HD Moore has been quoted extensively in an article called “3 Inconvenient Truths About Big Data In Security Analysis“. I found it interesting although not quite on target. Here is a possible dose of reality for his three inconveniences. I’ve kept his paragraph headers the same for clarity:

1. “Big Data Isn’t Magic”

HD tells us:

“People say if you have all of your data in one place, you’ll magically get the security benefit. That’s not true,” he says.

You know what else I bet is not true? That someone actually said “you’ll magically get the security benefit”. Sounds like HD had to prop up a straw-man argument in order to show us a knock-out argument.

Aside from that logical fallacy, I’ll discuss his more subtle point hiding behind the straw-man. Sales people are prone to making exaggerated claims.

HD is right. Finding meaningful insight in data is called a “science” for a reason. The complexity was highlighted recently at a presentation by SriSatish Ambati of 0xdata of an “open source math and prediction engine”. The presentation was called “Data Science is NOT Rocket Science” and about five minutes into the presentation a heckler in the audience yelled out “What was the title of this talk? I feel like I’m about to launch a rocket.”

Clearly even very intelligent and well-intentioned people are prone to overstate speed of value and ease of working with Big Data. However, this is where I disagree with HD. People are trying to market Big Data as easier than it is because they may actually believe it is NOT magic. Have you ever had a math professor say the subject is easy? They are not telling you it is magic.

To put this in perspective of other areas of science, Einstein was one of the biggest proponents of creativity and simplicity.

I know quite certainly that I myself have no special talent; curiosity, obsession and dogged endurance, combined with self-criticism have brought me to my ideas.

So if you are a company trying to sell Big Data, you are in the business of selling simplicity out of complexity. Perhaps if someone does not believe in science they would think they are being sold magic. Einstein’s point, that a transformation from the complex to simple requires an investment, is pretty-much the opposite of magic.

Should everyone really have to understand how results were achieved for our results to have value? I say no. Results have to be scientific, something that can be verified independently; I don’t think being unfamiliar with science means magic is the only other option.

HD himself reveals this when he calls for investment.

“So just be careful about where you invest, and make sure that if you are investing in a data analytics tool, you at least have one body sitting in front of it and you’re investing just as much in people as you are in the process,” he says.

At least one body? I disagree with that principle. It’s too vague to have meaning. What is that person doing? Robert Pirsig’s Zen and Art of Motorcycle Maintenance explores this dilemma at length but to put it briefly, some pay BMW a lot of money because they really have no idea how to build a motorcycle of their own. This does not mean they dedicate at least one body. They hire a mechanic as necessary, on demand.

So if HD had said make sure you have at least one person riding a motorcycle, ok fine I agree. Instead he seems to be saying make sure you have at least one mechanic on every motorcycle along with you as you ride it…

I do not disagree with a premise that you should invest wisely in people and process and technology to get the most benefit. Rather, I disagree that everyone has to peel back the covers on everything all the time (they instead can invest fractionally in someone else to do that for them) and…I also would like to see at least one example of someone who actually says Big Data is magic.

2. “Putting All Our Eggs In One Rickety Basket”

HD has a very good point here and takes it too far. This is the usual security professional lament to management: please verify that you can trust an environment. Put as a question: why and how should we trust any Big Data “basket”?

“We see a lot of stuff in development around big data toolkits — things like Mongo and Cassandra — and there’s not a lot of security built into these tools,” he says. For example, MongoDB doesn’t support SSL by default, and there isn’t the same level of security offered in similar tools as more established traditional relational databases. “It’s actually pretty frightening how insecure these tools are by default, yet they’re becoming the back-end for most of the big data services being sold today.”

Not frightening. Expected. New technology is often developed with priorities higher than security. Who is really surprised to read “stuff in development” and “not a lot of security built into” within the same sentence. What is frightening is that people would use this new technology without considering the risks. To put it more clearly we can see Hadoop continue to gain popularity, despite missing familiar controls such as communication encryption, as we leverage broader risk management strategies.

“You’re making these really juicy targets for someone to go after. Everyone kind of cringes when we look at some of those big password breaches in the past, but that’s nothing compared to a multiterabyte data leak.”

Telling executive management at some organizations that they have become a “really juicy target” might be taken as proof of success. After all, what is more successful than having assets of high value? And who said after a big password breach in the past “you know what, we should never again put our passwords in one place”?

Back to reality: First, some security controls are essentially impossible to implement in Hadoop so a business may have no choice but to move ahead after weighing risk of failure. Having no basket for eggs is in fact a worse option for some than having just one basket. I’m not advocating one basket, quite the opposite, but I’m saying there’s a cost associated with zero baskets. Second, perimeters and bastions make internal communication encryption far less important. We’re seeing some amazingly tight environments built because data owners know that they need a protected data lake to secure against unauthorized use. This is expensive, but it’s an option that allows a really juicy target to exist. Third, data processed does not have to be sensitive (although the definition of sensitive changes dramatically in Big Data environments). The juiciness of eggs (hey, it’s HD’s analogy, I don’t like it either) can be controlled when the environment can not.

