Cyber Security Deja Vu
Sensors to Actionable Insight

Recently, while thinking about the cyber security challenges we face, one couldn't avoid thinking that this sounds like a problem solved before. Prior to 9-11, our country faced challenges with compartmentalization and a lack of situational awareness. America's enemies exploited gaps in defenses that included compartmentalization between agencies, and even alerts based on a single vector of information within an agency. The 9-11 report uncovered the fact that the government possessed enough information to piece together the threat to our homeland but failed to properly correlate the data to paint the whole picture. Based on the failures of 9-11, America created a data lake upon which the government can correlate data to avoid the failures that led to 9-11. The government also developed Government Open Source Software that interoperated on a common platform: not only did interoperability improve, but we actually saved billions on software licensing.

When looking at cyber security, many parallels exist to the challenges faced with physical threats before 9-11. Cyber security addresses the Confidentiality, Integrity, and Availability (CIA) of information systems against threats from outside the organization's boundaries, from inside the boundaries, and even from insider threats. Individuals take mobile devices outside the boundary carrying data that can damage the enterprise if lost. Often one cannot easily distinguish the good actors using the information system from the bad actors trying to take it down or steal data. Enemies also innovate, so defenses that worked years ago may not be effective today. In the recent Experian breach, hackers started the incursion a mere 2.5 days after the Struts 2 vulnerability hit the streets and still had access to compromised data over two months later. Think through the parallels that exist to physical threats against our country, against our operations outside our borders, and against the people within our borders.

Today most security tools deploy sensors with advanced signatures to detect threats. These sensors act only on the data they see, and attackers often know the signatures, so they can either barrage them with noise or work around them. Also, with the current setup, once an attack is understood it is hard to go back and replay those signatures to see where the attack occurred retroactively.

Big Data, while relatively absent from cyber security, can be used effectively to uncover similar threats to businesses, such as fraud, or even opportunities. Insurance and financial services companies reduce fraudulent payments in almost real time using big data. Businesses find that the more data they collect, the more insight they unlock. They can identify spending habits, thus identifying customers who would most likely purchase additional products, and even when they buy or via what medium. eBusinesses know that what sells on a smartphone at 2am isn't the same as what sells on a computer at 8pm, and even then extreme cold or precipitation impacts these habits. Businesses only establish these patterns by collecting data, creating relationships, and identifying patterns. One cannot do this using alerts, but only by indexing the real data.

If businesses can get so much valuable information from big data, why wouldn't they also use it for cyber security to identify abnormal patterns? Some may point out the use of big data concepts around logs, but has any sophisticated attack been thwarted by log data?

Unlike log data, the real data contains anomalies that can unlock patterns to better identify attackers. Typically during breaches one experiences unusual data flows, authentication patterns, a differing mix of protocols from standard operations, DNS activity, and configuration changes to disable security features or install malware. One also sees lots of similar activity during monthly patch cycles or application deployments. Today, because cyber lacks big data analytics, cyber analysts often cannot distinguish between normal and abnormal, but by using big data analytics one could distinguish the two relatively easily. This would also automatically tailor the cyber patterns to each company: since the patterns come from the data, different companies will show different patterns of normal.
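As an added illustration (not from the original article), the following sketch shows the baseline-versus-window idea described above: the organization's own indexed connection records define "normal" for protocol mix, authentication failures and DNS volume, and a review window is scored against that baseline rather than against a fixed signature. The records, hosts, thresholds and factors are all constructed assumptions, and because the baseline is built from stored records, the same check could be rerun over any past window.

```python
from collections import Counter

# Constructed connection records (not real traffic), one tuple per connection:
# (src_host, protocol, bytes_out, auth_ok). BASELINE stands in for weeks of
# indexed "normal" data; WINDOW is the period under review.
BASELINE = (
    [("ws-01", "https", 120_000, True)] * 40
    + [("ws-01", "dns", 300, True)] * 20
    + [("ws-01", "smb", 5_000, True)] * 10
    + [("ws-01", "ssh", 2_000, False)] * 2
)
WINDOW = (
    [("ws-01", "https", 110_000, True)] * 10
    + [("ws-01", "dns", 900, True)] * 60     # DNS chatter far above normal
    + [("ws-01", "ssh", 2_000, False)] * 15  # repeated failed logins
)

def protocol_mix(records):
    """Fraction of records per protocol: the organization's own 'normal'."""
    counts = Counter(r[1] for r in records)
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()}

def mix_distance(base, window):
    """Total variation distance between two mixes, 0.0 (identical) to 1.0."""
    protos = set(base) | set(window)
    return 0.5 * sum(abs(base.get(p, 0.0) - window.get(p, 0.0)) for p in protos)

def auth_failure_rate(records):
    return sum(1 for r in records if not r[3]) / len(records)

def dns_bytes_per_record(records):
    return sum(r[2] for r in records if r[1] == "dns") / len(records)

def score_window(baseline, window, mix_threshold=0.25, auth_factor=3.0, dns_factor=3.0):
    """Return anomaly labels; an empty list means the window resembles the baseline.
    Thresholds are assumed; a patch cycle would be handled by comparing against a
    baseline drawn from earlier patch windows rather than from ordinary weeks."""
    findings = []
    dist = mix_distance(protocol_mix(baseline), protocol_mix(window))
    if dist > mix_threshold:
        findings.append(f"protocol mix shifted (distance {dist:.2f})")
    base_fail, win_fail = auth_failure_rate(baseline), auth_failure_rate(window)
    if win_fail > auth_factor * max(base_fail, 0.01):
        findings.append(f"auth failure rate {win_fail:.2f} vs baseline {base_fail:.2f}")
    base_dns, win_dns = dns_bytes_per_record(baseline), dns_bytes_per_record(window)
    if win_dns > dns_factor * base_dns:
        findings.append(f"dns bytes per record {win_dns:.0f} vs baseline {base_dns:.0f}")
    return findings
```

Running `score_window(BASELINE, WINDOW)` yields three findings, while scoring the baseline against itself yields none, which is the per-organization tailoring the paragraph describes.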

Whichever firm comes up with the approach to use big data in cyber will transform the security industry. One can only hope this happens before most of our national intellectual property winds up in the possession of competitors.

More articles by Patrick Cronin