Big Data: Big Deal or Big Brother?

Editor's Notes

1. Good afternoon. My name is John Johnson and I am Global Security Strategist for a F100 Ag Manufacturer. My talk today is on Big Data. We’ve all heard the hype. Some people feel that Big Data is the next big trend and the best thing since sliced bread, while others see it as the road to Perdition, fraught with peril and paved with good intentions. I have to admit that I am not the world’s greatest expert on the topic of Big Data. However, my company, like most of yours, is gathering more and more data from customers, our machines and devices and we are looking for a way to apply data analytics to expand our services and to add genuine business value.
2. My talk will start off by discussing how we might define Big Data, and then I will provide some examples of how Big Data is being applied to benefit consumers, companies and society. I want to emphasize the processes that are involved with data modeling and predictive analytics, and then I will look at the issues around being good stewards of data that might originate with customers and how we treat it responsibly and with consideration of legal, ethical and cultural issues as we aggregate it, mine it, store it and share it with our customers and business partners. The underlying current here is about how we manage risk that is fundamentally different than traditional data protection, and how we decide what needs to be secured and how we might go about that.
3. Some of you may have seen something like this before. This is a Buzzword Bingo card. I have a link you can follow to create your own, if you like. I want to look at a topic that is definitely an over-hyped buzzword, so if I go crazy with these terms, please feel free to yell out, “Bingo!” if you can complete five horizontally, vertically or diagonally!
4. What is Big Data? It means a lot of different things to different people. I hope that I can define this in a way that makes sense, and that applies to our context of data security.
5. Big data isn’t just lots of data, it’s lots of data from disparate data sources that can be structured or unstructured. We’ve seen trends in virtualization and cloud computing, and processing big data similarly requires shared resources that have elasticity, resiliency and can scale on demand. These data sets can be processed to provide business value, if you strategically align your efforts with business objectives. In fact, if your company has access to big data sources and they aren’t making good use of it and if they don’t have a strategy, then your competitors will, so it needs to be a part of your business strategy. We live in a world of consumerization of IT, exploding social media, consumers who prefer to shop over the Internet from the comfort of their own homes, and there’s this concept of the Internet of Things, where everything from your toaster to your pacemaker will be networked and sending data somewhere, where someone is recording it.
6. You can see the statistics here from 2011 on the grown of Internet usage. Global companies now have truly global challenges as they try to compete in emerging markets and gain customer knowledge in new cultures.
7. We live in a connected world. This connectivity allows us entertain ourselves, but it also presents new ways to communicate, to learn and it makes our lives not only more convenient, but more productive. And this is not just a Western trend, it is truly global. According to MBAonline.com, every day: Enough information is consumed on the Internet to fill 168 million DVDs 294 billion emails are sent 2 million blog posts 172 million different people visit Facebook, spending 4.7 billion minutes (or nearly 9000 man-years), uploading 250 million photos Nearly 900,000 hours of video are uploaded to YouTube 1300 new apps are added to online app stores for download
8. And more iPhones are sold every day, than babies born.
9. As we all come to rely more on technology, globally, we are storing more and more data. Have you ever noticed how anytime you buy a bigger hard drive, you find a way to fill it up? I remember 10 MB SCSI hard drives in the late 80s that cost $2000. Now we find a way to fill up personal TB hard drives with high definition video and multimedia. It’s amazing! This graphic shows how the total digital content stored worldwide is doubling every 18 months, to 2.4 Zettabytes last year. That’s 2.4 billion Terabytes. In fact, 90% of all the data in the world was created in just the last two years. And, by 2020, it is predicted that the digital universe will have grown to 35 Zettabytes. We must have a strategy to manage this.
10. Again… What is Big Data? Let’s summarize. We saw that all these people, with all their devices, are using the Internet and it’s growing like crazy. Big data is large, complex and dynamic data sets that can contain both structured and unstructured data. All this data can be logged and retained. From our Internet usage, to our GPS location, to what we buy and who we talk to. And, it’s not just computer and smart phones, data in both structured and unstructured formats flows and can be logged from all of our networked applications, transactions, sensors and communications. Structured data could be something like a customer database. Unstructured data uses 5 times the storage of structured data, and is growing 3 times as fast. The data that we gather can be streaming in real-time, or in batches, or be historical data sets that we use for correlation. If any of you have SIEM projects, that is a great example that we use to understand this concept. With SIEM we may take data from disparate data sets, and aggregate them: firewall logs, IDS logs, Active Directory logs, Proxy logs… and we look for correlations by mining the data to uncover patterns that might indicate security has been compromised. This is what the business is doing as well, to add business value.
11. This slide shows the growth of Big Data storage, along with variety and complexity, and how this has moved us from traditional structured data to data from many new sources.
12. I like this chart because it shows the growth of Big Data on three fronts: Data volume, velocity and variety. These are the Three Vs of Big Data.
