The potential of data analytics for cyber insights
Secure, vigilant and resilient with analytics
It's a normal Tuesday in November. The SOC (Security Operations Center) is monitoring the preventive security controls around the most critical applications and processes using its Cyber Analytics dashboards, as usual. Suddenly the anomaly detection engine, which has learned through machine learning what normal behavior looks like, picks up on network activity that is out of the ordinary.
November 3, 2015
The abnormality is escalated to one of the SOC's analysts, who immediately goes hunting for the threat that caused this activity, using the data-driven visualization tools at his disposal together with his hacker mindset and data analytics skillset. Because all relevant data sources have been connected and stored for a prolonged period of time, the abnormality can quickly be attributed to a recently started cyber-attack that the Cyber Analytics tool had already distilled from large volumes of threat intelligence. By localizing the exact attack path the intruders have taken up to this point, not only can the attack be stopped in its tracks, but the relevant preventive security measures are also tightened in the process.
This scenario highlights the benefits that an organization can reap from a solid Cyber Analytics capability. But are organizations harvesting enough cyber insights from this data?
To discuss the relevance of this question we introduce the following sub-questions:
- Why are cyber insights important?
- What are challenges organizations face when harvesting cyber insights using Cyber Analytics?
Why are cyber insights important?
Crunching cyber data can give organizations a wealth of insights. When asked about Cyber Analytics, most organizations think of advanced detection capabilities, and while this is definitely an area with a lot of potential for Cyber Analytics, it is by no means the only one. Deloitte's vision on becoming strong at facing cyber threats is centered around three domains: Secure, Vigilant and Resilient:
- Being secure means focusing protection around the risk sensitive assets at the heart of your organization’s mission — the ones that both you and your adversaries are likely to agree are the most valuable.
- Being vigilant means establishing threat awareness throughout the organization, and developing the capacity to detect patterns of behavior that may indicate, or even predict, compromise of critical assets.
- Being resilient means having the capacity to rapidly contain the damage, and mobilize the diverse resources needed to minimize impact — including direct costs and business disruption, as well as reputation and brand damage.
In each of these domains, Cyber Analytics use cases can provide relevant insights for an organization.
Cyber Analytics can provide insight into the operational effectiveness of the cyber measures protecting those risk-sensitive assets. For example, by collecting the active users and permissions in critical applications and automatically and continuously comparing them with, for instance, identity systems, segregation-of-duty matrices and ticket registration systems, it can quickly be detected when the joiner/mover/leaver control is not operating effectively. This tells an organization that the risks this control is supposed to mitigate are likely to manifest in the future.
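The reconciliation described above, as an added example that is not part of the original article: an application's active accounts are compared against a constructed HR/identity feed, a segregation-of-duty matrix and approved access tickets, and every mismatch is reported as a named control failure (all names, dates and permissions are invented).

```python
from datetime import date

# Constructed data (not from the article). Identity/HR feed:
# user -> (department, status, date of last HR change)
HR = {
    "alice": ("finance", "active", date(2015, 1, 10)),
    "bob":   ("finance", "left",   date(2015, 10, 1)),   # leaver, account never removed
    "carol": ("sales",   "active", date(2015, 9, 15)),   # mover: finance -> sales
}
# Snapshot of a critical application's accounts and their permissions
APP_ACCOUNTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob":   {"approve_payment"},
    "carol": {"create_vendor"},
    "dave":  {"view_reports"},                            # unknown to HR
}
# Department that owns each permission, and toxic combinations (SoD matrix)
PERMISSION_OWNER = {"create_vendor": "finance", "approve_payment": "finance",
                    "view_reports": "sales"}
SOD_CONFLICTS = [frozenset({"create_vendor", "approve_payment"})]
# Approved access requests from the ticket system: (user, permission)
TICKETS = {("alice", "create_vendor"), ("alice", "approve_payment"),
           ("bob", "approve_payment"), ("carol", "create_vendor")}

def reconcile(hr, accounts, owner, sod, tickets, today=date(2015, 11, 3)):
    """Return sorted (finding, user, detail) tuples; each is a JML or SoD control failure."""
    findings = []
    for user, perms in accounts.items():
        if user not in hr:
            findings.append(("orphan_account", user, ""))
            continue
        dept, status, changed = hr[user]
        if status == "left":
            findings.append(("leaver_still_active", user, f"{(today - changed).days}d"))
        for combo in sod:
            if combo <= perms:
                findings.append(("sod_conflict", user, "+".join(sorted(combo))))
        for perm in sorted(perms):
            if (user, perm) not in tickets:           # granted outside the process
                findings.append(("grant_without_ticket", user, perm))
            elif owner.get(perm) != dept:             # ticketed, but for a previous role
                findings.append(("mover_retains_old_access", user, perm))
    return sorted(findings)

def run_example():
    return reconcile(HR, APP_ACCOUNTS, PERMISSION_OWNER, SOD_CONFLICTS, TICKETS)
```

Run continuously against fresh snapshots, the count of findings per category over time is the operational-effectiveness metric the paragraph refers to.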
Cyber Analytics can help organizations perform gap analysis on asset registrations to identify blind spots in the infrastructure inventory, or it can help process and correlate large quantities of cyber intelligence feeds to determine the most important information.
Furthermore, detecting abnormal behavior in, for instance, network or user activity is perhaps the most important area in which Cyber Analytics will play a role. Most organizations have by now deployed Security Information & Event Management (SIEM) tools to perform security monitoring: they collect machine-generated logs from across the infrastructure and apply pre-defined rules in real time to generate alerts that can be handled by security operators.
One limitation of SIEM is that it is hard to detect non-quantifiable threats and hard to keep up with constantly evolving attack patterns. That is why more advanced Cyber Analytics is required that focuses on analyzing large quantities of data and applying machine learning algorithms to detect deviations from "normal" behavior on the network, rather than relying on pre-defined rules that quickly become outdated.
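An added illustration of the rule-versus-baseline contrast, not from the article: a fixed "more than 1 GB per hour" SIEM rule is compared with a per-host baseline (median and MAD learned from the first twelve hours) over constructed hourly traffic volumes. The host names and numbers are invented.

```python
import statistics

# Constructed hourly outbound volume (MB) per host over 14 hours; not from the
# article. backup01 legitimately pushes large volumes every hour; wks-042 is a
# workstation that starts sending far more than its own norm in hours 12-13.
TRAFFIC_MB = {
    "backup01": [780, 810, 795, 820, 790, 805, 815, 800, 790, 810, 820, 800, 795, 805],
    "wks-042":  [4, 6, 5, 5, 7, 4, 6, 5, 5, 6, 4, 5, 190, 210],
    "wks-017":  [5, 3, 6, 4, 5, 5, 4, 6, 5, 4, 5, 6, 5, 4],
}

def static_rule_alerts(traffic, threshold_mb=1000):
    """Typical hand-written SIEM rule: one fixed threshold for every host."""
    return sorted(h for h, hours in traffic.items() if max(hours) > threshold_mb)

def baseline_alerts(traffic, train_hours=12, k=6.0):
    """Per-host baseline learned from the first train_hours: median and MAD.
    Flags later hours whose robust z-score exceeds k."""
    alerts = []
    for host, hours in traffic.items():
        train = hours[:train_hours]
        med = statistics.median(train)
        mad = statistics.median(abs(x - med) for x in train) or 1.0  # guard /0
        for i in range(train_hours, len(hours)):
            z = 0.6745 * (hours[i] - med) / mad   # MAD scaled to ~sigma
            if z > k:
                alerts.append((host, i, round(z, 1)))
    return sorted(alerts)
```

The fixed rule never fires on wks-042 (and lowering it to 500 MB only produces a false positive on backup01), whereas the per-host baseline flags both anomalous hours on wks-042 and nothing else.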
Cyber Analytics can also provide value by giving insight into the exact nature and extent of a detected breach. When an organization knows that a certain breach has occurred and may already have an idea which assets (e.g. desktops or servers) were compromised as part of the attack, Cyber Analytics, e.g. sifting through large amounts of raw log files using time-scale analysis, can help identify the exact attack path that was used and may uncover additional compromised systems and the vulnerabilities through which the attackers were able to break in.
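The time-scale analysis described above, as an added example that is not part of the original article: starting from one host known to be compromised, the code walks backwards through constructed authentication events to recover the chain of hops into it, then forwards to mark every host reached from a compromised one after its compromise time. The heuristic that the latest successful inbound logon before a compromise is the attacker's hop is an assumption of this example; all hosts, users and timestamps are invented.

```python
from datetime import datetime

# Constructed authentication events (not from the article), one per line.
LOG = """\
2015-11-03T01:12:05Z src=203.0.113.7 dst=vpn-gw user=jsmith result=success
2015-11-03T01:20:41Z src=vpn-gw dst=wks-042 user=jsmith result=success
2015-11-03T02:05:13Z src=wks-042 dst=fileserver user=svc_backup result=success
2015-11-03T02:07:55Z src=wks-042 dst=db01 user=svc_backup result=failure
2015-11-03T02:09:30Z src=fileserver dst=db01 user=admin result=success
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(log):
    """Split key=value lines into dicts, sorted by timestamp."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, TS_FMT)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])
def trace_back(events, host, before):
    """Walk back in time. Heuristic: the latest successful inbound logon before a
    host's compromise is the attacker's hop. Returns [(host, time)], entry first."""
    chain, seen = [], {host}
    while True:
        inbound = [e for e in events if e["dst"] == host and e["result"] == "success"
                   and e["ts"] < before and e["src"] not in seen]
        if not inbound:                    # no earlier session: entry point
            chain.append((host, None))
            return chain[::-1]
        prev = inbound[-1]
        chain.append((host, prev["ts"]))
        host, before = prev["src"], prev["ts"]
        seen.add(host)
def trace_forward(events, chain):
    """Successful logons from a compromised host after its compromise time mark the target as suspect."""
    known, suspects = {h for h, _ in chain}, {}
    frontier = [(h, t) for h, t in chain if t]
    while frontier:
        src, t0 = frontier.pop()
        for e in events:
            if (e["src"] == src and e["result"] == "success" and e["ts"] >= t0
                    and e["dst"] not in known and e["dst"] not in suspects):
                suspects[e["dst"]] = e["ts"]
                frontier.append((e["dst"], e["ts"]))
    return suspects
def investigate(host, detected_at):
    chain = trace_back(parse(LOG), host, datetime.strptime(detected_at, TS_FMT))
    return [h for h, _ in chain], sorted(trace_forward(parse(LOG), chain))
```

Given the detection on fileserver at 02:30, the path recovered is 203.0.113.7 → vpn-gw → wks-042 → fileserver, and db01 surfaces as an additional suspect that the initial detection did not cover.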
What are challenges organizations face when harvesting cyber insights using Cyber Analytics?
We notice an increase in the number of organizations that are motivated to start with Cyber Analytics but see it as a challenging objective. The following are complications these organizations face in harvesting cyber insights from their data:
- Getting and retaining the right team for Cyber Analytics. At its core, Cyber Analytics requires bridging two professional domains: hacking and data science. From what we have seen in practice, people mostly fall into one or the other of these categories, i.e. people are seldom experienced in both. Thus, data scientists and security experts need to work closely together to enable the appropriate use cases.
- Getting access to the data needed to create useful Cyber Analytics. Part of the data relevant to Cyber Analytics is typically not owned by the security department. Well-defined governance and adequate stakeholder management are needed to tackle this complication, but so are proper processes and technology to collect and deliver the data. The latter will likely not be in place and has to be arranged additionally during this process.
- Understand the needle first, then proceed with searching the haystack. Defining and implementing successful analytics requires well-defined use cases: problems with clear objectives, constraints and success criteria. For Cyber Analytics this turns out to be a hard problem because organizations have difficulty gaining insight into what is actually happening in their processes, systems and networks.
Analytics to unlock cyber insights
We see a lot of potential in using analytics to unlock cyber insights, as it covers all three relevant domains of cyber security and data is abundant. We acknowledge that there are complications in successfully operationalizing Cyber Analytics, but by focusing on the right enablers and growing the maturity of this capability step by step, we believe that organizations can be successful in managing and mitigating cyber threats.
Do you want to know more on The potential of data analytics for cyber insights? Please contact Peter van Nes at +31 (0)88 288 5385 or Irfaan Santoe at +31 (0)88 288 0530.