3. “Law of Averages Says An Analytics Provider Breach Is Coming”

This is the grand finale of HD analysis, where he tells us the impact of the first two problems, and it seems to backfire.

“One thing that’s almost guaranteed to happen in the next year is we’re going to see one of the large providers of analytics services — whether security, log data, or something else — get breached,” he says. “It’s just the law of averages at this point. There’s enough folks offering services who don’t necessarily know what they’re doing that we’re going to see a big breach.”

Saying there will be a big breach within twelve months does not sound like Bernoulli’s “law of averages”. To me it sounds like a statement of the obvious. Almost every breach report I read indicates hundreds of breaches per year. Verizon in 2013, for example, issued a one-year report that starts with “621 Confirmed Data Breaches Studied”. So if I were a betting man I would say a big breach will come in the next 30 days…ok, 24 hours.

But seriously, it seems to me that predicting a “big breach within a year” is not the kind of statement that moves anyone to react quickly on an issue. HD said above in #2 that things are “actually pretty frightening” and yet he warns we have 8,766 hours before impact?

Most people will probably hedge their bets or adopt a wait-and-see response when told they are 12 months from impact. “Put that in the budget for next year” would be a lucky result.

Perhaps more importantly HD fails to mention why anyone would be required to report a Big Data breach to the public. Unless regulated data is in these environments, or someone external is affected, then what obligation is there to make the breach “seen” by us?

The Big Data examples he provides us (“whether security, log data…”) does not impact anyone external to the victim and has no legal requirement for disclosure.

Trusted IT (or Trust for short) is a big topic this year at VMworld, especially with the recent release of Log Insight. Here is a sample of sessions related to Trust and that you can find online in the conference agenda.

Out of 590 total sessions
—
Availability (28 sessions, 13 speakers)
Security (72 sessions, 49 speakers)
Compliance (24 sessions, 6 speakers)
Data Protection (19 sessions, 6 speakers)

Availability
========
BCO1000-GD – High Availability with Duncan Epping and Keith Farkas
BCO1001-GD – Stretched Clusters for Availability with Lee Dilworth
BCO5047 – vSphere High Availability – What’s New and Best Practices
BCO5065 – VMware vSphere Fault Tolerance for Multiprocessor Virtual Machines – Technical Preview
BCO5160/2 – Implementing a Holistic BC/DR Strategy with VMware – Part One and Part Two
BCO5276 – Next Generation ‘Economical’ Data Protection for Business-Critical Applications
EUC5805 – Why Delivering Cloud-based Clinical Workspaces Makes Perfect Sense for Healthcare
SEC6850 – Achieving Security Agility in the Virtual Data Center
VCM5577 – Ensuring Clinical Trial Patient Safety with vCenter Operations Management
VCM7369-S – Uncovering the Hidden Truth in Log Data With vCenter Log Insight

