Cyber-detectives chase cyber-criminals armed with Big Data
by Kishore Jethanandani
Cyber-security in enterprises is caught in a dangerous time warp—the long-held assumption that the invaluable information assets of companies can be cordoned off within a perimeter, protected by firewalls, no longer holds. The perimeter is porous: its countless access points serve a mobile and distributed workforce and partners’ networks, which hold remote access rights to corporate data via the cloud.
Mobile endpoints and their use of the cloud for sharing corporate data have been found to be the most vulnerable conduit that cyber-criminals exploit for launching the most sophisticated attacks (advanced persistent threats) intended to steal intellectual property. The Ponemon Institute’s survey of cyber-security attacks, over twenty-four months, found that 71 percent of companies reported that endpoint security risks are the most difficult to mitigate. The use of multiple mobile devices to access the corporate network was reported to be the highest risk, with 60 percent reporting so. Another 50 percent considered the use of personal mobile devices for work-related activity to be the highest risk. The second most important class of IT risks was considered to be third-party cloud applications, with 66 percent reporting so. The third IT risk of greatest concern was reported to be advanced persistent threats.
In an environment of pervasive vulnerabilities, enterprises are learning to remain vigilant about anomalous behavior pointing to an impending attack from criminals. “Behavioral patterns that do not conform to the normal rhythm of daily activity, often concurrent with large volumes of traffic, are the hallmarks of a cyber-criminal,” Dr. Vincent Berk, CEO and co-founder of Flowtraq, a Big Data cyber-security firm that specializes in identifying behavioral patterns of cyber-criminals, told us. “A tell-tale sign of an imminent cyber attack is unexpected network reconnaissance activity,” he informed us. Human beings need to correlate several clues emerging from the data analysis before drawing conclusions because criminals learn new ways to evade surveillance.
Enterprises now recognize the importance of learning to identify the “fingerprints” of cyber-criminals from their behavior. A 2014 survey by PricewaterhouseCoopers found that 20 percent of the respondents see security information and event management tools as a priority, and an equal number see event correlation as a priority. These technologies help to recognize the behavioral patterns of cyber-criminals.
“Scalability of Big Data solutions to identify the behavior of cyber-criminals is the most daunting challenge,” Dr. Vincent Berk told us. “We extract data from routers and switches anywhere in the pathway of data flows in and out of the extended enterprise,” he explained to us. “The fluidity of enterprise networks today, with increasing virtualization and recourse to the cloud, makes it challenging to track them,” he informed us. “Additionally, mergers and acquisitions add to the complexity as more routers and switches have to be identified and monitored,” he explained to us.
Dr. Berk underscored the importance of avoiding false positives, which could lead to denial of access to legitimate users of the network and interruption of business activity. “Ideally, we want to monitor at a more granular level, including the patterns of activity on each device in use, and any departures from the norm, to avoid false positives,” he told us. The filter of human intelligence is still needed to isolate false positives.
“Granular monitoring is more accurate and has uncovered sophisticated intruders who hide inside virtualized private networks (VPNs) or encrypted data flows,” Dr. Berk revealed to us. Often, these sophisticated attackers have been there for years unnoticed. “The VPNs and the encryption are not cracked but the data is analyzed to understand why they are in the network,” Dr. Berk explained to us.
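The flow-level behavioral checks the article describes, as an added example that is not Flowtraq’s code or anything from the interview: it builds a per-device baseline of hourly bytes from constructed flow records (the addresses, ports and byte counts are made up), then flags a device whose volume departs from its own norm or whose fan-out across distinct destination/port pairs resembles reconnaissance. Only flow metadata is used, so nothing needs to be decrypted; the thresholds are assumptions, not tuned values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (hour, src, dst, dst_port, bytes): flow metadata
# only, no payload, so the same checks apply to encrypted or VPN traffic.
BASELINE_FLOWS = (
    [(h, "10.0.0.5", "10.0.1.20", 443, 50_000 + (h % 3) * 1_000) for h in range(24)]
    + [(h, "10.0.0.7", "10.0.1.21", 443, 20_000 + (h % 3) * 500) for h in range(24)]
    + [(h, "10.0.0.9", "10.0.1.30", 445, 8_000 + (h % 4) * 1_000) for h in range(24)]
)
RECENT_FLOWS = [
    (25, "10.0.0.5", "10.0.1.20", 443, 52_000),   # within its own norm
    (25, "10.0.0.7", "10.0.1.21", 443, 200_000),  # far above its norm
    (25, "10.0.0.9", "10.0.1.30", 445, 9_000),    # normal volume, but...
] + [  # ...60 tiny flows touching 20 hosts x 3 ports: reconnaissance
    (25, "10.0.0.9", f"10.0.1.{i}", p, 10) for i in range(40, 60) for p in (22, 445, 3389)
]

def hourly_volume(flows):
    """Bytes sent per (src, hour)."""
    vol = defaultdict(int)
    for hour, src, _dst, _port, nbytes in flows:
        vol[(src, hour)] += nbytes
    return vol

def build_baseline(flows):
    """Per-device mean/std-dev of hourly bytes: each device is measured
    against its own rhythm rather than a single network-wide norm."""
    per_host = defaultdict(list)
    for (src, _hour), nbytes in hourly_volume(flows).items():
        per_host[src].append(nbytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_host.items()}

def detect(flows, baseline, z_limit=3.0, fanout_limit=25):
    """Return {src: [reasons]}; thresholds are illustrative, not tuned."""
    findings = defaultdict(list)
    for (src, _hour), nbytes in hourly_volume(flows).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        if sigma and abs(nbytes - mu) / sigma > z_limit:
            findings[src].append("volume")
    fanout = defaultdict(set)  # distinct (dst, port) pairs per source
    for _hour, src, dst, port, _n in flows:
        fanout[src].add((dst, port))
    for src, targets in fanout.items():
        if len(targets) > fanout_limit:
            findings[src].append("recon")
    return dict(findings)

if __name__ == "__main__":
    print(detect(RECENT_FLOWS, build_baseline(BASELINE_FLOWS)))
```

The scanning host is caught by fan-out alone, since its extra bytes are tiny relative to its own baseline, which is the kind of clue an analyst would still have to correlate with other evidence before acting.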
Cyber-security will increasingly be a battle of wits between intruders and the victims. Big Data analysis notwithstanding, cyber-criminals will find new ways to elude their hunters. The data analysis will provide clues about the ever changing methods used by cyber-criminals and means to guard against their attacks. The quality of human intelligence on either side will determine who wins.