In March 2012, Gartner published a report, Information Security Is Becoming a Big Data Analytics Problem, whose main subject is the correlation, analysis and mining of security information at large scale. In Gartner's view, BDA (big data analytics) changes not only SIEM but all security technologies, and becomes a key characteristic of next-generation security technology.
Gartner places BDA at the peak of expectations on its Hype Cycle.
I previously divided the use cases of BDA in network security into: security event management, APT detection, 0day/malicious code analysis, network forensic analysis, network traffic anomaly detection, security intelligence analysis, and user behavior analysis.
We can also look at the use cases Gartner lists:
- Building more accurate models and heuristics of malware and malicious activity based on broad visibility and having more computing power to perform the analysis (malicious code analysis)
- Community-based malware detection.
- Real-time ‘reputation services’ that correlate information across multiple logical entities simultaneously – for example, IP addresses, user identities, URLs, email and file objects. (reputation services)
- Massively parallel static analysis of source code and binaries looking for vulnerabilities (code security analysis)
- Correlation of threat data across multiple enterprises. (threat detection)
- Security policies that roam with the user as they move among networks we don’t own or control.
- Inter-platform correlation of data within next-generation security platforms (not Security Information and Event Management; SIEMs are more generic in nature).
- Seeking patterns of abnormal behavior from volumes of data from monitored transactions. (abnormal behavior analysis)
BDA has general-purpose characteristics and technical features, but when it is applied to network security, the characteristics of security data themselves and the goals of security analysis must also be taken into account; only then does the application of BDA deliver real value. For example, when we perform abnormal behavior analysis, or malicious code analysis and APT *** analysis, the analysis model is what matters. Only after that do we consider how to use BDA techniques (such as parallel computing, real-time computing and distributed computing) to implement that analysis model.
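As an added example (not code from the original post, nor from Gartner), the following Python script illustrates the point above for the abnormal-behavior use case: the analysis model is defined first, on its own, and the "big data" machinery only changes how the same model is executed. The model is deliberately simple: count events per user per hour, take each user's median hourly count as a baseline, and alert when an hour exceeds a multiple of that baseline. The counting stage is written as a map step over chunks of log lines and a reduce step that merges partial counts, so the identical model runs either sequentially or under a process pool. All log lines, user names, IP addresses and thresholds are constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from concurrent.futures import ProcessPoolExecutor
from statistics import median

# Assumed log format (constructed for this example): ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+)"
)


def build_sample_logs():
    """Constructed sample data: two users with a steady baseline, then one
    hour in which 'svc_backup' produces a burst of failed logins."""
    lines = []
    for hour in range(8, 14):
        for i in range(2):
            lines.append(f"2012-03-05T{hour:02d}:{i * 20 + 5:02d}:00Z "
                         f"user=alice src=10.0.0.5 action=login result=ok")
        for i in range(2):
            lines.append(f"2012-03-05T{hour:02d}:{i * 15 + 3:02d}:10Z "
                         f"user=svc_backup src=10.0.0.9 action=login result=ok")
    for i in range(30):
        lines.append(f"2012-03-05T13:{i:02d}:30Z "
                     f"user=svc_backup src=10.0.0.9 action=login result=fail")
    return lines


# --- Analysis model -------------------------------------------------------

def score(counts, factor=5.0, min_events=10):
    """Scoring stage: per user, baseline = median hourly event count.
    An hour is anomalous when it holds at least `min_events` events AND
    exceeds `factor` times the baseline. `min_events` stops tiny baselines
    (e.g. 1 -> 6 events) from alerting on noise."""
    per_user = defaultdict(dict)
    for (user, hour), n in counts.items():
        per_user[user][hour] = n
    alerts = []
    for user, hours in per_user.items():
        baseline = median(hours.values())
        for hour, n in sorted(hours.items()):
            if n >= min_events and n > factor * baseline:
                alerts.append((user, hour, n, baseline))
    return alerts


# --- BDA execution layer: map/reduce over chunks ---------------------------

def count_chunk(lines):
    """Map stage: count events per (user, hour) inside one chunk of lines.
    Unparseable lines are skipped rather than crashing the worker."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m["user"], m["hour"])] += 1
    return counts


def merge_counts(partials):
    """Reduce stage: sum the partial Counters produced by the map stage."""
    total = Counter()
    for partial in partials:
        total.update(partial)
    return total


def chunked(seq, size):
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def detect(lines, chunk_size=50, mapper=map):
    """Run the model. `mapper` is any map-like callable: the builtin `map`
    runs sequentially, `pool.map` from a process pool runs in parallel.
    The result is identical either way, which is the point."""
    partials = mapper(count_chunk, list(chunked(lines, chunk_size)))
    return score(merge_counts(partials))


if __name__ == "__main__":
    logs = build_sample_logs()
    print("sequential:", detect(logs))
    with ProcessPoolExecutor() as pool:
        print("parallel:  ", detect(logs, chunk_size=10, mapper=pool.map))
```

Note that the chunk size and the executor are execution parameters, while `factor` and `min_events` belong to the model; changing the former must never change the alerts, which is a cheap regression check to keep when a detection is moved onto a distributed platform.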
[References]