Using Predictive Analytics to Identify Cyber Security Risks

By Bill Sweeney

In today’s fast-moving, dynamic digital environment, there is no crystal ball that can tell you the form or target of the next cyber-attack. The IT product development cycle has become so fast and so centred on functionality that security is rarely in focus. Most developers assume that the layers upon which they build provide the necessary security. Unfortunately, the platforms on which most of these systems have been built are porous, and attackers are actively looking to exploit the holes in these systems at all levels.

Since the form or morphology of these attacks can change so dramatically between iterations, CISOs must assume that some will succeed even as they continuously strengthen their defences and strive to handle the volume of alerts generated by their current tools. In fact, it is best that CISOs assume it’s a case of “when we get hacked, not if.”

Big data and predictive analytics show great promise when it comes to cyber defence because of their ability to transform massive amounts of data into actionable intelligence. Predictive indicators can identify new emergent risks before they result in significant losses and help your security staff deal with alert overload.

Today’s cyber criminals have learned that snatch-and-grab attacks, where they attempt to quickly steal large amounts of data from a network, are easily detected by network defences such as firewalls and anti-virus, which will effectively shut down or quarantine access. Therefore, criminals have evolved a more patient approach, constructing layered software that is designed to steal small fragments of data over a longer period of time.

Because many of these pieces of software are disguised as commonly used formats (JPEGs and PDFs, for example), they often go undetected by many systems. The industry average time before a network breach is detected stands at around 200 days. The result for the victim is death by a thousand cuts.

Predictive analytics can detect these data anomalies early on, looking for new patterns of data access, including hidden data that is being ‘exfiltrated’ into another format and/or encrypted to avoid detection. By finding these anomalous patterns, predictive analytics help reduce a company’s overall risk exposure by limiting the amount of time that an attacker remains undetected inside the network.
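The two detection ideas above, a per-host baseline of outbound volume that catches a slow drip and a content check on files that claim to be JPEGs or PDFs, are worked through in the added Python example below. It is not code from the article or from BAE Systems; the host history, file names and byte strings are constructed for the example, and the z-score and entropy thresholds are illustrative assumptions.

```python
"""Added example: spotting slow, disguised exfiltration in constructed data.

Two checks from the article, with every record below constructed for the
example: (1) a per-host baseline of daily outbound volume that flags a host
drifting above its own norm, and (2) a content check on files leaving the
network whose declared type (JPEG/PDF) does not match their bytes, or whose
bytes look encrypted where plain content was expected."""
import math
import statistics
from collections import defaultdict

# Constructed 14-day history of (day, host, outbound_bytes). "host-b" pushes a
# little more out each day: the slow-drip pattern rather than a snatch-and-grab.
HISTORY = [(d, "host-a", 50_000 + (d % 3) * 2_000) for d in range(1, 15)] + \
          [(d, "host-b", 40_000 + d * 3_000) for d in range(1, 15)]


def daily_baseline(history):
    """Per-host (mean, population stdev) of daily outbound bytes."""
    per_host = defaultdict(list)
    for _day, host, nbytes in history:
        per_host[host].append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def volume_anomalies(baseline, today, z_threshold=3.0):
    """Hosts whose outbound bytes today sit z_threshold stdevs above their mean,
    most anomalous first. A host with no history is always flagged."""
    flagged = []
    for host, nbytes in today.items():
        mean, stdev = baseline.get(host, (0.0, 0.0))
        z = (nbytes - mean) / stdev if stdev else float("inf")
        if z >= z_threshold:
            flagged.append((host, round(z, 2)))
    return sorted(flagged, key=lambda hz: -hz[1])


# Leading bytes a file of the declared type must start with.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
# Formats whose bodies should be low-entropy text. JPEG and PDF streams are
# compressed and legitimately near 8 bits/byte, so they are not judged on entropy.
PLAIN_TEXT = {".txt", ".csv", ".log"}


def shannon_entropy(data):
    """Bits per byte: about 8.0 for encrypted or compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def file_suspicion(name, data, entropy_threshold=7.5):
    """Reasons a transferred file looks disguised; empty if it looks legitimate."""
    reasons = []
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic and not data.startswith(magic):
        reasons.append("magic-mismatch")
    # Entropy only means something where plain content was expected, or where
    # the declared type has already been shown to be a lie.
    if (ext in PLAIN_TEXT or reasons) and shannon_entropy(data) >= entropy_threshold:
        reasons.append("high-entropy")
    return reasons


if __name__ == "__main__":
    today = {"host-a": 53_000, "host-b": 200_000}  # constructed "today" totals
    print("volume anomalies:", volume_anomalies(daily_baseline(HISTORY), today))
    for fname, blob in [("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 200),
                        ("photo.jpg", bytes(range(256)) * 4),
                        ("notes.txt", b"quarterly figures attached\n" * 10)]:
        print(fname, file_suspicion(fname, blob) or "ok")
```

The entropy test is deliberately restricted: applied to every file it would flag every genuine JPEG and PDF, which is exactly the false-positive flood the article warns about later. Restricting it to declared plain-text formats and to files whose header already lies keeps it informative.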

Managing Cyber Alerts Effectively

One of the most common issues that CISOs face with regard to cyber security is “alert fatigue,” which results from the sheer volume of alerts generated by cyber defence systems during the course of a given day.

With predictive analytics, risks are evaluated and ranked on a sliding scale of importance. If suspicious or malicious behaviour is detected, the analytics engine alerts the right people, ranking the findings from highest to lowest risk. Leveraging vast amounts of data while processing it efficiently allows predictive analytics to provide real-time responses, in contrast to older approaches that are time-consuming, inefficient and expensive.

Predictive analytics are not perfect, however, and the desire to go unobserved causes cyber criminals to mimic normal behaviour if possible. Therefore, managing the predictive analytics process requires an organization to handle the false positives and false negatives that are generated during the threat surveillance process.

On one hand, the system must have a very low tolerance for false negatives, since missing active threats can lead to the very disaster we are trying to avoid. Conversely, the organisation needs to track how many false positives are being raised, to ensure that neither the system nor the people are overburdened.

Equally, the system cannot be so restrictive that it blocks legitimate traffic (customer e-mail, for example), which can lead to a reduction in profits or in customer service. It is a balancing act, and how you manage the process is crucial to obtaining the best results.

With limited resources, organisations need to identify the most severe cases first by prioritizing alerts based on potential impact and then handling all alerts efficiently. One approach is to have levels of security analysts with different skill levels.

First-level analysts should try to handle an alert within five minutes; otherwise, they should escalate it to the experts who can distinguish a targeted attack from a generic one. This way, critical resources are freed up so that organizations engage their most valuable people only on the most important threats. Businesses must address both known and unknown (emergent) risks when developing a cyber defence program. Once risks become “known,” a standard form of defence should be constructed. Companies need to save their most skilled resources for discovering the “unknown risks” and defending against them.
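The ranking, the false-positive/false-negative balance and the tiered five-minute escalation described in the last several paragraphs fit together in the added Python example below. It is not code from the article or from BAE Systems: the alerts, their model scores, impact weights, ground-truth labels and first-level handling times are all constructed for the example, and the rule used to pick a threshold (bound the false-negative rate first, then take the highest threshold that still meets it) is one reasonable reading of the text, not a method the article prescribes.

```python
"""Added example: ranking alerts, choosing a threshold and working a tiered queue.

Constructed alerts carry a model score in [0, 1] and an asset impact weight;
risk = score * impact. A threshold is chosen on a labelled sample by bounding
the false-negative rate first (a missed live threat is the costly case) and
then taking the highest threshold that still meets the bound, which is what
minimises false positives and analyst load. Alerts above the line are worked
highest risk first; anything a first-level analyst cannot close within five
minutes goes to the expert tier."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    score: float              # model probability that the activity is malicious
    impact: float             # 1.0 = low-value asset ... 3.0 = critical system
    is_threat: Optional[bool] = None  # ground truth, known only in the labelled sample

    @property
    def risk(self):
        return self.score * self.impact


# Constructed labelled sample: a4 is a genuine slow-drip threat the model
# scored low, the case that forces the threshold down.
LABELLED = [
    Alert("a1", 0.95, 3.0, True),  Alert("a2", 0.80, 2.0, True),
    Alert("a3", 0.60, 3.0, True),  Alert("a4", 0.40, 1.0, True),
    Alert("a5", 0.70, 1.0, False), Alert("a6", 0.30, 2.0, False),
    Alert("a7", 0.20, 1.0, False), Alert("a8", 0.50, 1.0, False),
    Alert("a9", 0.10, 3.0, False), Alert("a10", 0.90, 1.0, False),
]


def rank_alerts(alerts):
    """Highest risk first."""
    return sorted(alerts, key=lambda a: a.risk, reverse=True)


def confusion(labelled, threshold):
    """Counts of true/false positives and negatives at a given risk threshold."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for a in labelled:
        flagged = a.risk >= threshold
        key = ("tp" if a.is_threat else "fp") if flagged else ("fn" if a.is_threat else "tn")
        counts[key] += 1
    return counts


def choose_threshold(labelled, max_fn_rate=0.0):
    """Highest risk threshold whose false-negative rate on the labelled sample
    does not exceed max_fn_rate. Candidate thresholds are the observed risks."""
    positives = sum(1 for a in labelled if a.is_threat)
    best = 0.0
    for t in sorted({a.risk for a in labelled}):
        if confusion(labelled, t)["fn"] / positives <= max_fn_rate:
            best = t
    return best


def triage(alerts, threshold, handle_seconds, sla_seconds=300):
    """Work alerts at or above threshold in risk order. handle_seconds maps an
    alert id to the time the first-level analyst needed (constructed here);
    anything over the SLA, or with no figure, is escalated to the experts.
    Returns (closed_ids, escalated_ids)."""
    closed, escalated = [], []
    for a in rank_alerts(alerts):
        if a.risk < threshold:
            continue  # below the line: recorded, not worked now
        if handle_seconds.get(a.alert_id, sla_seconds + 1) <= sla_seconds:
            closed.append(a.alert_id)
        else:
            escalated.append(a.alert_id)
    return closed, escalated


if __name__ == "__main__":
    for fn_rate in (0.0, 0.25):
        t = choose_threshold(LABELLED, fn_rate)
        print(f"max FN rate {fn_rate}: threshold {t:.2f} -> {confusion(LABELLED, t)}")
    # Constructed first-level handling times in seconds; a7 and a9 have none.
    times = {"a1": 600, "a2": 120, "a3": 400, "a4": 200, "a5": 60,
             "a6": 90, "a8": 100, "a10": 150}
    print(triage(LABELLED, choose_threshold(LABELLED), times))
```

Running it shows the balancing act in numbers: insisting on zero missed threats on this sample forces the threshold down to 0.4 and lets four false positives through, while tolerating one miss in four lifts the threshold to 1.6 and removes every false positive, at the price of the low-scored slow-drip threat. Which side of that trade an organisation accepts is the management decision the article describes, not something the model can settle on its own.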

Using predictive indicators to detect the unknown risk is incredibly challenging, but by assessing losses and anomalous behaviours, businesses, along with their partners, can use big data to solve big problems.

Bill Sweeney is Chief Technology Officer at BAE Systems.