SAS takes analytics into the network

James Goodnight, CEO, SAS

When Dr. James Goodnight and his partners founded the SAS Institute in 1976, after it had run for almost a decade as a successful academic project at North Carolina State University, statistics was a complicated black art to most. SAS software was initially used to analyze the effect soil, weather and seed varieties had on crop yields at the university.

Almost forty years later, Dr. Goodnight still heads the company, but the advanced form of statistics known as analytics is now becoming mainstream.

After decades as a solution in search of a problem (as the many companies that tried and failed to break out of the niche can testify – remember SPSS and Cognos?), analytics now has a problem that has gone mainstream: Big Data, in its many incarnations. As often as not, Big Data and analytics are joined at the hip. Even companies like enterprise information management specialist OpenText are embedding analytics in their solutions.

But not all Big Data is created equal. Sure, the volumes are there, whether you're accumulating sales data, information from server logs, or sensor readings, but some of it is trickier to handle than the rest. Just think about coping with a terabyte of data streaming in from a jet engine's sensors, for example, most of it perfectly benign, but with indications of an incipient problem buried within. Or looking at the flow of financial data on a banking network, from which you must tease out data about mortgage or credit card fraud. Or network traffic, from which you have to determine that a machine has been compromised by attackers, and find out what the bad guys are up to.

Those are Big Data problems worthy of analytics.

At its recent Premier Business Leadership Series event in Las Vegas, SAS announced that it is expanding its scope to tackle problems like this. It already handles financial analysis – a proof of concept for a major bank a couple of years ago revealed a $12 million mortgage fraud (and sealed the deal). Retail is old news – SAS does pricing optimization for major outlets like Macy's, helping them determine when to put items on sale to achieve maximum profit and volume.

Now it has added SAS Cybersecurity to the mix. SAS Cybersecurity uses analytics to find hidden patterns in the huge amounts of data flowing through a network that can indicate suspicious activity. It's a new area that was triggered, said Dr. Goodnight, when a former employee returned to the company and proposed that its high speed event streaming engine could be used in a new way to capture information from networks in real time.

Bryan Harris, director of research and development, SAS

That employee, Bryan Harris, is now SAS director of cyber research and development. Harris noted that cybersecurity awareness in businesses has come to the fore in the past two years. "There's a convergence of fraud and cybercrime," he said. "In fraud detection, there's a lot of proprietary technology. In cyber, it needs to be communicated operationally. And today, we know there's a problem, but no one understands the business aspects." And the situation is further complicated by the volume of data that has to be analysed, and the speed with which it arrives; for a Fortune 500 company, Harris said that networks can generate 10 million or more records per day that have to be analysed in real time.

That's where SAS's work in high speed data capture and massively parallel processing has paid off. The same technology that enables analyses that took days not so long ago to be accomplished in minutes can be leveraged to alert network administrators to mischief in their domains while there's still a chance to head it off – and maybe even catch the bad guys. Behavioral analytics automatically evolve cyber analytic models based on new events, new data and new contexts. So when attackers get more sophisticated, so do detection methods.

At the moment, the software simply detects; it doesn't take any action, such as blocking ports or quarantining affected machines, on its own. Instead, its dashboard and reporting flag the suspicious activity for administrators, who then decide what to do.

That's good and bad. The volume of alerts on a large network can be daunting, and although the software filters out the noise and attempts to only present relevant information, there still could be a delay in response if analysts are overloaded, or if the alerts trigger off-hours. On the other hand, nothing beats an experienced security analyst when it comes to making decisions about complex situations.

The rub, of course, is that there's a painful shortage of experienced security analysts. That's where automation would come in really handy, especially when backed by the sophisticated analytics in SAS Cybersecurity. It could take care of the routine stuff, and only pass on the events that really need human judgement to the analyst.

Customers like what they're seeing, though, according to chief marketing officer Jim Davis, who noted that since many already use SAS products for risk management and fraud detection, they already trust the company with their data. And when SAS floated the idea to analysts, he said, their response was, "It's about time."

It is about time. SAS's expertise in all things analytical is a perfect fit for the security world. Other vendors are also jumping in with both feet – the same week we saw SAS Cybersecurity, Intel Security announced its own analytics-driven product. However, SAS has the advantage of close to forty years of analytics expertise; Dr. Goodnight claims that because of that history, his technology is several years ahead of its competition. But Intel Security includes automation, something that makes overworked security professionals very happy.

If SAS can supplement its analytics and Big Data expertise with some of the modern automation features, it will delight both security pros and its enterprise customers.