By Sheldon Shaw
As the world becomes increasingly interconnected, our connectivity has come at no small cost, opening the door to breaches that are hitting even the best modern day security systems. It seems every few months a large organization announces it has been compromised. A high-profile attack on Target just before the holidays of 2013 and eBay’s troubles earlier this spring have retailers on high alert.
By Sheldon Shaw
Public sector organizations are also increasingly at risk, with the U.S. Justice Department’s claim of Chinese attacks making headlines earlier this year. Canadian agencies aren’t safe either, with news of a Justice Canada phishing scam affecting 5,000 employees earlier this summer.
Criminals are rapidly evolving their hacking techniques and attacking quickly, making timely security and fraud more critical than ever. But as new security threats emerge, and organizations look to new capabilities, most are layering them onto existing defences resulting in a patchwork of equipment and software that makes it challenging to rapidly detect, respond to and remediate breaches. In a world where a country’s economic prosperity and competitiveness depends on “cybersecurity” and the ability to effectively confront threats, this simply will not do. Traditional solutions are failing — as fast as experts put up a firewall, savvy hackers find a way around it. While firewalls and other security appliances are helpful in the fight for cyber security, they can only be so effective. Luckily, the very data we put behind firewalls is proving to be the key to better security.
Cyber war then and now
The world of cyber war and cyber defense have changed dramatically in the past 20 years. At the outset of this cyber frontier John Arquilla and David Ronfeldt’s ‘Cyberwar is Coming’ introduced the concept of Netwars. For several years Netwars dominated thinking in many circles from defense to private industry. While this information operations concept has stayed with us, our definition and agreement around defensive mechanisms has changed routinely. Our language and tools for understanding cybercrime in the era of Netwars evolved through a variety of iterations:
Dump Analysis arose from the oft used tcpdump, a network analysis tool that allows security practitioners to view and analyze network traffic. Analytics in this column were often conducted in small labs disconnected from the internet. Malware was exposed to the network and then tcpdump filters were written to detect the malware and shared amongst a community.
Malware Analysis arose from the ever expanding use of malware to compromise computers. Malware analytics often combined some form of network behavioral analytics to completely understand the inner workings of malware samples. As malware sophistication continued, security analytics toolsets kept pace. This column began to combine analytics of the physical space that malware occupied (file system, registry, etc.) with other more volatile space such as memory. The physical and the virtual analytics provided this analytical column the capacity to remain a significant tool in the defensive security space.
Traffic Analysis emerged from the need to view what was happening from a network level, this analytic column provided an immediate shift away from the tcpdump/pcap analytical focus. Traffic analysis moved the analytical engines away from the host and focused on traffic from routers and further upstream. Along with this movement emerged the Intrusion Prevention System / Intrusion Detection System market. The emergence of significant hardware systems that had embedded analytics gave a false sense of security in the security industry – one that still persists today.
While there has been no definitive defensive strategy that has persisted as long as Netwars, analytics has been the centerpiece of our understanding of Netwars, net-centric warfare, and, by proxy, analytics has been a defensive tactic for some time. What we have not embraced as security practitioners is an effective analytics tool kit as it relates to cyber.
Cybersecurity fits squarely into big data
Cybersecurity fits squarely into big data – cybersecurity is, after all, the analysis of huge amounts of data. Big Data Analytics and the emerging Big and Fast Data Analytics is the most drastic paradigm shift for security analytics in the last 20 years. This area of analytics forces practitioners to abandon most of what they have become comfortable with in the past as security analysts. Big Data comprises a multitude of data sets from around an organization. No longer are security analysts working with just the data sets that they are accustomed to; they now receive and analyze a variety of data from building access cards, Identity Management systems, HR (vacation, leave, discipline, etc.) and many other parts of an organization. Rarely does a security investigation team have access to all of these data sets. In reality, organizational roadblocks means security investigation teams often spend more time trying to access data—in a format that they can handle—than they spend analyzing data. When assessing and analyzing threats, access to data is as important as ensuring it’s in a useable format for security teams. Equality important is the speed of analysis. Analyzing a data set only to identify a weeks-old breach does little to protect your enterprise.
We are currently in an era of explosive ingenuity and investment that is making significant new strides in security analytics. The most fertile aspect of this discipline is that it can now embrace the other three analytical columns along the analytical spectrum. For instance, Big Data analytics might determine that there is an abnormal pattern of traffic emerging in a certain subnet of a network. Drilling down into the data this same platform loads host-based data and engages complex algorithms to determine how many hosts out of the sample are behaving abnormally, which can then lead the security practitioner to a more tactile investigation. All along this continuum the security practitioner was using the same data environment, whether it’s a cloud or on premise data store.
We are entering an exciting stage in the evolution of analytics technologies, and with it all the promises of security panaceas. There may never be a one-size-fits-all solution, but there will be new explorations and visualizations of the security threat. Analytics will move the math from data centres and spreadsheets to the edges of the network, where complex algorithms and real time engines will process and analyze data. As we move closer and closer to this form of analytics the security landscape will be shifting away from looking at the bad to looking at the holistic network behaviours, what has changed, and most importantly, what is the risk.
While we continue to believe that storage will decrease in cost and processing will continue to increase to unprecedented levels, we need to remain vigilant from a policy perspective that we are interacting with data in a legal manner and that our activity is clearly documented. This will become more important as we move the math to the edges of our networks and further upstream to other networks. In our pursuit of security analytics we must also remind ourselves that our algorithms are producing constructs that influence our decisions, and that as these algorithms learn and modify themselves we must take ownership of them and place effective controls on their intelligence. This will be critical as we continue to balance the laws of values of a changing digital society marketed by an abundance of information.
Embracing new skill sets
With the appropriate policy framework, privacy controls and technology, this new era of analytics will open security analytics to a variety of other specialties, including behavioral scientists, mathematicians, cognitive scientists and linguists. Traditional security practitioners need not fear for their roles, as these new colleagues will bring a fresh new perspective to the threat landscape and the analytics process. As we ingest more data in an effort to more thoroughly understand the threat, the intent and the perpetrator, the behavioral scientists might bring a clearer understanding of the intent, the linguists might bring a more complete understanding of the subtleties of regional dialectal differences and the cognitive scientist might be able to comment on the motivations. To this end this new column of analytics offer the security community an exciting opportunity to understand the full scope of a threat and to make better informed decisions on the remedial actions to take.
Cybercrime costs the global economy about $445 billion every year, with the damage to business from the theft of intellectual property exceeding the $160 billion loss to individuals from hacking. Criminals are rapidly evolving their hacking techniques, and are attacking quickly, making timely security and fraud analytics more critical than ever. Research firm Gartner claims big data analytics will play a crucial role in detecting crime and security infractions. By 2016, more than 25 percent of global firms will adopt big data analytics for at least one security and fraud detection use case, up from current eight percent.
The fact is, big data isn’t going away any time soon. Combining big data analytics with security technologies yields a stronger defense posture. Big security analytics provide high-speed, automated analysis to bring network activity into clear focus to detect and stop threats, and shorten the time to remediation when attacks occur. Cyber analytics will be the only true way to ensure governments and organizations alike can remain secure in a connected world. Their future success will depend on the quality of their big data tools and the accuracy of their predictions.
Sheldon Shaw is the National Account Manager for Cyber Analytics, SAS Canada.