In the past, security breaches were viewed as a single event occurring at a certain point in time. However, this is no longer the case. Security threats now rarely occur as singular events, and a new kind of attack is on the rise: Advanced Persistent Threats (APTs). An APT is a network attack in which an unauthorized person or device gains access to a network and, instead of immediately stealing data or damaging infrastructure, stays there for a long period of time, remaining undetected. It could even originate from a device or person with proper security clearance, thus appearing as normal activity. These attacks are much harder to detect because they are typically small in scope, focus on very specific targets (usually in nontechnical departments, where security threats are less likely to be noticed or reported), and occur over a period of weeks or even months.
In 2014, RSA, a cybersecurity company, was called into the U.S. government's Office of Personnel Management to fix a low-level problem. Upon arrival, RSA discovered that there were intruders in the organization's network, and that they had been there for over six months, routinely stealing data in an organized yet inconspicuous manner. If not for the coincidental security check by RSA, the organization would never have noticed the breach. Ironically, the door into the system was unwittingly opened by an employee who accidentally downloaded malware from a spear-phishing attack, much like the Google Docs cyber attack that took place in May. The employee was quickly informed and asked to change his password; he and his employer thought the breach ended there, but it continued for months undetected.
As security breaches increase in complexity and become harder to see, organizations must rely on analytics to uncover new insights, make intelligent decisions, and prevent these attacks before they happen. Fortunately, with the rise of big data analytics, companies now have the tools to craft a more holistic view of their networks, shifting from examining singular events to monitoring their entire timeline of activity and selecting various snapshots to analyze further.
This technology is already being developed in ways that are directly marketable to large enterprises. Subscription-based data center analytics tools can now provide data center visibility and insight at unprecedented levels of specificity, with capabilities for application behavior-based analytics and monitoring of behavior deviations in the system. This is made possible by big data technologies that store data, provide real-time analysis, and extract actionable insights, which can then be used to make intelligent strategic decisions.
With such capabilities, enterprises can now examine network activity before, during, and after a security breach in order to gain new insights. One possible application of these insights is the benchmarking of network activity. If enterprises can leverage analytics to establish activity baselines for every device or IP address on their network, this can be used to track outliers, spot odd trends, and uncover new insights.
While these insights, on their own, could realize additional value for the company, they could also be analyzed in relation to security breaches or attacks as a preventive measure for the future. For example, if the Office of Personnel Management had enough data on network activity to establish baselines for internet traffic for every user in their system, this would have been enough to flag the intruders who were transferring out gigabytes of data: a stark deviation in behavior, as most employees would only have to send a few megabytes of data each month. Analytics could also identify other key activities occurring at times of high internet traffic. High traffic that does not correspond to any known organizational activity could also be a red flag. If data analytics reveal consistent server activity at a time when employees should not be active, such as in the middle of the night on Saturdays, this could raise flags and prompt increased defensive measures. If these activity times correlate with significant events in other time zones around the world, this could also help narrow down potential suspects.
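As an added illustration (not code from the original post), the two checks described above on constructed records: each user's monthly outbound volume compared against that same user's baseline from earlier months, and a separate sweep for activity on weekends or in the small hours. The user names, timestamps and byte counts are constructed sample data, and the tenfold threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress records (not real data): user, ISO timestamp, bytes out.
# March rows are the learning period; April rows are the period under review.
LOG_LINES = """\
alice 2014-03-03T10:15:00 1200000
alice 2014-03-10T11:02:00 900000
alice 2014-03-17T09:40:00 1500000
bob 2014-03-03T09:00:00 3000000
bob 2014-03-11T16:30:00 2500000
bob 2014-03-18T10:10:00 2800000
alice 2014-04-07T10:20:00 1300000
bob 2014-04-05T03:12:00 4200000000
"""

def parse(text):
    """Turn 'user timestamp bytes' lines into (user, datetime, int) tuples."""
    return [(u, datetime.fromisoformat(t), int(b))
            for u, t, b in (line.split() for line in text.strip().splitlines())]

def flag_volume_outliers(records, review_month, factor=10):
    """Per-user baseline = median of monthly egress totals from months before
    review_month; flag users whose review_month total exceeds factor * baseline."""
    totals = defaultdict(int)                       # (user, "YYYY-MM") -> bytes
    for user, ts, nbytes in records:
        totals[(user, ts.strftime("%Y-%m"))] += nbytes
    history = defaultdict(list)
    for (user, month), total in totals.items():
        if month < review_month:                    # "YYYY-MM" strings sort by date
            history[user].append(total)
    flagged = {}
    for (user, month), total in totals.items():
        if month == review_month and user in history:   # no history: needs its own policy
            baseline = median(history[user])
            if total > factor * baseline:
                flagged[user] = (total, baseline)
    return flagged

def off_hours_events(records, night_end_hour=6):
    """Events on a weekend or between midnight and night_end_hour, when staff
    should be idle; each one is a candidate for review, not proof of intrusion."""
    return [(user, ts) for user, ts, _ in records
            if ts.weekday() >= 5 or ts.hour < night_end_hour]

if __name__ == "__main__":
    recs = parse(LOG_LINES)
    print(flag_volume_outliers(recs, "2014-04"))   # bob: 4.2 GB against an 8.3 MB baseline
    print(off_hours_events(recs))                   # bob, Saturday 03:12
```

With a single learning month the median is just that month's total; in practice several months of history per user are needed before the baseline means much.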
If used properly, analytics can shed more light on cyber attacks, and organizations can use that same data to help predict and prevent future attacks. We might not yet have the ability to fully eliminate the risk of security breaches, but with the help of big data analytics we can stay one step ahead of the attackers, which for now is a step in the right direction.