Massive security breaches, like the Target breach last December, and the infamous TJX breach in 2007, have something conspicuously in common: The data that would have enabled the companies to detect those breaches existed in their environments, and proper data analysis would have found them. The reason companies aren’t finding such breaches earlier is that they lack the data analytics talent necessary to do so.
I came away with that understanding from a recent interview with Alex Moss, a veteran IT security expert and managing partner at Conventus, an information security consulting firm in Chicago. The next generation of IT security pros, Moss says, will be data analysts.
Moss encapsulated the crux of the situation this way:
One of the things we’re seeing, and that people are finally acknowledging, is that we’re experiencing a gap in talent right now. The skills that are coming out of schools, that we need in the security space—in IT as a whole, but in particular in IT security—are inadequate. The focus needs to be on Big Data—and I’m using that term in spite of its overuse—not just in security, but across all of IT, to analyze and take advantage of the data that we have available to us. We absolutely do not have the talent.
Moss explained that hackers are increasingly targeting user accounts, and he said today’s security tools aren’t capable of alerting companies to those intrusions:
What it requires is a data analyst. All of this data would exist—it’s going to exist in the logs when the user logs on to his computer, when he logs in remotely, when he accesses a data store, when he logs in to an individual application. There are all of these touch points, and all of this data that’s being generated. The concept of SIEM [security information and event management], this automatic magic box that was supposed to do all this correlation work for us—it never really delivered. It was an empty promise for a lot of us, and we resorted to just simple log aggregation to meet compliance requirements, and we haven’t done a lot with the data. … With respect to talent, what we’re going to need as security evolves are people who are analytical in nature, as opposed to technical in nature. We’ll always need the technical people—I’m a technical guy, and always have been. When we started getting into this and looking at it, for me it started with the failure of SIEM, and the frustration our customers felt when we were trying to implement SIEM. It didn’t deliver what they had been promised, or what they expected, or some combination thereof.
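As an added illustration of the correlation work Moss describes (not code from the article, from Moss or from Conventus), the block below joins constructed log lines from the four touch points he names per user and attaches business context to the result. The detection rule, the 15-minute window and the role table are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the article): one line per touch point,
# "timestamp source user action key=value ...".
LOGS = """\
2013-11-27T08:02:10 workstation alice console-logon host=WS-112
2013-11-27T08:40:00 app alice login app=timesheet
2013-11-27T09:05:30 vpn alice remote-login src=203.0.113.9
2013-11-27T09:06:12 datastore alice read store=cardholder-db rows=250000
2013-11-27T09:10:00 workstation bob console-logon host=WS-204
2013-11-27T09:12:00 datastore bob read store=cardholder-db rows=40
"""
# Constructed business context: the stores each account is expected to touch.
CONTEXT = {"alice": {"role": "hvac-contractor", "stores": set()},
           "bob": {"role": "fraud-analyst", "stores": {"cardholder-db"}}}

def parse(text):
    """Turn flat log lines into event dicts with a real timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, source, user, action, *kv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "action": action,
                       **dict(p.split("=", 1) for p in kv)})
    return events

def correlate(events, context, window=timedelta(minutes=15)):
    """A remote login followed within `window` by a read of a data store
    outside the account's role is one finding; it carries the role and
    whether the same account is also logged on locally, so it is actionable."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        ctx = context.get(user, {"role": "unknown", "stores": set()})
        local = any(e["action"] == "console-logon" for e in evs)
        for i, ev in enumerate(evs):
            if ev["action"] != "remote-login":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["source"] == "datastore" and later["store"] not in ctx["stores"]:
                    findings.append({"user": user, "role": ctx["role"],
                                     "store": later["store"], "rows": int(later["rows"]),
                                     "remote_src": ev["src"], "also_local": local})
    return findings
FINDINGS = correlate(parse(LOGS), CONTEXT)  # one finding, for alice only
```

The same six events would feed a plain log aggregator as six unrelated records; the per-user join and the role table are what turn them into a single finding with context.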
The Target and TJX cases, Moss pointed out, are perfect examples of how essential it is to acquire the data analytics talent to identify intrusions before it’s too late:
In the Target case, someone came out and said they alerted Target that they had an issue—it was supposedly the smoking gun. What they don’t say is how many other alerts went along with that. They said, “We told them this was an issue on this day, at this time.” What they don’t say is, “Oh, we also told them 800 other things that day.” I’m sure there was zero business context around that alert. We don’t know that, and I don’t know that we ever will. But I don’t think we’ve seen a smoking gun, because I don’t think there was one. In the TJX example years before, they went back to the logs and said, “Here’s what happened.” In almost every example that we’ve ever seen, the data existed in the environment to indicate what had happened. There were footprints. What we’re not doing is teaching people how to find those footprints before it’s too late. Some of our customers do have people with those skill sets, and they’re extraordinarily good at what they do. But they’re a different breed of person. They’re not someone who grew up wanting to be a security engineer. They are truly data analysts. But there’s going to be a serious gap in the data analysis market. And I wish I was a data analyst. If I could send my kids to college for one thing, it would be to be a data analyst, because they’re going to make a lot of money in the next five to 10 years.