Intelligence has a long history of providing pivotal information to decision-makers. Many have proposed that we must apply this concept of intelligence to information security and the struggle against the threat landscape. Without intelligence, we cannot proactively protect against attacks or potential attacks, mainly because we don’t understand the motivations and what’s behind them. One source of attacks, out of many, is the human intention or behavior of internal employee or an outsider to the company.
Sentiment analysis extracts meaning from these articles, posts, tweets and conversations and automatically performs detailed statistical analysis to identify emerging trends. For instance look at the tweets posted by Anonymous group on various DDOs attacks that were launched by them and wathc how they tweet in public forums such as Twitter and Facebook. In fact they also plan their launches through IRC chat or Twitter.
You need tools and technologies to monitor this 24/7 and these feeds should also be part of all the machine data you collect to analyze for security vulnerabilities in your critical infrastructure. HP ArcSight integrates with these 400+ connectors from IDOL that pulls sentiment from various human generated data such as tweets, emails, chat, etc. This is on top of the 350+ connectors for machine generated data. This allows ArcSight to truly examine big data, which is a combination of both machine and human generated data, and correlate the entire dataset to holistically enable an early detection of threats that otherwise would have been missed.
IDOL technology enables organizations to actively get this type of intelligence by monitoring the spiraling amount of user generated content on the Internet (social media) and analyze it for sentiment. IDOL can determine the degree to which a sentiment is positive, negative or neutral for the entire content or a segment of the content.
Here is a typical flow between HP ArcSight (ESM), HAdoop and IDOL:
When a user generates an “information”-related event, like sending an email or accessing a file, an event will be generated and sent to HP ArcSight ESM. Now, that we have ESM connected with IDOL, it will query IDOL for the context behind the event. IDOL will send back to ESM a full set of information properties like information classification, category, etc. This set of properties will be used to fire events.
Please look at the event name. The proximity indicator is the “judgment” IDOL provides ESM on the content related to the event. In this example, an email was sent out from “Jameson Jones” to Peter Chambliss with potentially information related to Mergers (~57 percent), then he sent an email with content, potentially related to research (~51 percent) and then some HR data.
This shift towards human friendly information represents the biggest change in the IT industry–security included.
Now, for the first time, it is possible to have the machines fit the human. It is possible to run analytics across all information types for the purpose of better security management, including structured, unstructured, audio, video and more, with real-time meaning-based analysis with the ability to produce actionable outcomes.
Learn more about this at HP Protect 2013 technical sessions where we there will be discussions about how you can leverage threat feeds and social media for security monitoring. We also have a dedicated booth to showcase the launch of attacks and its prevention.