Government security workers are struggling with big data.
As they try to protect their networks and valuable data assets from an evolving and varied group of malicious actors, public-sector security workers say their efforts are slowed by an incomplete picture of their infrastructure, and that they often only detect threats after they have been inside the enterprise for some time.
Those are among the new findings of a study from the government IT consortium MeriTalk, underwritten by Splunk, a vendor that provides big-data analytics security technology.
In that poll of just over 300 government security workers at the federal, state and local levels, respondents indicate that, on average, a threat will exist within their networks for 16 days before being detected.
And that might understate the case, says Adam Cohn, director of public policy and government affairs at Splunk, who cites other estimates that threats can go undetected for far longer.
"It's possible it may be more optimistic than the reality," Cohn said in an interview.
Data analytics could improve threat detection
There is, of course, no such thing as perfect security, and when the survey asked about "threats," it was using the term broadly, indicating that there is likely a wide range in the nature and severity of the issues the respondents face.
Nevertheless, even the new poll suggests an unacceptable lag time between when malicious actors infiltrate a system and when they are typically discovered, which only then sets in motion the process of trying to close the vulnerability and assess and mitigate the damage.
"I think it does show that these attackers are getting into systems and staying there for longer than these government agencies would like," Cohn says.
The survey finds that there is a broad recognition among government workers that they could shore up their enterprise by making better use of data from across their networks, with 86 percent saying that improved analytics could help their organization significantly improve their security posture.
More specifically, large segments of respondents say that with better big data analytics in hand, they could more effectively detect breaches as they occur, monitor data streams in real time, and perform better post hoc analyses of the causes of a breach.
But there's a disconnect. Just 28 percent say that they are using big data to bolster security, and only one in three say that it's a priority within their organization.
"One possibility is that they just have a number of competing priorities, right now," Cohn says.
"Government agencies are operating in a challenging environment where they have budget constraints, and they face a very tough threat environment."
As much as Splunk evangelizes for a big-data analytics platform to help address security issues, Cohn notes that that approach is only one element of the "multi-faceted" framework that government agencies should adopt when evaluating their security posture.
But as more devices and applications are admitted into the network, data production has soared, and it's small wonder that 68 percent of respondents say that their organization is overwhelmed by that volume, and 78 percent say that at least some of the data goes unanalyzed, either because of a lack of resources or because workers don't have the requisite skills to conduct the analysis.
"Government organizations have right now access to a wealth of cybersecurity-related information," Cohn says. "The challenge is harnessing the data and connecting the dots in real time."
That gets to a larger issue within the agency. Too often, security pros say they are playing catch-up, that the attackers are always a step ahead: 76 percent of respondents describe their security teams as reactive, rather than proactive.
However, 92 percent say that they are working to improve their security posture. Of those, 65 percent say they are investing in technology, and 51 percent say they are deploying a solution to address network analysis and visibility. Half of the respondents say that they are investing in training for their current security team, but just 31 percent say they are hiring additional staff.
Proactive approach to security involves shift from traditional concepts
Cohn argues that Splunk's concept of shifting away from traditional perimeter defenses and reorienting security around real-time data analysis can help agencies achieve a more proactive approach to security, though he acknowledges that the transition also entails a cultural shift within government IT circles.
"What we're talking about is not just adopting a technology but basically adopting a new mindset or big-picture approach. If instead of relying just on conventional technologies, you are basically putting a big data analytics platform at the center of what you're doing ... then you can harness that data from a comprehensive point of view and use it to drive security improvements, so basically it's a data-focused security approach," Cohn says.
"They're able to detect things much more quickly, they're able to remediate things much more quickly, so that puts them in the driver's seat," he adds.