Looking for trouble: How predictive analytics is transforming cybersecurity
Leading organizations recognize that stringent cybersecurity processes and strong infrastructure, while essential, are not enough on their own to stop today’s threats, which arrive from many directions at once. So they aim to use predictive analytics to identify and stop potential threats before they can wreak havoc. Approaches that organizations are taking to root out potential threats include automated scanning of Internet chatter; development of predictive models from the analysis of past hacks and breaches; and systematic, continuous probing of their own defenses.
As some private and public sector organizations are discovering, the combination of advanced analytics and a red team approach – thinking like the enemy – can yield powerful insights.
Who’s getting to know you to get at you?
First created to test the security of military installations, red teams are used today to model a broad array of potential physical, social, and electronic attacks. A red team exercise involving a life sciences company offers an illustrative example of this approach in a cyber setting.
Like its industry counterparts, the company derives its value from its intellectual property, and specifically from the talent and knowledge of its scientists. Company leaders therefore want to know which employees are most likely to be targeted, by state-sponsored and non-state attackers alike.
The red team could mine publicly available data in the same manner that a potential intruder would, searching across public information, the dark web, social media, research publications, and other sources. The process is likely to capture data on both sides of the threat: on possible attackers, such as people on the dark web discussing the theft of pharmaceutical data and the tools at their disposal, and on employees at risk, such as company personnel who may be revealing too much, whether on social media, in research papers, or at academic forums.
Such a process could identify employees who are giving out specific information about themselves and the research they are conducting. For example, a clinical director of a drug trial might be revealed to enjoy fishing and to be a huge fan of the local professional football team. An enterprising attacker could fashion a spear-phishing email inviting the person to meet the team’s quarterback. One click on the invitation would install malware on the director’s computer, giving the attacker a foothold from which to extract data. The same profile, assembled by the red team first, lets the company warn the director and watch for lures built on exactly those interests.
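The triage step the passage describes, linking public posts back to employees and weighing what they disclose, can be made mechanical. The following is an added example, not code from the article; the roster, handles, project name, trial identifier and posts are all constructed for illustration, and the weights are assumptions a real red team would tune to its own client.

```python
"""Exposure scoring for red-team OSINT triage (added example; all data invented).

Given an employee roster and a handful of public posts, attribute each post to an
employee, flag sensitive disclosures (project code names, trial identifiers) and
collect personal interests an attacker could turn into a phishing pretext.
"""
import re

# Constructed roster: employee -> public handles and role (hypothetical).
ROSTER = {
    "Dana Ortiz": {"handles": {"@dortiz_sci"}, "role": "Clinical director"},
    "Wei Chen": {"handles": {"@wchen"}, "role": "Research scientist"},
}

# Sensitive terms, each with a label and an assumed weight. "Project Ardent" is an
# invented code name; the NCT pattern matches ClinicalTrials.gov style identifiers.
SENSITIVE_TERMS = {
    r"\bproject\s+ardent\b": ("project_codename", 40),
    r"\bNCT\d{8}\b": ("trial_identifier", 30),
    r"\bphase\s+(?:III|II|3|2)\b": ("trial_phase", 10),
}

# Personal interests that make a convincing lure (the article's fishing/football example).
INTEREST_TERMS = {
    r"\bfishing\b": "fishing",
    r"\bquarterback\b|\btouchdown\b|\bfootball\b": "football",
}

# Constructed public posts as (handle, text); none of these are real.
POSTS = [
    ("@dortiz_sci", "Great weekend fishing on the lake. Back to the Project Ardent phase III readout Monday!"),
    ("@dortiz_sci", "Can't wait for Sunday's game, our quarterback is unstoppable."),
    ("@wchen", "Poster accepted! Presenting our enrollment results for NCT01234567 next month."),
    ("@randomfan", "Project Ardent sounds cool, what is it?"),
]


def score_posts(posts, roster=ROSTER):
    """Return {employee: {"score", "disclosures", "interests"}} for posts by roster members."""
    handle_to_name = {h: name for name, info in roster.items() for h in info["handles"]}
    report = {}
    for handle, text in posts:
        name = handle_to_name.get(handle)
        if name is None:
            continue  # outsider talking about us: interesting, but not an employee exposure
        entry = report.setdefault(name, {"score": 0, "disclosures": [], "interests": set()})
        for pattern, (label, weight) in SENSITIVE_TERMS.items():
            if re.search(pattern, text, re.IGNORECASE):
                entry["score"] += weight
                entry["disclosures"].append(label)
        for pattern, label in INTEREST_TERMS.items():
            if re.search(pattern, text, re.IGNORECASE):
                entry["interests"].add(label)
    return report


def rank(report):
    """Employees ordered from most to least exposed."""
    return sorted(report, key=lambda n: report[n]["score"], reverse=True)


if __name__ == "__main__":
    report = score_posts(POSTS)
    for name in rank(report):
        e = report[name]
        print(f"{name} ({ROSTER[name]['role']}): score={e['score']} "
              f"disclosures={e['disclosures']} pretexts={sorted(e['interests'])}")
```

The output pairs each employee's disclosure score with the pretexts an attacker would most plausibly use, which is the list a defender needs in order to brief those people and to tune mail filtering for lures built on those themes. Real work would replace the regexes with an entity-resolution step, since attributing handles to employees is the hard part.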
How to cut Big Data down to size
Some large federal government agencies have IT systems and networks comprising many millions of devices and endpoints, each a likely target of a cyberattack, and together generating billions of records a day. Extracting useful signals about anomalies in such a scenario requires observing how these nodes behave and interact over time, so that normal behavior can be told from abnormal. Many billions of records covering a 30-day window would need to be processed continuously, as they arrive, to produce meaningful insights.
Before wading into that ocean of internal data, a red team would first turn its attention to information publicly available on the Internet. The exploration, which at agency scale requires substantial computing capacity, could be revealing. For example, an outside contractor might post on social media that he is involved in a research project with the agency. Agency employees might talk on social media with each other about working on something interesting. Through this process, the red team could identify the entities, devices, and people that the agency needs to focus its attention on, which are the same ones an attacker would find first.
Keys to taming the beast
The cyber threats are constant, and the signs revealing where they lie are buried in petabytes of data. So what is a good starting point for using predictive analytics to uncover them? Here are three considerations:
Get, and stay, focused. Staying ahead of threats begins with looking at the right data. Depending on how it is tuned, a typical security information and event management (SIEM) solution can generate 10 alerts a day or 1,000, so it is important to establish a level of monitoring the team can actually investigate. Also, analytics are not static. Once a baseline is set, the capability needs to be constantly tuned to an ever-changing environment, or yesterday's anomaly quietly becomes today's normal.
Evaluate the organization’s capabilities. In past years, engineers who could configure, deploy, and troubleshoot systems were the most prized talent. Today, data scientists are in high demand, as even the most powerful analytical tools are of little value without people who know how to use them. These need not be pure technologists; they are people who understand the business and its risks, and can correlate and refine data to recognize threatening patterns.
Get grounded in the business. Talented data scientists and beastly computers are essential elements in the cyber risk fighting arsenal. But knowing the business is no less important, because the people attacking the enterprise certainly do. If the target is an oil and gas company, intruders could be looking for engineering schematics or information on the cost of drilling rights. If it’s a company built on mergers and acquisitions (M&A), would-be investors may be probing to find out who the next M&A target is. If it’s a retailer, someone is eager to dissect the supplier strategy. A vital element of cyber defense, then, is understanding what enterprise assets are at risk and which ones are the highest priority for protection.
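The two mechanics behind the agency scenario above (observe each node over a window to learn what is normal) and the first consideration (set a baseline, keep the alert volume feasible, keep tuning) come together in a per-host rate baseline. What follows is an added example rather than anything from the article or from an agency system: the log format, field names, window size and thresholds are assumptions, and the event counts are constructed so that one host spikes hard, one drifts mildly and one stays normal.

```python
"""Per-host event-rate baselining with a tunable threshold (added example; data invented).

Each host keeps a sliding window of past interval counts. A new count is scored as a
z-score against that window; the alert threshold is the knob that sets alert volume,
and excluding alerted samples from the window keeps an attack from becoming the baseline.
"""
import math
import re
import statistics
from collections import defaultdict, deque

# Constructed telemetry: event counts per daily interval for three hosts (invented numbers).
COUNTS = {
    "ws-17": [100, 104, 98, 102, 100, 101, 99, 100, 400],      # hard spike on day 9
    "srv-02": [1000, 1010, 990, 1005, 995, 1000, 1000, 1000, 1002],  # normal for this host
    "db-01": [50, 52, 48, 50, 51, 49, 50, 50, 53],             # mild excursion on day 9
}
# Assumed log format; rendered from COUNTS so the parser below has realistic input.
LOG_LINES = [
    f"ts=2024-03-{day:02d}T00:00Z host={host} events={COUNTS[host][day - 1]}"
    for day in range(1, 10) for host in COUNTS
]
LINE_RE = re.compile(r"ts=(\S+) host=(\S+) events=(\d+)")


def parse(line):
    """Return (timestamp, host, count) or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    return None if m is None else (m.group(1), m.group(2), int(m.group(3)))


class HostBaseline:
    """Sliding window of recent counts; the article's 30-day window shrunk to 8 samples here."""

    def __init__(self, window):
        self.samples = deque(maxlen=window)

    def zscore(self, x):
        """z-score of x against the window, or None until the window is full (warm-up)."""
        if len(self.samples) < self.samples.maxlen:
            return None
        mean = statistics.fmean(self.samples)
        std = statistics.pstdev(self.samples)
        if std == 0:  # perfectly flat history: any change is infinitely surprising
            return 0.0 if x == mean else math.inf
        return (x - mean) / std

    def add(self, x):
        self.samples.append(x)


class RateAnomalyDetector:
    def __init__(self, window=8, z_threshold=3.0, exclude_alerts=True):
        self.z_threshold = z_threshold
        self.exclude_alerts = exclude_alerts
        self.baselines = defaultdict(lambda: HostBaseline(window))

    def observe(self, host, count):
        """Score one interval for a host, then fold it into the baseline. Returns (z, alerted)."""
        b = self.baselines[host]
        z = b.zscore(count)
        alerted = z is not None and abs(z) >= self.z_threshold
        # Tuning caveat: if an alerted sample enters the window it inflates the spread,
        # so a repeat of the same spike stops looking anomalous. Keep it out by default.
        if not (alerted and self.exclude_alerts):
            b.add(count)
        return z, alerted


def run(lines, **detector_kwargs):
    """Replay log lines through a fresh detector; return (ts, host, count, z) per alert."""
    det = RateAnomalyDetector(**detector_kwargs)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, host, count = rec
        z, alerted = det.observe(host, count)
        if alerted:
            alerts.append((ts, host, count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for threshold in (2.0, 3.0):
        print(f"z >= {threshold}: {run(LOG_LINES, z_threshold=threshold)}")
```

Run as written, the threshold of 3.0 yields a single alert (ws-17 at 400 events) while 2.0 also flags db-01's 53, and srv-02's 1002 never fires because it is normal for that host. That is the "feasible level of monitoring" decision made concrete: the same data produces one alert or two depending on one parameter, and a real deployment would also revisit the window length and the per-host exclusion rule as the environment changes.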
Strengthening security with analytics
Cyber threats will only grow in number, creativity, and potential to do damage. One of the leading ways to fight them is to flush out potential perpetrators before they breach defenses. Putting predictive analytics tools in the hands of business-oriented and risk-intelligent data scientists can better equip organizations to address cyber risks today and in the future.