Look deeper into data to spot security threats

Cyber criminals aren't easily deterred. Their job is to find security holes, not to run away when they run into security obstacles. When they don't get in and do damage, you don't know the attempt. But you need to know it. Just as criminals look for opportunities to worm their way into your organization's data and networks, your organization needs to look for opportunities to spot activities that indicate an attempted intrusion.

And the intrusion threat evolves as hacker technologies, hackers' know-how and technologies you use to do business evolve as well. The picture is always changing, and your organization needs a plan for how to view and interpret that picture. Your organization needs a cyberanalytics strategy.

Attacked or not?

About 8 percent of Canadian businesses were unsure whether they had experienced a security threat, attack, or breach on their networks in the last 12 months.

Source: New Cisco Security Study Shows Canadian Businesses Not Prepared For Security Threats. Date accessed: March 16, 2015. http://newsroom.cisco.com/release/1559272/New-Cisco-Security-Study-Shows-Canadian-Businesses-Not-_2

Applying analytics to identify cyber vulnerabilities and threats—whether potential or real—involves a host of strategies, processes, tools, and techniques. Each cyberanalytics solution varies from organization to organization, from industry to industry.

Time is part of the equation for determining what analytics solution will work best for which organization and for which operational need.

A real-time solution focuses on short-term data, involving a typically small data set. For example, a real-time cyberanalytics solution might look for and identify suspicious online transactions as they happen based on certain pre-defined activities. Real-time analytics, therefore, serves as a more "cognitive" way of spotting threats, using a rules-based approach. And with real-time solutions, the error rate can be somewhat high at times.

A long-term solution involves lots of data collected over potentially many months and involving many types of information transactions and activities. A long-term cyberanalytics strategy involves visual discovery methods—approaching information and activities in an almost "connect the dots" way to determine associations, behaviors, patterns, and relationships. This information can help you determine who's trying to get at your data, which data is vulnerable, and the methods attackers might use to get to your data. A long-term cyberanalytics solution may also heavily involve open-source tools.

A mid-term solution involves a moderate amount of data and looks at threats in a "studious" way. Mid-term cyberanalytics involves machine-learning algorithms. Sitting between real-time and long-term solutions, it touches on the realm of learning methods, transforming information gleaned from real-time analysis into analytical insight that organizations can use to understand more involved transactions and attacks. Mid-term solutions also help build knowledge for identifying the patterns and relationships that come into play as organizations move toward long-term analysis and toward predicting cyber attacks.

Determining which variety of solution—real-time, long-term, or mid-term—depends on the amount of data, the types of activities with which the data is associated, the value of the data to the organization, and the value of the data to hackers. And each variety of solution requires a different set of technologies to achieve results.

Cyber attackers continue to up their game, and as organizations attempt to get ahead of attackers, deploying cyberanalytics strategically becomes paramount. Thinking about where you stand now is important. But thinking about where you're headed is also critical. Pondering some essential questions on data and analytics can help you get in the right mindset to move forward with cyberanalytics solutions that can address evolving threats and your organization's evolving needs.

Where does your data reside and how easy is it for you to "see" that data now? Hackers can spend all day trying to find out where your information lives. If you don't know where all your data resides and how to access it, you may already be playing a game of catch-up.

What analytical tools do you have in place, and how well do they work? The tools you have today might not be enough to address all the challenges of tomorrow. But it's important to know the effectiveness of the tools you use now to make decisions about new needs for analytics tools and prioritize deployment of cyberanalytics solutions.

What additional types of data will your organization need to do business in the year ahead? Business needs shape the types of data that your operational units will collect and leverage. Hackers will plan on you acquiring new data—viewing new sources of data as new points of attack. Your cyberanalytics strategy needs to take into consideration not just the types of data you have now, but the types of data your organization will be producing or developing in the months ahead.

What future organizational activities may require you to manage or analyze more data? New directions, new markets, and new activities portend the potential to create data. Think ahead of the data and the activities that spawn the data. Become aware of the business direction of your organization so you can put in place cyberanalytics solutions in a timely manner—analyzing data for cyber threats the moment new offerings, new markets, or new partners go live.

Knowing the key questions and having some good answers will take you far toward developing a cyberanalytics strategy. Ultimately, you'll want a "true" cyberanalytics solution. As you seek the solution or solutions that will work best for your organization, awareness will be essential.

Be aware of solutions that aren't what they appear to be. Many vendors will label their technology solutions as "analytics" even though they fall short of being true analytics solutions. For example, a vendor might call a network-forensics tool an "analytics solution," even though the tool lacks the predictive and pattern-spotting functionality that defines a "true" solution. Analytics involves detecting patterns and outliers, and a true analytics solution should address that need while allowing an organization to move through the "lifecycle" of data analytics—from real-time to long-term.

Keep a phased approach in mind. No matter where you start with cyberanalytics, be prepared to extend your strategy and your cyberanalytics solution to other areas. And know that you ultimately will need a combination of technology products across all three phases of the cyberanalytics continuum. One solid approach for many organizations is to start with a real-time analytics capability and then build toward mid-term and long-term analytics capabilities.

Understand the enabling technologies at play. Cloud, mobile, and social technologies all present unique challenges and considerations in the realm of cyberanalytics. As others host your data in the cloud and as you seek to analyze it, you could face issues with data latency or lag. While real-time analysis can work well in the cloud, long-term analysis proves more challenging.

When it comes to mobile technologies, your organization may not see much need for cyberanalytics since malware threats have not bloomed into a major challenge in the mobile realm. But more mobile threats are on the way. Have an analytics strategy to deal with them.

And with social media, understand that activities on the social front can offer clues to the cyber threats that are coming your way. Political, economic, and social protests can spill over from the social media realm and manifest as cyber attacks on high-profile targets. Your organization could end up in the crosshairs.

Understand the threats and the role of cyberanalytics in your industry. All organizations tend to share some common themes when it comes to cyber threats and analytics. The threat of malicious insider activity and the misuse of data-access privileges can touch any organization. But there are unique considerations for various industries, and different challenges will require different cyberanalytics strategies and tools.

Financial services and insurance companies tend to face "omnichannel" fraud threats. For example, attacks come not just in cyber form. They come via customer-service phone calls in which an attacker may attempt to access a consumer's data without authorization. They come via attempts at phony transactions at the teller window. And they come as more routine online attempts to access protected data.

In the health sector, detecting misuse of personally identifiable information represents a central cyberanalytics concern. And in the energy/resources sector, organizations need to remain mindful of the potential for theft of service, vulnerabilities with smart-meter functions and data, and abusive access of data. Energy/resources organizations, as part of the nation's critical infrastructure, also continue to represent targets for conventional cyber attacks.

Staying ahead of cyber threats takes work, and the work begins with knowledge. A true cyberanalytics solution can serve as a valuable resource to let your organization gain knowledge by identifying and predicting cyber attacks—or even conventional fraud attempts. Many Canadian businesses are lacking when it comes to knowledge of cyber attacks.

Improved cyberanalytics offers a knowledge solution, and Deloitte can provide assistance in building that solution. We have extensive experience in the realms of data, analytics, and security. We also can offer help addressing a range of needs, from strategy and policy development to solution selection and implementation.