13. You will often hear people refer to the Three Vs of Big Data, being Volume, Velocity and Variety. In this info-graphic, you can see that Big Data storage is rapidly growing to huge volumes globally. Over 3500 Petabytes in storage in North America alone. The velocity involves how much we all use technology, and we can imagine how this will grow as new technologies are developed and adopted globally. And variety gets to the kind of data we generate… news, blogs, multimedia, bank and retail transactions, machine data, and so on.
14. You can see that the growth of data from social media and sensors will happen faster than traditional enterprise data in the next two years.
15. Here is another breakdown from IBM and the Said Business School from a 2012 study in the UK and Ireland, showing where the data is coming from today. I think the previous chart indicates this will flip in the future as the data sources on the right outpace those on the left.
16. There is a fourth V, which I’ve already tried to emphasize and that is value. If all this data didn’t have any value, we wouldn’t spend money on processing it. I think we’d still have concerns over the volume of data, and our storage and processing technology would need to grow to keep pace, but there is a value proposition in having varied data sets to draw upon, and we’ve passed the tipping point where it was simply a novelty. Regardless of your industry, large companies need to look to Big Data as a differentiator that will give them a competitive advantage. Smaller companies and individuals will also benefit from analytic services and from consumer products and services that leverage Big Data. I think Security Big Data is not as mature. While we are starting to roll out SIEM, more and more, I don’t believe most security teams are able to demonstrate a return on investment yet, or tie the outcomes of a SIEM or threat intelligence program to the business objectives you find in the company’s annual report.
17. Federal agencies find big data most improves the quality and speed of decision-making. They also ranked other benefits from big data, including better planning, efficiency and customer service.
18. Healthcare, on the other hand, is one of the areas that analysts believe will see the greatest growth, through the use of Big Data. Healthcare professionals deal with patient PII and they are heavily regulated, so this is also one of the areas where the potential for abuse and misuse of data is easiest to imagine.
19. As we become able to competitively differentiate our companies from our competition, the value will impact the bottom line and drive new innovation.
20. I have just a handful of the many, many examples you could come up with to illustrate ways in which big data is being used today. Since this is a security conference and I am a security professional, the goal in looking at big data from all different angles is to help identify areas that need attention. Just as moving to computers from paper, or the Internet from basic office networks introduced new security risks, there are many risks that arise as we consider gathering, processing and using big data.
21. I work for John Deere. We have 5000 dealers, millions of customers, 60,000 employees and we have offices in 30 countries globally. There are a lot of issues that arise just by having a diverse network and user-base. These problems can be multiplied when you start increasing the volume and rate at which structured and unstructured data comes in. As with most other large, global companies, we are gathering a lot of data an we need new processes and tools to handle it. The more you deal with aggregated data and log files, sensors that tell you about the weather and soil and humidity, and GPS readings that tell you about the size of a farm. With information on product yields and the type of seeds and chemicals… you can see that you truly have much more than machine data that indicates when it’s time for an oil change. It takes a lot of people to manage all aspects of the software and hardware and data processing that goes into managing big data. So, it is crucial that you be even more careful in how you authenticate and authorize these users, and how you educate them and monitor for security violations. Even mistakes and configuration or programming errors can make your data vulnerable. Often times, you need to contract out to firms for development and services, especially as you scale up and develop your capabilities. It is important to consider carefully how you architect remote access and how you protect intellectual property.
22. We need to utilize customer portals, various sensors and communications technology to seamlessly deliver advanced capabilities and customer knowledge, that will help our customers better compete and increase their production.
23. While this data can help John Deere compete globally, the advent of precision farming and drip irrigation that delivers just the right amount of water to the right place at the right time, will help the planet feed 9 billion people, despite having fewer resources, water shortages and a warmer climate. It’s quite a value proposition to be able to say that fewer children went to bed hungry because information services that rely on big data.
24. Here is a short video that demonstrates what a day in the life of a farmer might be in just a few years. (5:54)
25. Consumers generate tons of data, and they purchase apps that leverage the results of analytics, and their use of those apps can then generate additional data. It can be difficult to anticipate the uses of derived data and how it may subsequently drive new business models and technologies, and how third-parties will use this data. They may make use of data that you share in ways that introduce reputational risk to your brand.
26. Here is a short video explaining some of the benefits consumers are starting to derive from Big Data, today. (4:43)
27. Governments, organizations and individuals with access to big data can solve large problems and find innovative ways to benefit society. Data sharing between intelligence agencies may stop nation state attacks or terrorism before it happens, but to date most successful data sharing has been informal or commercial, and two-way data sharing between the public and private sector has not taken off. Better data management, new predictive analytics and political leadership may help that improve in the coming years. Trusted threat intelligence feeds will likely help companies better defend against attackers and new threats in a more agile way that today.
