaS application; forgetting these results in frequent password reset requests. To address this issue of SaaS Revocation, in which authentication to Security Assertion Markup Language (SAML)-enables SaaS applications proxy. With a single click, we can grant or revoke access for specific users or groups, for multiple applications. A single authentication server, can provide access control for SaaS applications, VPN connectivity, web proxy authentication, and more. What it supports is nothing fancy, but a corporate directory integration for many SaaS applications, with policy and access controls.

Evaluating a cloud service provider, brings out the million dollar question on its credible resources and transparency in security maintained. When a service provider is used, part of the assumption is the responsibility for security includes determining, what security the service provider offers for the underlying infrastructure. What certifications does the service provider have? Does the service provider follow any current cloud computing security standards? What level of visibility or transparency is provided into the underlying infrastructure configurations and security? While cloud vendors control certain security elements, the burden is on the enterprise to ensure that security provisions meet the business’s security requirements.

Establish Intelligence across the Cloud

Establish intelligence across the cloud – Detect Security and Compliance risk with real-time Intelligence. Early breach discovery requires effective user activity, data access and application activity monitoring. Today, cloud service providers’ have their dependency on



threat intelligence and security analytic that has driven them to adopt a mechanism to detect threats, breaches, and need to maintain compliance required to protect consumers’ interest with a higher degree of cloud security demanded in dealing with sensitive flow of data, software application set up, processing rules, standardization requirements, secured mobility solution, and third party accessibility norms. The security information and event management (SIEM) plays an important role in building the cloud security even stronger through its unique ability

to have a built in intelligence to handle things in an intuitive and diligent way. This approach, inculcated into cloud security, further acknowledges the customer's need to analyze security event data in real-time for internal and external threat management, and to collect, store, analyze and report on log data for incident response, forensics analysis and regulatory compliance.

Security Intelligence solutions have evolved from a number of technologies, we are familiar with. It builds on the data collection capabilities and compliance benefits of log management, the correlation, normalization and analysis capabilities of SIEM (security information and event management), the network visibility and advanced threat detection of NBAD (network behavior anomaly detection), the ability to reduce breaches and ensure compliance provided by risk management, and the network traffic and application content insight collected through network forensics. Why do we need network behavior anomaly? How is this going to help us in cloud security? Most security monitoring systems utilize a signature-based approach to detect threats. They generally monitor packets on the network and look for patterns in the packets which match their database of signatures representing pre-identified known security threats. NBAD-based systems are particularly helpful in detecting security threat routes in two scenarios, where signature-based systems cannot. Either it’s a new zero-day attacks or, when the threat traffic is encrypted such as the command and control channel for certain Botnets.

Attackers also perform extensive scouting of spear phishing targets and then compromise their accounts via social engineering tactics. Antagonist often exploit zero-day vulnerabilities to gain access to data, applications, systems and endpoints. Actually, they communicate over a variety of channels to infiltrate data from the targeted organization. For challengers, their canvas become even bigger with farther reach in cloud environment. In that case, we are all the more vulnerable and need to firm our security turns higher. How do we overcome it in a cloud scenario where networks are borderless and tracking down the perpetrators are even harder! We must have a security with intelligence built into it. But, how do we make this happen? To combat these and other sophisticated threats, organizations must adopt new approaches that help spot anomalies



and subtle indicators of attack. Doing so requires collecting and analyzing data from the security infrastructure and beyond—including traditional log and event data as well as network flow data, vulnerability and configuration information, identity context, threat intelligence and more. Precisely, security is becoming a big data problem.

Security intelligence is the continuous real-time collection, normalization and analysis of data generated by users, applications and infrastructure. It integrates functions that have typically been segregated in first-generation security information and event management (SIEM) solutions, including log management, security event correlation and network activity monitoring. Data collection and analysis goes well beyond traditional SIEM, with support for not only logs and events, but also network flows, user identities and activity, asset profiles and configurations, system and application vulnerabilities, and external threat intelligence within the single warehouse.

Integrated security intelligence solutions harness security-relevant information from across your organization, and use analytics and automation to provide context and helps to detect threats faster, identify vulnerabilities, prioritize risks and automate compliance activities. Well, what it does provides a security intelligence platform that applies real-time correlation and anomaly detection across a distributed and scalable repository of security information. With the help of ‘Big Data’ analytics that enables more accurate security monitoring and better visibility to travel our way into a secured cloud environment.