<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NIST SP 800-137</title>
	<atom:link href="http://www.thecre.com/cm/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.thecre.com/cm</link>
	<description>Guide for Continuous Monitoring of Information Systems and Organizations</description>
	<lastBuildDate>Tue, 21 May 2013 20:00:24 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Deputy federal CIO outlines future priorities</title>
		<link>http://www.thecre.com/cm/?p=12568</link>
		<comments>http://www.thecre.com/cm/?p=12568#comments</comments>
		<pubDate>Tue, 21 May 2013 19:59:36 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.thecre.com/cm/?p=12568</guid>
		<description><![CDATA[From: FCW By Frank Konkel With Federal CIO Steven VanRoekel called away on White House business, Deputy CIO Lisa Schlosser stepped in to talk about federal IT priorities via Skype at the ACT-IAC Management of Change 2013 conference in Cambridge, Md. Her message, similar to those VanRoekel has delivered recently, centered on increased innovation, improved&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12568">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://fcw.com/articles/2013/05/21/schlosser-moc-keynote.aspx">FCW</a></p>
<p>By Frank Konkel</p>
<p>With Federal CIO Steven VanRoekel called away on White House business, Deputy CIO Lisa Schlosser stepped in to talk about federal IT priorities via Skype at the ACT-IAC Management of Change 2013 conference in Cambridge, Md.</p>
<p>Her message, similar to those VanRoekel has delivered recently, centered on increased innovation, improved cyber and information security, a CIO Council-led effort to implement continuous monitoring in the federal space, and cost-cutting measures such as strategic sourcing and shared services.</p>
<p>Schlosser said the Office of Management and Budget wants agencies to move toward increased headquarters-based authorities to take advantage of commodity IT services while reducing duplication. Savings, she said, can be reinvested in mission-driven initiatives and innovation, which the government would like to incorporate in &#8220;every single thing we do.&#8221;</p>
<p>&#8220;That is the ideal state,&#8221; Schlosser said. &#8220;We want to move toward models where headquarter levels have authority to run commodity priorities, so they can take advantage of commodity services and find savings in commodity IT. Agencies can then use those savings to invest in better opportunities. We want to take advantage of economies of scale so we can invest more in mission capabilities.&#8221;</p>
<p>Schlosser also discussed the PortfolioStat initiative&#8217;s successes thus far &#8212; which include $2.5 billion in savings identified through &#8220;face-to-face, evidence-based review&#8221; of entire agency portfolios &#8212; and signaled where its next version, PortfolioStat 2.0, is headed. The revamped PortfolioStat <a href="http://fcw.com/articles/2013/03/13/fdcci-portfoliostat.aspx">encompasses</a> the OMB-driven <a href="http://fcw.com/articles/2013/05/14/data-center-hearing.aspx">Federal Data Center Consolidation Initiative</a>, though Schlosser said OMB&#8217;s focus has shifted from consolidation to optimization.</p>
<p>The shift comes after the Government Accountability Office and members of Congress criticized OMB for not tracking cost savings and relevant metrics in data center consolidation.</p>
<p>&#8220;We want to capitalize on virtualization, not just cost savings,&#8221; Schlosser said.</p>
<p>She added that first-year deliverables for the Obama administration’s Digital Government Strategy will be released soon and said officials will continue to push for continuous monitoring of federal IT systems in the next few years. The government&#8217;s efforts thus far in that arena, led by the Department of Homeland Security and the CIO Council, will be highlighted in a soon-to-be-published document.</p>
<p>&#8220;You&#8217;re going to see a very big focus in the next two to three years on implementing and moving government from paper-based security monitoring to a continuous monitoring model,&#8221; Schlosser said. &#8220;We must be proactive in our threat detection.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12568</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Threats and Opportunities Growing in Cybersecurity</title>
		<link>http://www.thecre.com/cm/?p=12564</link>
		<comments>http://www.thecre.com/cm/?p=12564#comments</comments>
		<pubDate>Fri, 17 May 2013 20:23:18 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.thecre.com/cm/?p=12564</guid>
		<description><![CDATA[From: National Defense Magazine By Tim Larkins The federal government will spend about $10 billion on cybersecurity in fiscal  year 2013. That number could grow to $13 billion in fiscal year 2014.  For most federal agencies, cybersecurity is one hot-button issue that will not soon  disappear. Determining what to defend against will play a large&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12564">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://www.nationaldefensemagazine.org/archive/2013/June/Pages/ThreatsandOpportunitiesGrowinginCybersecurity.aspx">National Defense Magazine</a></p>
<p>By Tim Larkins</p>
<p>The federal government will spend about $10 billion on cybersecurity in fiscal year 2013. That number could grow to $13 billion in fiscal year 2014. For most federal agencies, cybersecurity is one hot-button issue that will not soon disappear. Determining what to defend against will play a large role in how much money the government must allocate toward cybersecurity.</p>
<p>Until recently, most government organizations have focused on manual and periodic monitoring and reporting for security management. This strategy was primarily driven by the Federal Information Security Management Act (FISMA), which had limited effectiveness in securing data despite the expense and effort. Recent regulations now require federal agencies to implement continuous monitoring of their network operations. Periodic reports and certifications are not only expensive, but most evidence suggests that they do not improve an organization’s security posture.</p>
<p>Investing in continuous monitoring is an important step for government organizations, as hackers and hostile nations pose an increasing threat to the integrity of the United States’ critical infrastructure.</p>
<p>An emerging concern for government is the use of mobile devices and applications. “Bring your own device” strategies that have been implemented in various institutions have led to increased productivity but can also lead to increased security vulnerabilities.</p>
<p>As the use of mobile devices and the purchase of mobile applications grow in the coming years, hackers will alter apps that are considered safe and retool them with malicious code so unsuspecting users download them without hesitation. Additionally, malware authors have developed viruses and programs that can automatically purchase applications from an app store without the user’s permission or knowledge.</p>
<p>Botnets are another threat to government and corporate networks. A botnet is a network of computers that have been breached by a third party and are monitored and controlled from a remote location. An employee’s personal computer or laptop at work could be part of a botnet without him or her even knowing it. Most organizations with mature cybersecurity protocols can easily identify a bot on their networks, and can quickly disable it and recover any lost data. However, “botmasters” will become more persistent and sophisticated, and will develop new techniques to reestablish control of botnets and continue to infect networks even after they are disabled. Also on the rise is hacktivism, or attacks related to political or social purposes by activist organizations.</p>
<p>Groups such as Anonymous have failed to develop more complex tactics and can now largely be countered. But terrorist organizations and nation states will develop more elaborate malware, worms and viruses that are not only capable of shutting down websites or revealing sensitive information, but also able to control machinery and entire buildings as well.</p>
<p>Moreover, recent reports have linked the Chinese government with hacktivist groups that create advanced persistent threats that infect and hide inside U.S. networks. These perils are evident in the Duqu, Flame and Stuxnet attacks.</p>
<p>Search engine optimization poisoning is another possible weapon. SEO is used by websites to improve online traffic to their sites. When a search is run on an engine such as Yahoo or Google, the results that wind up at the top are the ones that rank highest.</p>
<p>Hackers use SEO poisoning to infect users through websites that are designed to look like credible sites. When the malicious site is unknowingly clicked on, the user’s computer may be infected with malware. For years, cybercriminals have crippled a user’s ability to securely search the web, but attacks will become more prevalent. Attackers will use more automated and complex methods to exploit the most popular keywords or news stories of the day.</p>
<p>To combat these threats, federal agencies are investing in products related to information assurance, information security and network operations. The Defense Department has spent nearly $9 billion over the past five years on these products and services alone.</p>
<p>Hundreds of funded programs and contract vehicles have emerged to address cybersecurity. The Department of Homeland Security issued a request for quotes in December 2012 for a blanket purchase agreement that will acquire continuous diagnostic and mitigation tools and continuous monitoring services. The deal will be worth $6 billion over five years and will acquire products and services related to vulnerability management, configuration management and software and hardware asset management.</p>
<p>The DHS contract is just one of many vehicles that will be employed by the federal government.</p>
<p>The Defense Department’s preferred acquisition method is large multi-agency contracts, with nearly $4 billion in cybersecurity related purchases taking place over the last five years.</p>
<p>The Pentagon also spent billions of dollars across a number of indefinite delivery/indefinite quantity contracts, enterprise license and blanket purchase agreements related to cybersecurity. These include contracts awarded under the Air Force’s network centric solutions, the Army’s computer hardware, enterprise software and solutions and the Defense Department’s enterprise software initiative.</p>
<p>Additionally, agencies like the Defense Advanced Research Projects Agency (DARPA) are aiming to improve the government’s cybersecurity posture by leveraging small businesses and individuals rather than relying on traditional vehicles and programs.</p>
<p>For example, DARPA’s cyber fast track initiative is intended to shorten the time it takes to deploy new technologies by funding research performed by small businesses. DARPA funds research efforts by boutique security companies and individuals, and allows them to keep the intellectual property. These organizations could not pursue these efforts on their own because of the complexity, cost and time. And although DARPA announced that Cyber Fast Track will be ending in April, the agency has no shortage of funding to promote such programs.</p>
<p>DARPA, along with the Defense Information Systems Agency and the National Security Agency, spent upwards of $1.5 billion last year on cybersecurity products and services. The majority of these funds have been directed at traditional information-systems security programs that focus on protecting mission critical applications, data and networks.</p>
<p>Industry has recently witnessed several trends emerging in the defense sector, including an increase in the procurement of technology that enables tactical communication, interoperability and consolidation. Cloud and mobile solutions have seen an uptick in government buyers recently, but these technologies contain inherent security risks. Information-technology investments over the past year reflect these trends and needs, and agencies are recognizing and preparing for those risks.</p>
<p>Budgetary worries are another concern. A debilitating sequestration and continuing uncertainty about future funding put federal budgets in a choke hold and have left program management offices and contract offices reluctant to spend.</p>
<p>Regardless of the budgetary environment, agencies must still protect mission-critical data and systems.</p>
<p>Defense agencies must still invest in products and services that encourage tactical communication, interoperability and consolidation. Despite wide and sweeping budget cuts across the government, the Defense Department did request $3.4 billion in cybersecurity funding for 2013 — a near 6 percent increase from 2012. The Defense Department is pursuing nearly 2,500 efforts related to cybersecurity.</p>
<p>Ten programs alone represent more than $6.6 billion in 2013:</p>
<ul>
<li>DISA – Defense Enterprise Computing Centers</li>
<li>DISA – Global Command and Control System</li>
<li>Army – Warfighter Information Network – Tactical</li>
<li>Army – Network Enterprise Technology Command</li>
<li>Navy – Consolidated Afloat Networks Enterprise Service</li>
<li>Navy – Next Generation Enterprise Network</li>
<li>Air Force – Base Level Communications Infrastructure</li>
<li>Air Force – Air and Space Operations Center</li>
<li>Medical Health System – Electronic Health Record Way Ahead</li>
<li>Medical Health System – MHS Cyberinfrastructure Services</li>
</ul>
<p>Some analysts have estimated cybersecurity market growth in the defense sector of nearly 10 percent over the next five years. Given the increasingly stringent budget environment, a more tepid growth is likely. But even with the most modest of projections, cybersecurity spending by the federal government is expected to surpass $14 billion by 2017.</p>
<p><em>Tim Larkins is a consultant for market intelligence at immixGroup Inc. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12564</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Funding DHS Cybersecurity Initiatives</title>
		<link>http://www.thecre.com/cm/?p=12561</link>
		<comments>http://www.thecre.com/cm/?p=12561#comments</comments>
		<pubDate>Fri, 17 May 2013 18:43:28 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.thecre.com/cm/?p=12561</guid>
		<description><![CDATA[From: GovInfoSecurity.com House Panel Places Few Limits on How Money Could Be Spent By Eric Chabrow A House Appropriations Committee bill would give the Department of Homeland Security $24 million less for cybersecurity than President Obama seeks. But it would provide the administration lots of flexibility in how to spend the money. The legislation, which&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12561">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://www.govinfosecurity.com/funding-dhs-cybersecurity-initiatives-a-5768">GovInfoSecurity.com</a></p>
<h3><em>House Panel Places Few Limits on How Money Could Be Spent</em></h3>
<p>By Eric Chabrow</p>
<p>A <b><a href="http://appropriations.house.gov/uploadedfiles/bills-113hr-sc-ap-fy2014-hsecurity.pdf" target="_blank">House Appropriations Committee bill</a></b> would give the Department of Homeland Security $24 million less for <b><a href="http://www.govinfosecurity.com/cybersecurity-c-223">cybersecurity</a></b> than President Obama seeks. But it would provide the administration lots of flexibility in how to spend the money.</p>
<p>The <b><a href="http://www.govinfosecurity.com/legislation-c-191">legislation</a></b>, which cleared the panel May 16 and goes to the full House, would earmark $786 million for cybersecurity operations in fiscal year 2014, which begins Oct. 1. This figure represents a 4 percent increase over current spending levels and includes nearly $200 million for a federal network security program housed at DHS. That initiative is aimed to assist other agencies in providing adequate, <b><a href="http://www.govinfosecurity.com/risk-mgmt-c-38">risk-based</a></b> and cost-effective cybersecurity, which includes the acquisition and operation of <b><a href="http://www.govinfosecurity.com/continuous-monitoring-c-326">continuous monitoring</a></b> and diagnostic software.</p>
<p>&#8220;At a time when many committees on the Hill are trying to insert themselves into cybersecurity, it&#8217;s noteworthy that Appropriations did not offer much in the way of explicit instructions, guidance or reporting requirements for cybersecurity policy,&#8221; says Allan Friedman, research director at the Center for Technology Innovation at the Brookings Institution, a Washington think tank.</p>
<h3>Hands-Off Approach</h3>
<p>The complexity of implementing information security initiatives is the major reason appropriators are taking a relatively hands-off approach on how to spend money on cybersecurity. &#8220;Nobody is really sure on how to restrict it,&#8221; says former Federal Chief Information Officer Karen Evans.</p>
<p>Evans says the panel&#8217;s bill likely includes less money for cybersecurity than the president requests because DHS isn&#8217;t expected to spend all of its cybersecurity appropriation for the current fiscal year. House appropriators also may believe that DHS might not be able to spend the extra $30 million by the end of the next fiscal year. For instance, Evans says, DHS might fall short in hiring the number of cybersecurity experts it plans to employ by Sept. 30, 2014, the end of the next fiscal year.</p>
<p><a href="http://www.govinfosecurity.com/funding-dhs-cybersecurity-initiatives-a-5768">Read Complete Article</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12561</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Continuous Monitoring as a Service Award on the Horizon</title>
		<link>http://www.thecre.com/cm/?p=12558</link>
		<comments>http://www.thecre.com/cm/?p=12558#comments</comments>
		<pubDate>Tue, 14 May 2013 21:16:16 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://0374288.netsolhost.com/cm/?p=12558</guid>
		<description><![CDATA[From: GovWin/Deltek by Kyra (Kozemchak) Fussell Improved cybersecurity was called out as one of three administrative priorities for FY 2014. Agencies have been inching towards cybersecurity targets, and an upcoming award may ease agency pains of implementing continuous monitoring solutions. As described in the 2012 FISMA report, continuous monitoring covers three categories: assets, configuration and&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12558">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://govwin.com/kkozemchak_blog/continuous-monitoring-as-service-award/852892">GovWin/Deltek</a></p>
<p>by Kyra (Kozemchak) Fussell</p>
<div>Improved cybersecurity was called out as one of three administrative priorities for FY 2014. Agencies have been inching towards cybersecurity targets, and an upcoming award may ease agency pains of implementing continuous monitoring solutions.</div>
<div>As described in the <a href="http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy12_fisma.pdf">2012 FISMA report</a>, continuous monitoring covers three categories: assets, configuration and vulnerability. According to the report, all CFO Act agencies demonstrated the ability to successfully report data feeds to Cyberscope. While agency implementation of automated continuous monitoring increased in FY 2012, 7 out of 24 civilian agencies did not have monitoring programs in place.</div>
<div>
<p>Looking at agency capability implementation, scores often appear lopsided. Overall, agency implementation would need a 7% improvement in FY 2013 to meet the implementation target. Perhaps DHS’s continuous monitoring program will provide the boost lagging agencies have needed.</p>
<div>Last year, The Department of Homeland Security’s National Protection and Programs Directorate (NPPD) announced that it’s developing a Continuous Monitoring as a Service (CMaaS) capability. The result of this effort would be an array of sensors that collects data about agency cyber security risks and presents that information in an automated and continually updated dashboard. This display will allow technical workers and managers to improve an agencies’ view of security, to counter recurring threats more effectively, and to support a data-driven approach to agency risk management.</div>
<div>
<div><a href="http://govwin.com/kkozemchak_blog/dhs-drafts-solicitation-for-cyber/728731">As we previously explored</a>, the core capabilities for DHS’s continuous monitoring fell into five areas: hardware asset management, software asset management, vulnerability management, configuration management, and anti-virus. The continuous monitoring program outlined several approaches, including a service-based solution. CMaaS solutions will be based upon NIST standards including a number of guidelines set out in NIST’s 800 series of <a href="http://csrc.nist.gov/publications/PubsSPs.html">special publications</a>:</div>
<ul>
<li>“Guide for Conducting Risk Assessments” (SP 800-30)</li>
<li>“Guide for Applying the Risk Management Framework to Federal Information Systems” (SP 800-37)</li>
<li>“Guide for Managing Information Security Risk” (SP 800-39)</li>
<li>“Recommended Security Controls for Federal Information Systems and Organizations” (SP 800-53)</li>
<li>“Guide for Assessing the Security Controls in Federal Information Systems and Organizations” (SP 800-53A)</li>
</ul>
</div>
<div>DHS plans to shoulder the financial responsibility for this continuous monitoring effort because many agencies lack the resources and expertise. In December 2012, the contracting office released a request for quote (RFQ) that covers both the CMaaS and tools portions of Continuous Diagnostics and Mitigation (CDM). Responses to the RFQ were due in February 2013. Strategic sourcing is expected to be leveraged using DHS funds to implement sensors (where missing), a federal dashboard, and operating services. The General Services Administration (GSA) will be charging a 2 percent fee to agencies using the blanket purchase agreement (BPA). Over 40 vendors have expressed interest in the $6 billion opportunity. The performance period is set for five years. Officials have stated that they expect to issue awards before October 2013. Deltek analysts currently estimate the announcement of the awards in June 2013.</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12558</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking Higher Education</title>
		<link>http://www.thecre.com/cm/?p=12555</link>
		<comments>http://www.thecre.com/cm/?p=12555#comments</comments>
		<pubDate>Tue, 14 May 2013 13:44:49 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://0374288.netsolhost.com/cm/?p=12555</guid>
		<description><![CDATA[From: InformationWeek/Education The cybersecurity challenge on college campuses lies as much with the students as with malicious outsiders. David F. Carr When a faculty member at Miami University in Oxford, Ohio, logged in to the university&#8217;s grade book last fall, she realized something was wrong: The grades in the online system didn&#8217;t match her paper&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12555">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://www.informationweek.com/education/security/hacking-higher-education/240153558">InformationWeek/Education</a></p>
<p><em><strong>The cybersecurity challenge on college campuses lies as much with the students as with malicious outsiders.</strong></em></p>
<p>David F. Carr</p>
<p>When a faculty member at Miami University in Oxford, Ohio, logged in to the university&#8217;s grade book last fall, she realized something was wrong: The grades in the online system didn&#8217;t match her paper records. She was alert enough to see this was no mere glitch.</p>
<p>In March, after months of investigation, police charged two students with hacking the system to inflate grades. Police maintain that Beckley Parker, 21, of Weston, Conn., had changed his own grades for 17 classes since the spring of 2011, and also changed grades for 50 other students, according to the Dayton Daily News. David Callahan, 22, of Cambridge, Mass., reportedly changed his own grade once and two other students&#8217; grades. Although the facts are subject to interpretation, it seems the two were either trying to help fraternity brothers or other friends at the same time they were improving their own grades, or they may have been trying to cover their tracks by changing more than one grade in each case.</p>
<p>All it took for them to make the changes was an inexpensive keylogger device, inserted between the keyboard and the computer it was attached to, which allowed them to record the actions of teachers entering their passwords for the grading system. They were then able to access the system at will.</p>
<p>After cooperating with investigators, the students avoided being charged with a felony, instead accepting dismissal from the university and pleading guilty to multiple counts of &#8220;attempted unauthorized use of property,&#8221; a misdemeanor.</p>
<p>Miami University&#8217;s information security officer, Joe Bazeley, says an attack on the university&#8217;s learning and grading systems is actually worse than the sort of attacks, namely information theft and exposure, that used to keep him up at night before the keylogger incident. &#8220;We produce knowledge and identify that via grades and a diploma,&#8221; Bazeley says. The grade book hack &#8220;challenges the integrity of those grades and diplomas,&#8221; he says.</p>
<p><strong>Learn From The Hacks</strong></p>
<p>Unfortunately, examples abound in higher education of the other kind of security breach.</p>
<p>An undergraduate at the University of Nebraska last year was able to break into a database associated with the university&#8217;s PeopleSoft system, exposing Social Security numbers and other sensitive information on about 654,000 students, alumni and employees. According to our sister website Dark Reading, the university was lucky enough to detect the breach and shut it down quickly. An IT staffer picked up on an error message that seemed like evidence of something amiss, and a recently installed security information and event management system helped network managers sort through system logs and collect enough evidence to allow police to get a warrant to confiscate the computer of the student believed to have been behind the attack.</p>
<p>In March, Salem State University in Massachusetts alerted 25,000 current and former students and staff that their Social Security numbers may have been compromised in a database breach. If the pattern of the last few years repeats itself, expect higher education institutions to experience another half dozen major security breaches by the end of 2013.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12555</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is &#8216;fear the auditor&#8217; holding back real IT security?</title>
		<link>http://www.thecre.com/cm/?p=12552</link>
		<comments>http://www.thecre.com/cm/?p=12552#comments</comments>
		<pubDate>Thu, 09 May 2013 21:12:50 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://0374288.netsolhost.com/cm/?p=12552</guid>
		<description><![CDATA[From: GCN By William Jackson Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: “Are you satisfied that where you are is good enough? Do you understand the risk?” Too often, he says, federal C-level officials do not know if their security is&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12552">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://gcn.com/blogs/cybereye/2013/05/is-fear-of-audit-holding-back-real-it-security.aspx">GCN</a></p>
<p>By William Jackson</p>
<p>Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: “Are you satisfied that where you are is good enough? Do you understand the risk?”</p>
<p>Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.</p>
<p>The issue of understanding and managing IT risk takes on greater significance with the growing emphasis on automating security. Security professionals, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since the passage of the Federal Information Security Management Act of 2002. Critics of the act — or at least of how it has been implemented — say that an emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. With the introduction of tools to monitor systems, respond to incidents and report on status, there is a chance to finally settle the battle in favor of security.</p>
<p>The question, said Scanlon, is “are we going to automate compliance or automate risk management?”</p>
<p>Speaking at a cybersecurity conference hosted by (ISC)2, Scanlon said that FISMA was never intended to be about compliance. The opening paragraphs of the <a href="http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf" target="_blank">act</a> spell out that its intent is to “provide a comprehensive framework for ensuring the effectiveness of information security controls,” and “. . . provide effective governmentwide management and oversight of the related information security risks . . . .”</p>
<p>So why the <a href="http://gcn.com/articles/2012/09/13/datapoint-federal-it-security-survey.aspx">emphasis on paperwork</a> and reporting rather than managing risk over the last 11 years? Compliance is easier to measure. Reports from auditors and inspectors general have given congressional overseers an easy way to grade agencies, either with an A, B . . . F report card or a green-yellow-red dashboard.</p>
<p>The C-level executives who must report to Congress have embraced this. Their approach to IT security, Scanlon said, is, “get the IG off my back.”</p>
<p>Al Seifert, CEO of MSB Cybersecurity and formerly security officer for the Defense Department’s Global Command and Control System, called FISMA a “noble endeavor” that has not fulfilled its promise.</p>
<p>“We are not collecting the metrics we need to ensure that our security is working,” he said. “Everybody fears the auditor.”</p>
<p>Security automation still is rudimentary and focused on compliance reporting, Seifert said. But the technology exists to do better. The Homeland Security Department’s Cyberscope reporting system and the growing list of commercial tools that support the <a href="http://nvd.nist.gov/scapproducts.cfm" target="_blank">Security Content Automation Protocol</a> make it possible to focus on real risk rather than merely playing the compliance game.</p>
<p><a href="http://gcn.com/blogs/cybereye/2013/05/is-fear-of-audit-holding-back-real-it-security.aspx">Read Complete Article</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12552</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>APTs: the imperative for active monitoring</title>
		<link>http://www.thecre.com/cm/?p=12550</link>
		<comments>http://www.thecre.com/cm/?p=12550#comments</comments>
		<pubDate>Wed, 08 May 2013 21:19:07 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://0374288.netsolhost.com/cm/?p=12550</guid>
		<description><![CDATA[From: IT-Director.com By: Fran Howarth Every year, I search for a common theme at Infosec Europe, but this year it was not so immediately obvious. There were no large clouds hanging above the exhibition hall and many of the largest vendors were absent, their places taken by innovative start-ups. Yet, under the covers, there were&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12550">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://www.it-director.com/business/security/content.php?cid=13836">IT-Director.com</a></p>
<p><strong>By:</strong> <a title="View profile for Fran Howarth" href="http://www.it-director.com/about/author/21/fran_howarth.php">Fran Howarth</a></p>
<p>Every year, I search for a common theme at Infosec Europe, but this year it was not so immediately obvious. There were no large clouds hanging above the exhibition hall and many of the largest vendors were absent, their places taken by innovative start-ups.</p>
<p>Yet, under the covers, there were two major themes that many of the vendors that I spoke to talked about—APTs (Advanced Persistent Threats) and the need for continuous monitoring. In fact, these two things go hand in hand.</p>
<p>First, we need to be clear what an APT is, and what it is not. What it is not is a super virus. That is not what the &#8216;A&#8217;, or advanced, in APT refers to. Whilst it is true that the word advanced does apply in terms of the use of a blended threat with many moving parts, it is better applied to the groups with advanced capabilities that are behind such attacks, and such groups are being seen in ever larger numbers. And it is not only government agencies, defence contractors or large organisations with significant volumes of sensitive information that need to be worried. Many victims of such attacks are not the final target, but rather the conduit into a larger organisation, such as a business partner that they supply to. Anyone can be a victim.</p>
<p>The actors behind APTs tend to be highly organised, with significant resources at their disposal that rival those of many sizeable organisations. Cybersecurity firm Mandiant recently published a report regarding the resources and modus operandi of a group that it calls APT1, which is just one of more than 20 APT groups that it knows of with their origins in China. It states that the APT1 organisation has been conducting a cyber espionage campaign since 2006 in which nearly 150 organisations have been targeted, spanning 20 different industries. APT1 has a well-established attack methodology that has been refined over the years and which is designed to steal large volumes of intellectual property from targeted organisations. According to Mandiant, it is staffed by hundreds, if not thousands, of operators, with staff required to be proficient in IT security, computer network operations and English. Its widespread presence can be seen in the fact that it has established a minimum of 937 command and control servers hosted on 849 distinct IP addresses in 13 countries.</p>
<p>The &#8216;P&#8217; in APT refers to persistent, as the criminal organisations behind APTs look to establish and maintain a presence on the networks they target, attempting to hide their tracks to avoid detection. On average, APT1 maintains access to victim networks for 365 days, although the longest period of time that has been observed was four years and ten months. Many of its attacks successfully stole large volumes of intellectual property. From Mandiant&#8217;s observations, just one organisation alone suffered the loss of 6.5 terabytes of compressed data over a ten-month period. The sort of information that has been taken in such attacks includes technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from executives at the victim organisations.</p>
<p>Shortly after Infosec, I discussed issues surrounding APTs with Adrian Culley, global technical consultant for technology vendor Damballa and formerly a detective in the computer crime division of Scotland Yard. Culley states that APTs are not a new phenomenon, but have actually been around since 1993, when the number of personal computers in use began to soar and the first networks other than those designed for academia or the ARPANET network came into widespread use. He states that nation states and criminal organisations around the world are seriously studying, if not investing heavily in APT techniques.</p>
<p>So how do organisations respond to the threat? There are only three states in which data can exist: data can be at rest, where it is in storage; in use, where it is active and constantly changing; or in motion, where it is moving around a network. Forensics on data at rest looks for patterns in stored data in order to retrace how something occurred, but criminals deploying APTs are well versed in forensic techniques and go to a lot of trouble to cover their tracks so that they cannot be traced. Investigating data in use is tricky owing to the constant changes being made, and is difficult to track at enterprise scale.</p>
<p>So that only leaves data in motion, which is easier to track as all communications can be intercepted. APTs are characterised by their need to &#8216;phone home&#8217; to a command and control centre housed on a server. Therefore, it makes sense to continuously monitor all network communications in real time, looking for all violations of policy, such as when an advanced threat is trying to phone home, and to block all such exploits as they occur. Culley likens such capabilities to a fire sprinkler system for the network, whereby a sprinkler is deployed for each node in the network, putting out fires locally as they occur.</p>
<p>Proactive capabilities such as continuous monitoring will greatly add to an organisation&#8217;s detection capabilities, using techniques such as behavioural profiling that can detect more advanced threats than those using signatures for known threats alone. According to Culley, APTs represent a paradigm shift in the way we need to view security. These advanced attacks and the new threat vectors, such as mobile device usage and ever-more interactive web applications, mean that security controls placed at the perimeter based on static rule sets are no longer sufficient, as sophisticated attackers will go out of their way to circumvent such controls. Rather, we need to be looking at everything that is moving around the network, actively looking for anything that constitutes abnormal behaviour, to prevent APTs from communicating out and stealing valuable information.</p>
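<p>As an added example that is not part of Howarth&#8217;s article or of Damballa&#8217;s tooling, the Python below applies the &#8216;phone home&#8217; idea to a constructed set of outbound connection records: it groups flows by internal host and external destination and flags channels whose inter-arrival times are nearly constant, which is how a beacon to a command and control server looks when you watch data in motion rather than match a signature. Every IP address, timestamp and threshold in it is a constructed assumption for the example.</p>

```python
"""Beacon detection over constructed flow records.

Added example (not from the article or any vendor product). Looks for the
periodic "phone home" pattern in outbound connections: many connections
from one internal host to one external destination at near-constant
intervals. The check is behavioural, so it needs no signature for the
implant; all addresses, timestamps and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp in seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 beacons to 203.0.113.7 roughly every 300 s with a few seconds of
# jitter; 10.0.0.9 browses a web server at irregular, human-looking intervals.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443),
    (298, "10.0.0.5", "203.0.113.7", 443),
    (601, "10.0.0.5", "203.0.113.7", 443),
    (899, "10.0.0.5", "203.0.113.7", 443),
    (1202, "10.0.0.5", "203.0.113.7", 443),
    (1499, "10.0.0.5", "203.0.113.7", 443),
    (1800, "10.0.0.5", "203.0.113.7", 443),
    (12, "10.0.0.9", "198.51.100.20", 80),
    (15, "10.0.0.9", "198.51.100.20", 80),
    (200, "10.0.0.9", "198.51.100.20", 80),
    (205, "10.0.0.9", "198.51.100.20", 80),
    (980, "10.0.0.9", "198.51.100.20", 80),
    (1700, "10.0.0.9", "198.51.100.20", 80),
    (1701, "10.0.0.9", "198.51.100.20", 80),
]


def beacon_candidates(flows, min_connections=5, max_cv=0.1):
    """Return (src, dst, port, period_s, cv) for channels whose inter-arrival
    times are regular enough to look like a beacon.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between successive connections: 0 means perfectly periodic. The minimum
    connection count and the cv cut-off are assumed thresholds for this
    example and must be tuned against the environment's own baseline.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, port in flows:
        by_channel[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in by_channel.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all connections at the same instant: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, port, period, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s (cv={cv})")
```

<p>Run as a script, it reports only the 10.0.0.5 channel. Two caveats a practitioner would want: legitimate periodic traffic (time synchronisation, update checks, monitoring agents) produces the same regularity and has to be allow-listed, and an implant that adds large random jitter or beacons only a few times a day will fall under these thresholds, so the cut-offs belong in a tuning loop against the network&#8217;s own baseline rather than fixed in code.</p>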
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12550</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk and Compliance: The Yin and Yang of Security</title>
		<link>http://www.thecre.com/cm/?p=12549</link>
		<comments>http://www.thecre.com/cm/?p=12549#comments</comments>
		<pubDate>Wed, 08 May 2013 13:24:07 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://0374288.netsolhost.com/cm/?p=12549</guid>
		<description><![CDATA[From: TechNewsWorld By Joe Fantuzzi &#38; Torsten George Regulations and mandates &#8212; whether they&#8217;re from government or industry &#8212; are important aspects of ensuring security within organizations. However, there is more to the battle to lock down information in a Big Data world. Compliance should play a supporting role within a framework driven by risk&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12549">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://www.technewsworld.com/story/77953.html">TechNewsWorld</a></p>
<p>By Joe Fantuzzi &amp; Torsten George</p>
<p><em><strong>Regulations and mandates &#8212; whether they&#8217;re from government or industry &#8212; are important aspects of ensuring security within organizations. However, there is more to the battle to lock down information in a Big Data world. Compliance should play a supporting role within a framework driven by risk assessment, continuous monitoring, and closed-loop remediation.</strong></em></p>
<p>Mushrooming industry and government mandates that govern IT security have led to a highly regulated environment and annual compliance fire drills. Compliance, however, does not necessarily equal better security.</p>
<p>We are reminded of this fact nearly every day when breaches make headlines. So what role should compliance and risk management play within an enterprise&#8217;s overall security equation?</p>
<p><strong>The Downside of Compliance </strong></p>
<p>Organizations that pursue a check-box mentality as part of a compliance-driven approach to security only achieve point-in-time compliance rather than improving the company&#8217;s security posture, which is dynamic and changes over time. This has been proven time and again.</p>
<p>Recently, progressive enterprises have begun to pursue a more proactive, risk-based approach to security. The goal in a risk-based model is to maximize the efficiency of an organization&#8217;s IT security operations and provide visibility into risk and compliance posture. The holy grail is to remain in compliance, reduce risk, and harden security on a continuous basis.</p>
<p>A number of factors are causing businesses to rethink the check-box approach to security and move toward a risk-based model. These include:</p>
<ul>
<li>Federal Information Security Management Act (FISMA) of 2002.</li>
<li>Federal Risk and Authorization Management Program (FedRAMP).</li>
<li>Securities and Exchange Commission (SEC) Cyber Guidance.</li>
<li>Emerging Cyber Legislation (e.g., Cyber Intelligence Sharing and Protection Act).</li>
<li>Presidential Executive Order on Cyber Security.</li>
<li>The Council of Europe Convention on Cybercrime.</li>
</ul>
<p><strong>The Role of IT Security</strong></p>
<p>It is commonly believed that vulnerability management will minimize the risk of a data breach. However, without placing vulnerabilities into the context of the risk associated with them, organizations can misalign their remediation resources. Often they overlook the most critical risks while only addressing &#8220;low-hanging fruit&#8221;.</p>
<p>This is not only a waste of money, but more importantly, it creates a longer window of opportunity for hackers to exploit critical vulnerabilities. The ultimate goal is to shorten the window attackers have to exploit a software flaw. Therefore, vulnerability management must be supplemented by a holistic, risk-based approach to security, which considers factors such as threats, reachability, the organization&#8217;s compliance posture, and business impact.</p>
<p>If the threat cannot reach the vulnerability, the associated risk is either reduced or eliminated.</p>
<p><strong>Risk and Compliance: Security Bedfellows</strong></p>
<p>An organization&#8217;s compliance posture can play an essential role to IT security by identifying compensating controls that can be used to prevent threats from reaching their target.</p>
<p>According to the Verizon 2012 Data Breach Investigations Report, 97 percent of the 855 incidents reported in 2011 were avoidable through simple or intermediate controls. However, business impact is a critical factor in determining actual risk. For example, vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less critical targets.</p>
<p>Since compliance posture is typically not tied to the business criticality of assets, it does not enable an organization to prioritize remediation efforts. A risk-driven approach, which addresses both security posture/compliance and business impact, can increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making.</p>
<p>There are three main components to implementing a risk-based approach to security.</p>
<h2>Continuous Compliance</h2>
<p>Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation.</p>
<p>With continuous compliance, organizations can reduce overlap by leveraging a common control framework to increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75 percent.</p>
<h2>Continuous Monitoring</h2>
<p>Continuous monitoring implies an increased frequency of data assessments and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners.</p>
<p>In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.</p>
<h2>Closed-Loop Remediation</h2>
<p>Closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement.</p>
<p>By establishing a continuous review loop of existing assets, people, processes, potential risks and possible threats, organizations can dramatically increase operational efficiency while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time-to-resolution, investment in security operations personnel, purchases of additional security tools).</p>
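<p>The Python below is an added example, not code from the TechNewsWorld article or from Agiliance&#8217;s product, that puts the risk-based prioritization described above (threats, reachability, business impact, and the continuous scoring of closed-loop remediation) into working form. It joins three constructed, already normalized feeds of the kind the continuous monitoring section lists (an asset inventory with network zone and business criticality, a vulnerability scan, and a threat feed of CVEs exploited in the wild) with a small firewall rule set, derives whether an attacker starting on the internet can reach each vulnerable port, and ranks findings by a composite risk score beside the severity-only ranking a compliance scan would produce. The hosts, CVE identifiers, rules and weights are all hypothetical.</p>

```python
"""Risk-based vulnerability prioritization over constructed data.

Added example, not from the article or any vendor product. Joins three
normalized feeds (asset inventory, vulnerability scan, threat feed) with a
simple firewall reachability model and ranks findings by risk rather than
by CVSS severity alone. All hosts, CVE identifiers, rules and weights are
hypothetical assumptions for illustration.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "host cve cvss port")

# Constructed asset inventory: host -> (network zone, business criticality 1..5)
ASSETS = {
    "web-01": ("dmz", 4),
    "db-01": ("internal", 5),
    "kiosk-01": ("guest", 1),
    "hr-app": ("internal", 3),
}

# Constructed vulnerability scan results (the CVE identifiers are placeholders)
SCAN = [
    Finding("web-01", "CVE-0000-0001", 9.8, 443),
    Finding("kiosk-01", "CVE-0000-0002", 9.8, 445),
    Finding("hr-app", "CVE-0000-0003", 9.8, 8443),
    Finding("db-01", "CVE-0000-0004", 8.8, 5432),
]

# Constructed threat feed: CVEs with exploitation observed in the wild
EXPLOITED = {"CVE-0000-0002", "CVE-0000-0003"}

# Constructed firewall policy: (source zone, destination zone, allowed port).
# The attacker is modelled as starting in the "internet" zone.
RULES = [
    ("internet", "dmz", 443),
    ("internet", "guest", 445),
    ("dmz", "internal", 5432),
]

# Assumed weights: an exploited CVE doubles the score; an unreachable port
# reduces (not eliminates) it, because the rule model may be incomplete.
EXPLOITED_MULTIPLIER = 2.0
UNREACHABLE_FACTOR = 0.1


def zones_reachable_from(start, rules):
    """Zones an attacker can pivot into from `start`: any allowed path between
    two zones is treated as a pivot once a host in the source zone is owned."""
    seen, frontier = {start}, [start]
    while frontier:
        zone = frontier.pop()
        for src, dst, _port in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen


def is_reachable(zone, port, rules, attacker_zone="internet"):
    """True if some rule opens zone:port from a zone the attacker can reach."""
    pivots = zones_reachable_from(attacker_zone, rules)
    return any(src in pivots and dst == zone and p == port for src, dst, p in rules)


def risk_score(finding, assets=ASSETS, exploited=EXPLOITED, rules=RULES):
    """Composite score in [0, 2]: severity x business impact x threat x reachability."""
    zone, criticality = assets[finding.host]
    score = (finding.cvss / 10.0) * (criticality / 5.0)
    if finding.cve in exploited:
        score *= EXPLOITED_MULTIPLIER
    if not is_reachable(zone, finding.port, rules):
        score *= UNREACHABLE_FACTOR
    return round(score, 3)


def rank_by_severity(scan=SCAN):
    """The compliance-scan view: highest CVSS first, ties kept in scan order."""
    return [(f.host, f.cve, f.cvss) for f in sorted(scan, key=lambda f: -f.cvss)]


def rank_by_risk(scan=SCAN, assets=ASSETS, exploited=EXPLOITED, rules=RULES):
    """The risk view: highest composite score first."""
    scored = [(f.host, f.cve, risk_score(f, assets, exploited, rules)) for f in scan]
    return sorted(scored, key=lambda r: -r[2])


if __name__ == "__main__":
    print("By severity:", rank_by_severity())
    print("By risk:    ", rank_by_risk())
```

<p>The contrast between the two rankings is the point. The database host carries the lowest CVSS score of the four and comes last in the severity view, yet ranks first by risk because it is the most critical asset and is reachable through the DMZ; the actively exploited critical flaw on the HR application ranks last because no rule lets traffic reach its port, the &#8216;reduced or eliminated&#8217; case above (the factor is 0.1 rather than 0 because a reachability model is only as good as the rule set it was built from). The weights are illustrative; in practice they come from the risk catalog and risk tolerance that the business units define.</p>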
<h2>Conclusion</h2>
<p>Compliance mandates were never designed to drive the IT security bus. They should play a supporting role within a dynamic security framework that is driven by risk assessment, continuous monitoring, and closed-loop remediation.</p>
<hr noshade="noshade" size="1" />
<p id="story-authorbio"><em>Joe Fantuzzi is president and CEO of integrated risk management vendor <a href="http://www.agiliance.com/" target="_blank">Agiliance</a>. Torsten George is the company&#8217;s chief product strategist.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12549</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Barclays indexes machine data to meet complex regulation</title>
		<link>http://www.thecre.com/cm/?p=12499</link>
		<comments>http://www.thecre.com/cm/?p=12499#comments</comments>
		<pubDate>Fri, 03 May 2013 19:53:52 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.thecre.com/cm/?p=12499</guid>
		<description><![CDATA[From: ComputerWeekly.com Brian McKenna Barclays has turned to machine data indexing Splunk technology to deal with the demands of the more complex regulatory banking environment created following the financial crises of the 2008 and aftermath. Stephen Gailey is EMEA director of financial services at Splunk. He joined from Barclays, where he was group head of&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12499">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://www.computerweekly.com/news/2240183238/Barclays-indexes-machine-data-to-meet-complex-regulation">ComputerWeekly.com</a></p>
<p>Brian McKenna</p>
<p>Barclays has turned to Splunk&#8217;s machine data indexing technology to deal with the demands of the more complex regulatory banking environment created by the 2008 financial crisis and its aftermath.</p>
<p>Stephen Gailey is EMEA director of financial services at Splunk. He joined from Barclays, where he was group head of security services.</p>
<p>Monitoring the logs from security technologies, such as intrusion detection systems, is, confirmed Gailey, one of the 15 or so uses for the technology either in practice at Barclays or under consideration.</p>
<p>The bank generates at least two <a href="http://www.computerweekly.com/feature/What-does-a-petabyte-look-like">petabytes</a> of data every day, Gailey discovered, so it has a lot of machine data to index.</p>
<p>His group first engaged with Splunk in 2010, eventually signing a licence deal for 2TB per day. Up until then, the bank had used a security information and event management system from <a href="http://searchsecurity.techtarget.com/news/1409320/Trustwave-seeks-SIEM-technology-upgrade-with-Intellitactics-deal">Intellitactics, acquired by Trustwave in 2010</a>.</p>
<p>“We were running into the limitations of the technology,” Gailey said. “It would not scale, and the regulators are asking for increasingly detailed reports on the [machine] data collected. We found that the SIM [security information management] was poor at asking complex questions, so we tried running a <a href="http://itknowledgeexchange.techtarget.com/security-bytes/tibco-agrees-to-acquire-siem-vendor-loglogic/">log management system, from LogLogic</a>, alongside it”.</p>
<p>Gailey and his team decided to cast this system aside in favour of Splunk, despite having secured senior management investment for it.</p>
<p>“That felt like a brave decision, but if I hadn’t done that I would have been in a difficult position a year on. The hard part was convincing the retail bank to join in with the investment side,” Gailey said. But they were convinced.</p>
<p>The original security use case, generating alerts for what was then Gailey’s team, is still in operation. But the technology is also being used to provide analytics for the more general operation of security controls. “It is the single plane of glass that tells us about the risk status in the bank, across many point solutions, dealing with internal and external threats,” Gailey said.</p>
<p>The technology is also either in use or under consideration at the bank for high performance computing, used in calculating risk, and high speed trading.</p>
<p>On the retail side of Barclays, Splunk is used in the architecture for <a href="http://www.computerweekly.com/news/2240150658/Barclays-Pingit-taken-up-by-thousands-of-small-businesses">Pingit, the bank’s mobile app</a>.</p>
<p>Gailey said the technology has proved itself a good return on investment. Its deployment was offset as a cost, in part, by not buying the log management system and by decommissioning standalone SIM technologies. But there was an operational benefit, too, he said, in that the Splunk technology automatically provides context around alerts that would previously have required lengthier investigation. And it meant saving on training.</p>
<p>“We would only have to avoid one fine for it to pay for itself, since such fines are in the millions of dollars. It has made compliance much easier,” Gailey said. One example of that was a <a href="http://searchsecurity.techtarget.com/tip/The-Little-Black-Book-of-Computer-Security-2nd-Edition">Monetary Authority of Singapore</a> [MAS] audit. Having the privileged access logs in Splunk made that easier, he said.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12499</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The data-driven security analyst</title>
		<link>http://www.thecre.com/cm/?p=12449</link>
		<comments>http://www.thecre.com/cm/?p=12449#comments</comments>
		<pubDate>Thu, 02 May 2013 14:16:21 +0000</pubDate>
		<dc:creator>jim</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.thecre.com/cm/?p=12449</guid>
		<description><![CDATA[From: GigaOm Summary: How do large data volumes and increased automation change the role of the security analyst? Find out in our next GigaOM Research live analyst webinar, sponsored by Click Security. This free webinar takes place on May 14, 2013, at 10 a.m. PT. Edge-based intrusion prevention and security information and event management (SIEM)&#8230; <a class="continue_reading" href="http://www.thecre.com/cm/?p=12449">Continue reading &#187;</a>]]></description>
				<content:encoded><![CDATA[<p>From: <a href="http://gigaom.com/2013/05/01/the-data-driven-security-analyst/">GigaOm</a></p>
<h4><em><strong>Summary: How do large data volumes and increased automation change the role of the security analyst? Find out in our next GigaOM Research live analyst webinar, sponsored by Click Security. This free webinar takes place on May 14, 2013, at 10 a.m. PT.</strong></em></h4>
<p>Edge-based intrusion prevention and security information and event management (SIEM) are failing to meet the demands of faster and more sophisticated threats, and a new generation of analytic tools has evolved to meet those challenges. These tools have the power to reshape the security dynamic, but they may require you to rethink your infrastructure, staffing and policies.</p>
<p>Where can human analysis and augmentation provide the greatest benefit? How should businesses recruit and train security staff to best handle the new realities? Or should you outsource to an MSSP?</p>
<p>For a discussion about these and other questions related to security analysis, join GigaOM Research and our sponsor Click Security for “The data-driven security analyst,” a free analyst webinar on <strong>Tuesday, May 14, 2013, at 10 a.m. PT.</strong></p>
<p>Our experts will address these questions:</p>
<ul>
<li>Security analytics: truly proactive or just faster forensics?</li>
<li>The benefits and limitations of automation</li>
<li>The new security toolkit</li>
<li>The new security analyst: policeman or investigator?</li>
<li>How to hire for or cultivate the new security skill set</li>
</ul>
<p>Speakers include:</p>
<ul>
<li><a href="https://pro.gigaom.com/members/cormacfoster/?utm_source=tech&amp;utm_medium=editorial&amp;utm_campaign=intext&amp;utm_term=640684+the-data-driven-security-analyst&amp;utm_content=kathyosweiler"><strong>Cormac Foster</strong></a>, research director, <a href="http://pro.gigaom.com/?utm_source=tech&amp;utm_medium=editorial&amp;utm_campaign=intext&amp;utm_term=640684+the-data-driven-security-analyst&amp;utm_content=kathyosweiler">GigaOM Research</a></li>
<li><a href="http://www.linkedin.com/in/idmachines"><strong>Salvatore D’Agostino</strong></a>, CEO, <a href="http://www.idmachines.com/index.html">IDmachines</a></li>
<li><a href="http://pro.gigaom.com/members/bobgourley/profile?utm_source=tech&amp;utm_medium=editorial&amp;utm_campaign=intext&amp;utm_term=640684+the-data-driven-security-analyst&amp;utm_content=kathyosweiler"><strong>Bob Gourley</strong></a>, editor, <a href="http://ctovision.com/">CTOvision.com</a></li>
<li><a href="http://www.clicksecurity.com/company/management-team"><strong>Brian Smith</strong></a>, CTO and founder, <a href="http://www.clicksecurity.com/">Click Security</a></li>
</ul>
<p><strong><a href="http://pro.gigaom.com/webinars/click-security-the-data-driven-security-analyst/?utm_source=tech&amp;utm_medium=editorial&amp;utm_term=640684+the-data-driven-security-analyst&amp;utm_content=kathyosweiler&amp;utm_campaign=intext">Register here</a></strong> to claim your spot in this May 14 webinar.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thecre.com/cm/?feed=rss2&#038;p=12449</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
