Improving Cyber Security with Analytics and Automation

While cyber security grows more complex by the day, some aspects of it are all too clear. The number of threats to large organisations has spiked in recent years, as has the number of bad actors who create them. It is now evident that no company is safe. However, the majority of organisations across the globe are still ill-prepared to handle a sophisticated modern cyber attack. Cyber security professionals are now turning to analytics and automation to try to deal with the problem.

Today, IT is up against advanced persistent threats (APTs). The intention of an APT attack is to steal data rather than to cause damage to the network or organisation. Many of these attacks are being spearheaded by vast hordes of automated bots rather than human hackers.

Simply put, IT personnel are no match for such intensive, sustained attacks. Not only are humans incapable of keeping up with the sheer volume of incoming threats, but making quick decisions and addressing such an attack manually is inherently inefficient. As a result, data breaches are already becoming increasingly commonplace. In 2016 alone, half a billion personal records were stolen or lost.

The emergence of the Internet of Things (IoT) only serves to further increase the demand for improved cyber security as millions more devices come online each year. Writing for The New York Times, Zeynep Tufekci (self-described “Techno-sociologist”) highlighted the sorts of risks we may see emerge as more products and appliances come with in-built connectivity.

“Connecting everyday objects introduces new risks if done at mass scale. Take a ‘smart’ refrigerator for example. If a single fridge malfunctions, it’s a hassle. However, if the fridge’s computer is connected to its motor, a software bug or hack could “brick” millions of them all at once — turning them into plastic pantries with heavy doors,” she said.

Could analytics and automation rescue cyber security from these mounting challenges?

A different approach to cyber security

Traditional approaches to addressing cyber attacks employ “threat signatures” based on patterns of previous attacks. But such techniques are of little help when it comes to preventing new types of attacks, as James Packer, Cyber Security Professional and Founder of the London Chapter of ISC2, explained:

“Threat signatures are a very effective mechanism to identify and protect against 99% of attacks. The limitation of using signature-based detection, however, comes with the remaining 1%; zero-day exploits. Threat signatures are created using existing knowledge of how particular attacks are executed. With zero-day exploits, this knowledge is absent, i.e. they exploit newly discovered vulnerabilities in unknown ways. When sole reliance is placed on having an awareness of a type of attack, without this awareness, detection and prevention controls are entirely ineffective,” he said.

A promising solution that is currently being explored is to use analytics to predict and screen novel threats and then deploy automated systems to take corrective actions. While we are still a long way off the emergence of fully automated cyber security systems, James pointed to the clear signs of progress in this field.

“Security operations centres (SOCs) across the globe are increasingly tuning technology in line with possible attack scenarios to automate and streamline the incident response process. Furthermore, advanced analytics enables better decision making in security. Using machine learning to analyse attack trends can highlight particular areas of weakness that may have been previously unrecognisable.

“With too much data being produced for humans to interpret, training computers to understand patterns aids in detecting attacks such as “low-and-slow” attacks – those which are both subtle and prolonged,” he said.

The same software and modeling approaches used to identify credit card fraud (a form of anomaly detection) are now being applied to the behaviors seen in cyber security attacks. Unlike threat signatures, these tools offer some protection against newly-emerging threats.
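To make the contrast concrete, here is an added example (not from the original article or from any vendor named in it) that runs a signature-style rule and a simple anomaly score over the same constructed day of failed-login counts. The source names, the burst threshold standing in for a "known attack pattern", and the modified z-score cutoff are all assumptions chosen for illustration.

```python
import statistics
from collections import Counter

# Constructed sample data: hours of the day at which each (hypothetical)
# workstation had one failed login, i.e. ordinary mistyped passwords.
TYPOS = {"ws-01": [2, 9], "ws-02": [8], "ws-03": [7, 13, 18],
         "ws-04": [10], "ws-05": [9, 16]}
BURST_THRESHOLD = 20  # assumed signature: >= 20 failures within one hour

def build_events():
    """Return (hour, source, failed_logins) tuples for one constructed day."""
    events = [(h, src, 1) for src, hours in TYPOS.items() for h in hours]
    # "Low-and-slow" source: 3 guesses every hour, never a visible burst.
    events += [(h, "ext-77", 3) for h in range(24)]
    # Noisy source: one large burst, the pattern the signature was written for.
    events.append((13, "ext-99", 40))
    return events

def signature_hits(events):
    """Flag sources that match the known burst pattern in any single hour."""
    return sorted({src for _, src, n in events if n >= BURST_THRESHOLD})

def anomaly_hits(events, cutoff=3.5):
    """Flag sources whose daily total is far above the population baseline.

    Uses the modified z-score (median and median absolute deviation), which
    stays stable even when the outliers themselves are part of the sample.
    """
    totals = Counter()
    for _, src, n in events:
        totals[src] += n
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    return sorted(s for s, v in totals.items()
                  if 0.6745 * (v - med) / mad > cutoff)

if __name__ == "__main__":
    ev = build_events()
    print("signature rule flags:", signature_hits(ev))
    print("anomaly score flags: ", anomaly_hits(ev))
```

The burst rule only sees the source it was written for, while the baseline comparison also surfaces the source that stayed under the hourly threshold all day.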

Currently, the major limitation of such tools is the investment required in terms of capital and resources. It is an expensive process to build tools which are tailored to the environment they protect. Furthermore, the vendors which are making these products are still in their infancy.

“Most of the major providers such as Tenable and FireEye were founded in the mid 00’s which is young in terms of software houses. This is reflected in their offerings – they lack full-feature sets that link the products to the business processes that they support,” said James.

Mass consolidation, mergers, and acquisitions are likely to improve the state of the security tooling market over the coming years.

“We have already seen big companies snapping up boutique products and ingesting them into their own portfolios. Microsoft’s acquisition of Hexadite and Cisco’s acquisition of CloudLock are two notable examples,” said James.

The future cyber security landscape

Of course, technology will never be a panacea for cyber security problems. Even though automated actions can be undertaken, in most cases organisations will want to investigate problems identified by analytics before taking corrective action. The investigation requires research, testing, and possibly even interviews for internal threats – all of which involve human experts.

The most effective cyber security environments will inevitably be complex hybrids of human and machine intelligence. Interactions between analytics-driven alerts, automated actions and human inputs will be crucial for effective security.

“It is human attackers that gave rise to the need to have human defenders; until the point in time comes when a machine can truly think like a human, I believe there will always be the need for human interaction. And when the day that machines can think like a human does come, I think we will have much greater concerns than job losses!” said James.

Organisations in both public and private sectors are now using analytics and, to a lesser degree, automation to improve their security systems. While there may be some doubt about when such technologies will fully mature, their necessity becomes clearer with every major cyber attack.