28. Of course, when we start talking about the government aggregating data to protect us from terrorists and criminals and nation states, that might sound good if it means we can better protect our intellectual property, but we find ourselves on a slippery slope, ethically. At what point do we find our privacy and liberties sacrificed, for the greater good? Should we and can we protect individual rights, in this scenario? (0:51)
29. “The sheer volume of information creates a background clutter…,” said DARPA Acting Director, Kaigham J. Gabriel. “Let me put this in some context. The Atlantic Ocean is roughly 350 million cubic kilometers in volume, or nearly 100 billion, billon gallons of water. If each gallon of water represented a byte or character, the Atlantic Ocean would be able to store, just barely, all the data generated by the world in 2010. Looking for a specific message or page in a document would be the equivalent of searching the Atlantic Ocean for a single 55-gallon drum barrel.”
30. We’ve seen how the data is gathered, where it comes from and how it might benefit consumers, organizations and society. Now I want to discuss the risk involved with the use of Big Data. The first area to focus on is data modeling and predictive analytics. These models need to be able to take in structured and unstructured data, often in real-time, and process and reduce it while maintaining its integrity. This requires a lot of care on the part of data scientists. Models that are poor can end up having unintended consequences. Sometimes we see correlations between data sets that is coincidental. As models are applied and tested, there needs to be feedback mechanisms to improve the model over time to improve accuracy and remove bias and bad assumptions. This is what we normally call evidence-based science!
31. If we want to develop diverse, raw and unstructured data into something people find valuable, Data needs to be aggregated and processed, leveraging analytical models. The output can be many different things, that tie back to business objectives. Deep Insight Customer Knowledge The ability to respond more quickly to market trends The ability to deliver better and more customized services to customers The ability to make faster and more accurate decisions Better supply change management and logistics It can even be the security objective to have intelligent and adaptive security that allows you to identify and respond better to threats as they evolve faster and faster.
32. The point to this slide is to emphasize that data analytics is a scientific endeavor that requires measurement and feedback in order to develop reliable and trustworthy models. The derived results are typically what you profit from, so having data scientists working with Big Data is important. This is another way in which you need to be an ethical steward of the data. Taking raw data and turning it into a valuable business product is not something a database administrator can do.
33. When you had to physically jiggle the doorknob to see if someone was at home, you needed physical proximity and your impact was localized and limited. As we moved to the Internet, you could metaphorically jiggle someone’s doorknob from across the globe, and the impact of a new virus or exploit could be immediate and widespread. Thus, as we move to larger aggregated sets of data, we have numerous security issues that arise. I don’t think Big Data automatically implies Big Brother, but we need to be vigilant in our protection of this data, and corporations and governments need to be held accountable for their actions. There are several points that I call out here, regarding how we manage and protect data. It is important to be clear with the customer about what data you will gather and how you will use it. Remember that the result of doing a poor job of being a steward of customer data can be harm to your organization’s brand and reputation. Third parties may take your published information, like flight times, and use it in their applications and when they implement this poorly, customers will blame your company and it will harm your brand. Most consumers will not even realize the app was not developed by your company. It is important to consider how this can add to your reputational risk and manage it appropriately. It is important to understand legal requirements globally (and in California!) Understand the expectations and cultural issues globally. Some cultures share much more, and others have very strong expectations of privacy. Understand how the data is being used, where it lives, how it is protected, who has access to it and how data is shared with third-parties.
34. As we take a data-centric view, we should segment and compartmentalize data and protect data throughout its life cycle. The data must be secured from the source. The analytics need to be kept proprietary. The end-product must be shared in a way that it won’t be misused or resold. Your competition may be able to look at the data sets you don’t protect well, and fill in the missing pieces, since macro trends tend to repeat themselves over multiple sets of data. It is important to remember that all this information is useful at some point, but eventually it can become a liability to retain it, and you should have a data retention policy and a plan for how to properly dispose of old data. Consider how a patient may want to share his medical history, but not leave it in every doctor’s system that he visits. The more you keep, the more resources you need to devote to legal and security protections. You may have data that comes from your systems and you may have third-party data or partner with other companies. You may utilize cloud services and contractors. The point is that big data can be a big pain to protect, and there isn’t just one security tool you can buy to do it all. Take a Bayesian approach to layered security, leveraging people, processes and technology and recognize that every organization will need to develop an approach that is right in their business and regulatory context.
35. This is an example of a John Deere privacy statement from our website. Anytime customer data is being collected, they need to understand how it will be used.
36. The CEO of TomTom discusses how they approach the collection of customer data from their GPS navigation systems. (1:55)
37. I like this slide, because it reminds us that we are no longer system admins who focus on the technology alone. We need to have a broader view and a more strategic one to understand and align security governance with business objectives, and learn to be stewards of information throughout its lifecycle.
38. And, let me close with this quote from Voltaire. Well, it’s paraphrased. It says, “With big data comes great responsibility.”