New Group Seeks Dialogue On Security Data Sharing, Mining

Open Security Intelligence community champions methods for harvesting security information
SAN FRANCISCO -- B-Sides San Francisco 2011 -- Most enterprises already have more than enough security data. The question is how to efficiently mine that data to find the source of a hack or build a better data defense strategy.

That's the premise behind the launch of a new security community, Open Security Intelligence, here yesterday. The open, online community, founded by security information and event management (SIEM) tool vendor SenSage, hopes to become a nexus for security managers to share best practices in making better use of the data collected by security and log management tools.

"Organizations could use the same tools that they currently use for the mining of business data to mine their security data," said Joe Gottlieb, CEO of SenSage. "We believe that SQL could become the new universal security signature language."

"There is a massive disconnect between vendors and users about how to work with security data," said Andrew Hay, an analyst with the 451 Group. "Some vendors say they are open, but what they're doing is some give and mostly take. That's not open."

The OSI community is a place where security professionals can go to share best practices in harvesting security data from log files and security systems, Gottlieb said. When an enterprise finds an effective way to query security data and get real results, it would be able to post that query to the OSI community, enabling other security professionals to use it as well.

The community also hopes to foster the evolution of SIEM and log management tools, which have been used for a decade but often still do not yield the benefits that many enterprises had hoped for.

"If you look at Delta Airlines, they have a sophisticated process for setting ticket prices that is based on intelligence they've gathered about what customers are willing to pay at a specific time of day on a specific route," Gottlieb said. "They're making intelligent decisions using a whole warehouse of available data. We can apply that same concept and technology to security."

Some large, national defense departments already are using data mining tools and SQL to create a common method of querying security data and identifying exploit patterns, Gottlieb said. "It's already being done," he said. "The OSI community will give companies a chance to share those practices and intelligence."
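What Gottlieb's "SQL as a universal security signature language" and the shareable query idea above look like in practice, as an added example that is not from the article, from SenSage, or from any national defense department: a brute-force-then-success signature run with SQLite from Python over a constructed authentication log. The table schema, column names, the 5-failure threshold and the 10-minute window are all assumptions; the log rows are made up.

```python
import sqlite3

# Constructed sample authentication records (not from the article), shaped as
# (ts, src_ip, user, result). Timestamps use SQLite's 'YYYY-MM-DD HH:MM:SS'
# text form so that datetime() arithmetic and string comparison agree.
SAMPLE_AUTH_LOG = [
    # 203.0.113.5 hammers bob's account and then gets in: the pattern we want
    ("2011-02-14 09:00:01", "203.0.113.5", "bob", "FAIL"),
    ("2011-02-14 09:00:04", "203.0.113.5", "bob", "FAIL"),
    ("2011-02-14 09:00:07", "203.0.113.5", "bob", "FAIL"),
    ("2011-02-14 09:00:11", "203.0.113.5", "bob", "FAIL"),
    ("2011-02-14 09:00:15", "203.0.113.5", "bob", "FAIL"),
    ("2011-02-14 09:00:19", "203.0.113.5", "bob", "FAIL"),
    ("2011-02-14 09:00:23", "203.0.113.5", "bob", "SUCCESS"),
    # alice mistypes her password twice: benign, below the threshold
    ("2011-02-14 09:05:00", "198.51.100.7", "alice", "FAIL"),
    ("2011-02-14 09:05:10", "198.51.100.7", "alice", "FAIL"),
    ("2011-02-14 09:05:20", "198.51.100.7", "alice", "SUCCESS"),
    # carol's failures are hours old: outside the default window
    ("2011-02-14 07:00:00", "192.0.2.9", "carol", "FAIL"),
    ("2011-02-14 07:00:30", "192.0.2.9", "carol", "FAIL"),
    ("2011-02-14 07:01:00", "192.0.2.9", "carol", "FAIL"),
    ("2011-02-14 07:01:30", "192.0.2.9", "carol", "FAIL"),
    ("2011-02-14 07:02:00", "192.0.2.9", "carol", "FAIL"),
    ("2011-02-14 09:30:00", "192.0.2.9", "carol", "SUCCESS"),
]

# The "signature": for every successful login, count failures from the same
# source against the same account inside the preceding window. Threshold and
# window are bound parameters so the query can be shared and tuned without
# editing the SQL text. The auth_log schema and column names are assumptions.
SIGNATURE_SQL = """
SELECT f.src_ip,
       f.user,
       COUNT(*)  AS failures,
       MIN(f.ts) AS first_failure,
       s.ts      AS success_ts
FROM auth_log AS s
JOIN auth_log AS f
  ON  f.src_ip = s.src_ip
  AND f.user   = s.user
  AND f.result = 'FAIL'
  AND f.ts <  s.ts
  AND f.ts >= datetime(s.ts, '-' || :window || ' minutes')
WHERE s.result = 'SUCCESS'
GROUP BY f.src_ip, f.user, s.ts
HAVING COUNT(*) >= :threshold
ORDER BY s.ts
"""


def load_auth_log(rows):
    """Load (ts, src_ip, user, result) tuples into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_log ("
        " ts TEXT NOT NULL, src_ip TEXT NOT NULL,"
        " user TEXT NOT NULL, result TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO auth_log VALUES (?, ?, ?, ?)", rows)
    # The join key; on a real warehouse this index is what keeps the signature cheap.
    conn.execute("CREATE INDEX auth_log_key ON auth_log (src_ip, user, ts)")
    conn.commit()
    return conn


def run_signature(conn, threshold=5, window_minutes=10):
    """Return (src_ip, user, failures, first_failure, success_ts) hits."""
    cur = conn.execute(
        SIGNATURE_SQL, {"threshold": threshold, "window": window_minutes}
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = load_auth_log(SAMPLE_AUTH_LOG)
    for hit in run_signature(db):
        print("brute-force-then-success: ip=%s user=%s failures=%d "
              "first_failure=%s success=%s" % hit)
```

With the defaults only bob's account is flagged; lowering the threshold to 2 also flags alice's two typos, and widening the window to three hours pulls in carol's stale failures. That tunability is the point of binding threshold and window as parameters, and also the caveat for a community-shared query: it is only portable between organizations that agree on the table layout, the timestamp format, and the meaning of the result column, so a posted signature needs its assumed schema posted alongside it.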

The OSI community is designed to help security professionals who spend a great deal of time in data analysis, Gottlieb said. SenSage believes that these highly skilled data analysts -- sometimes called "quants" in the business intelligence arena -- are becoming increasingly needed in the security department.

"Organizations must understand where they are most vulnerable, where they have been hacked, and why," Hay said. "The [OSI] initiative is an innovative way to help organizations everywhere improve the process of mining security data to find the right information."