Security
======
GS-MON – General Session – Monday – Gelsinger GS-TUE – General Session – Tuesday – Eschenbach
EUC5143 – Is 911 a Joke in Your Network? – How VDI Can Improve Threat Response
EUC5196 – Secure Mobility – FIPS, CAC and Beyond
EUC5369 – Beaufort Memorial Hospital Enhances Patient Care with Secure Mobile Solutions
EUC5805 – Why Delivering Cloud-based Clinical Workspaces Makes Perfect Sense for Healthcare
HOL-HBD-1302 – vCloud Hybrid Service – Networking & Security
HOL-HBD-1303 – vCloud Hybrid Service – Manage Your Cloud
HOL-PRT-1306 – Catbird-Hytrust-LogRhythm – Partner Security and Compliance
HOL-SDC-1315 – vCloud Suite Use Cases – Control & Compliance
NET1001-GD – vCloud Networking and Security & NSX for VMware Environments with Ray Budavari
NET5522 – VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors
OPT4968 – US Air National Guard – DoD Private Cloud Initiative – How Virtualization Saved $45 Million in Power\Cooling and Life Cycle Management
PHC5120 – Why Hackers are Winning and What Virtualization & Cloud Can Do About It
PHC5070 – vCloud Hybrid Service Jump Start Part One of Five: vCloud Hybrid Service: Architecture and Consumption Principles
PHC5409 – vCloud Hybrid Service Jump Start Part Two of Five: vCloud Hybrid Service: Networking and Security Basics
PHC5488 – vCloud Hybrid Service Jump Start Part Three of Five: vCloud Hybrid Service: Advanced Networking and Security
SEC1003-GD – Network Security Services New Model for IPS, URL Filtering, Forensics in the SDDC with Anirban Sengupta
SEC1004-GD – Agentless Security Antivirus, Vulnerability Management, File Integrity Monitoring in the SDDC with Azeem Feroz
SEC5168 – Dynamic or Dud? Why Software-Defined Data Centers Need Dynamic Security
SEC5178 – Motivations and Solution Components for Enabling Trusted Geolocation in the Cloud – A Panel Discussion on NIST Reference Architecture (IR 7904)
SEC5253 – Get on with Business – VMware Reference Architectures Help Streamline Compliance Efforts
SEC5318 – NSX Security Solutions In Action – Deploying, Troubleshooting, and Monitoring for VMware NSX Service Composer
SEC5749 – Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC
SEC5750 – Security Automation Workflows with NSX
SEC5755 – VMware NSX with Next-Generation Security by Palo Alto Networks
SEC5889 – Troubleshooting and Monitoring NSX Service Composer (and Partner) Policies
SEC5894 – Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
SEC5891 – Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services
SEC6850 – Achieving Security Agility in the Virtual Data Center
STP1015 – Is Your Data Center Smart? – Improving the Security and Performance of Virtualized Environments through a Data Center Operating System
STP1018 – Secure and Monitor Sensitive Assets in Your Virtual Infrastructure
STP1020 – Solving the security and compliance challenges of a true Enterprise cloud
TEX5667 – Case Study: VMware vCloud Ecosystem Framework for Network and Security Enables Network Services Virtualization
VCM6065 – How to Manage Security Levels and Infrastructure to Provide IaaS / PaaS / SaaS Services Based on a Single Virtual Infrastructure
VSVC1007-GD – Platform Security with Mike Foley
VCM1005-GD – Log Insight with Steve Flanders
VCM4445 – Deep Dive into vSphere Log Management with vCenter Log Insight
VCM4528 – Tips and Tricks with vCenter Log Insight (NEW!)
VCM5034 – Troubleshooting at Cox Communications with VMware vCenter Log Insight and vCenter Operations Management Suite VCM7369-S – Uncovering the Hidden Truth in Log Data With vCenter Log Insight

Compliance
=========
SEC5775 – NSX PCI Reference Architecture Workshop Session 1 – Segmentation
SEC5820 – NSX PCI Reference Architecture Workshop Session 2 – Privileged User Control
SEC5837 – NSX PCI Reference Architecture Workshop Session 3 – Operational Efficiencies
BCO5829 – Drying Out After Hurricane Sandy: Leveraging vCloud Director and Other Cloud Enablement Tools for Simpler, Faster DR Operations
EUC5196 – Secure Mobility – FIPS, CAC and Beyond
OPT5887 – How Does VMware Uniquely Enable Leaders in Healthcare Electronic Medical Records to Improve Quality of Care and Meet Unique Industry Requirements
HOL-SDC-1315 – vCloud Suite Use Cases – Control & Compliance
PHC5679 – Protecting Enterprise Workloads Within a vCloud Service Provider Environment
SEC1001-GD – Activity Monitoring Visibility into Users, Applications for Compliance Troubleshooting with Mitch Christensen
SEC1002-GD – Compliance Reference Architecture: Integrating Firewall Antivirus, Logging IPS in the SDDC with Allen Shortnacy
SEC5253 – Get on with Business – VMware Reference Architectures Help Streamline Compliance Efforts
SEC5428 – VMware Compliance Reference Architecture Framework Overview
SEC5589 – Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure
VCM4838 – Automating IT Configuration and Compliance Management for Your Cloud

Data Protection
============
BCO1002-GD – Data Protection and Backup with Jeff Hunter
BCO4756 – VMware vSphere Data Protection (VDP) Technical Deep Dive And Troubleshooting Session
BCO5041 – vSphere Data Protection – What’s New and Technical Walkthrough
BCO5160 – Implementing a Holistic BC/DR Strategy with VMware – Part One
BCO5162 – Implementing a Holistic BC/DR Strategy with VMware – Part Two
BCO5276 – Next Generation ‘Economical’ Data Protection for Business-Critical Applications
BCO5851 – VMware Backups That Work – Lessons Learned and Backup Performance Tuning Based on Extensive VADP Benchmark Testing
BCO5855 – Leveraging Advanced Storage Capabilities To Meet Today’s Virtual Environment SLAs
HOL-SDC-1305 – Business Continuity and Disaster Recovery In Action
PAR6413 – Capturing the Backup and Disaster Recovery Opportunity with VMware
PHC5679 – Protecting Enterprise Workloads Within a vCloud Service Provider Environment