Author(s): Mark Loucks, Posted on May 18th, 2017
It is hardly news to anyone that we now live in a world inundated with data. Perhaps nowhere is this better illustrated in the corporate world than in cyber security, where staggering amounts of information are captured and scrutinized for threats. Networks and systems generate millions of logs and alerts every second, making the task of extracting the information relevant to detecting and responding to intrusion attempts an increasingly complex challenge.
Fortunately, advances in data analysis technology (or Data Analytics) give you a powerful tool to support this task. Only algorithms, methods, and tools designed to process millions of information elements in milliseconds can help security teams stay one step ahead of cybercriminals. Here are seven concrete use cases where Data Analytics can make security smarter:
Social network analytics
Today, data analytic tools are used by marketing departments and business units to gauge the behavior and experience that consumers share on social networks. The same technology can be used to monitor social networks for criminal activity: for example, offers to sell fake credit cards, access passwords and other illegally obtained information, as well as information leakage through careless or malicious employees. It is also common for inexperienced criminals to use social networks to boast about their deeds. A solution that monitors for keywords and phrases in different languages can trigger a notification when such messages are shared.
Enterprise network analysis
Large organizations often use monitoring and event correlation systems (including SIEM – Security Information & Event Management). These essential systems help detect attacks by collecting and normalizing log data and alerts from different platforms such as firewalls, IPS, routers, servers, and so on, and correlating those events to reduce false positives and improve the effectiveness of attack detection. This is where feeding an additional Data Intelligence source into the system and correlating external factors enhances identification and can even predict threat activity.
Improve network security and performance
Network traffic analysis tools allow a company to establish what “normal” traffic behavior patterns are between different application systems and infrastructure. From this, models can be created to improve the performance or security of the architecture. For example, modeling the interaction of a user community with their systems makes it possible to implement microsegmentation in the network, thereby reducing the attack surface and adopting a Reduced Scope of Trust.
Identify Shadow IT
Identifying systems running outside the governance of the IT department (Shadow IT) is a real concern for IT managers and security administrators. Analyzing internal network traffic and Internet access points can identify cloud computing usage and services outside the company perimeter and assist in mapping Shadow IT resources.
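The two ideas above (a learned baseline of "normal" talker pairs, and flagging traffic that leaves the perimeter for services IT never sanctioned) can be combined in a small flow-analysis routine. This is an added example, not code from the author or from any Unisys product; the flow records, subnets and the sanctioned-service list are all constructed here.

```python
"""Flow-baseline analysis: learn the 'normal' talker pairs from a training
window, then flag new internal flows (microsegmentation policy candidates)
and unsanctioned external destinations (Shadow IT).
All records below are constructed for this example."""
import ipaddress

# Constructed: (source host, destination host or domain, destination port)
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 443),             # web tier -> app tier
    ("10.1.2.20", "10.1.3.30", 5432),            # app tier -> database
    ("10.1.1.10", "crm.example-saas.com", 443),  # approved SaaS CRM
]
NEW_FLOWS = [
    ("10.1.1.10", "10.1.2.20", 443),
    ("10.1.1.10", "10.1.3.30", 5432),                 # web tier talking straight to the DB
    ("10.1.1.11", "files.unknown-cloud.test", 443),   # cloud storage nobody approved
    ("10.1.2.20", "crm.example-saas.com", 443),       # new, but sanctioned
]
SANCTIONED_SERVICES = {"crm.example-saas.com"}  # constructed IT-approved cloud services


def is_internal(host):
    """RFC 1918 addresses are inside the perimeter; DNS names are external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def learn_baseline(flows):
    """The baseline is simply the set of (src, dst, port) triples seen while learning."""
    return {(src, dst, port) for src, dst, port in flows}


def analyse(flows, baseline, sanctioned):
    """Return flows not in the baseline, split by what they tell the analyst."""
    findings = {"new_internal_flow": [], "shadow_it": []}
    for src, dst, port in flows:
        if (src, dst, port) in baseline:
            continue  # known-normal pair, nothing to report
        if is_internal(dst):
            findings["new_internal_flow"].append((src, dst, port))
        elif dst not in sanctioned:
            findings["shadow_it"].append((src, dst, port))
    return findings


if __name__ == "__main__":
    print(analyse(NEW_FLOWS, learn_baseline(BASELINE_FLOWS), SANCTIONED_SERVICES))
```

In practice the baseline would be aggregated over a learning window long enough to cover batch jobs and month-end processing, otherwise the first quarterly report run shows up as a "new" flow.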
It is common to use vulnerability scanning tools to identify downlevel or misconfigured systems that represent a vulnerability exploitable by several different types of threats. Imagine enhancing this by pairing it with monitoring for abnormal network behavior patterns that correspond to or precede those exploits. One example is the identification of behaviors and accesses that indicate breaches of security policy in the use of systems and company information.
Similarly, monitoring traffic passing through the network may reveal policy compliance failures, design failures or deficiencies in controls. One example is PCI DSS certification, which aims to protect cardholder data and is a common requirement for companies selling products and services by credit card and for financial institutions. PCI DSS certified companies typically have a segmented certification scope that isolates the systems handling card data from all others. Security intelligence can continuously monitor for the presence of card data outside of this environment.
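The last sentence describes a concrete detection: card numbers (PANs) turning up on systems outside the certified scope. The added example below, which is not the author's code, finds Luhn-valid PAN candidates in captured payloads and reports only those whose source address lies outside a constructed in-scope (CDE) subnet; the sample records and networks are invented for the example, and findings are masked so the detector does not itself spread card data.

```python
"""Detect card numbers (PANs) observed outside the PCI DSS scope.
Sample records and the CDE subnet below are constructed for this example."""
import ipaddress
import re

CDE_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]  # constructed in-scope segment
# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: doubling every second digit from the right, digit-summing over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def in_cde(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def mask(pan):
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(records):
    """records: (source_ip, payload). Returns (source_ip, masked PAN) for out-of-scope hits."""
    return [(src, mask(p)) for src, payload in records
            if not in_cde(src) for p in find_pans(payload)]


SAMPLE_RECORDS = [  # constructed
    ("10.50.3.7", "POST /charge card=4111111111111111"),               # inside CDE: expected
    ("10.20.8.15", "ticket note: customer card 4111 1111 1111 1111"),  # outside CDE: finding
    ("10.20.8.16", "order id 1234567890123456"),                       # fails Luhn: ignored
]
```

Luhn filtering removes most order numbers and timestamps, but 16-digit values that happen to pass the checksum still occur, so the scope list and a review step matter more than the regex.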
Intellectual Property Protection
Data Loss Prevention solutions monitor network traffic at strategic points, such as the outbound Internet link or near e-mail servers, to identify transmission of sensitive data beyond the perimeter of the corporate network. A Security Intelligence solution can serve this role with the added benefit of behavioral or keyword-driven analysis and monitoring models that let you identify threats related to the loss of sensitive business information.
Certainly, the above list of Analytics Use Cases for the cybersecurity world is not exhaustive, but it does identify areas where implementation can produce fruitful results. With growing threats, increasingly complex networks and exponential data growth, turning to machine learning and cyber analytic models is the edge needed to put yourself ahead of the cybercriminals.
About the Author
Mark Loucks is a senior data scientist with Unisys and serves as Principal Practice Director for our Cyber Security Intelligence group. He also has responsibility as a member of the Unisys Advanced Data Analytics leadership team to promote the advancement of data intelligence and automation to solve some of our clients’ most difficult problems.