In November 2013 hackers who had earlier broken into the servers of the Target retail chain uploaded malware to allow credit card data they wanted to steal to be forwarded outside the company.
According to Bloomberg News, Target’s new FireEye detection software discovered the malware and sent an alert to security teams.
What should have been a triumph of analytics evapourated as this and other alerts were apparently ignored. Meanwhile tens of millions of names, addresses, phone numbers and payment card data flowed out of the retailer.
CISOs have known for some time that they need technology to help them fight attackers, who have time and money on their side. Yet despite a huge effort in recent years by the industry progress has been slow — sometimes, as in the case of Target, impeded by people.
As a former FBI agent told a Toronto conference last month, it’s a recurring theme in many large data breaches: The warnings are there but somehow they don’t get seen and acted on.
“Although analytics is the future we’re long way from having real ability to do useful analytics for security,” says John Kindervag, enterprise security analyst at Forrester Research.
Others are more hopeful. In a recent interview Scott Zoldi, the newly-promoted chief analytics officer at the predictive analytics company FICO (Fair Isaac Corporation), talked about how the firm is leveraging its fraud detection technology into an upcoming cybersecurity solution to help improve protection.
“One of the challenges in cyber is the data is constantly changing, the attacks are constantly morphing and there is a need for analytics to learn on the fly,” he said. “We generally call that streaming analytics — which essentially means your not going to build a model on last year’s threat data because you know that attack patterns are changing.”
So the stream of data (which includes Netflow information, DNS information, DHCP changes, ICMP records etc.) builds up what’s called a transaction behavioral profile that describe typical use of a device or traffic out of a device, such as the times of the day when it’s active, what sites it goes to and in what countries. From that the software can see a deviation in the pattern.
The analytics build a model to produce a score that infosec pros can use for making decisions — some of which can be automated.
FICO’s upcoming cybersecurity solution will add deep packet inspection from other vendors’ solutions to create the score.
“There is a move in the industry and by FICO and to make these some of these analytics a lot more easy for a business or technology owner who may not have a set of data scientists to work with,” Zolti added — for example there’s an automated modeler in FICO’s Decision Management suite that lets a user point at data and tags around transactions, push a button and it generates a model.
In theory, security information and event management (SIEM) suites, as the funnels through which a lot of log, flow and packet data pour, and intrusion detection solutions should be a great source of analytics and automation. Instead, the false positives they sometimes generate lull IT security teams into a doze.
Case in point: Target.
Forrester’s Kindervag argues the solution is a more automated threat response process based on developing a set of cyber “rules of engagement” that will empower security and risk management professional teams to act more quickly to stop data breaches.
He co-authored a report a year ago that suggests analytics and automation can work hand in hand.
First the organization has to create a policy statement of its security needs. The security team translates that into a set of rules or configurations that can by used by an analytics engine processing device and network data. The engine (or, more accurately, software tools) generate a risk score the security team uses to automate a response.
For example, if the confidence level on the score is high and the potential impact level is also high, the declared security policy should dictate that security controls stop or automatically block suspicious traffic.
The business should determine the scale and thresholds that best fit their risk profile and appetite, the report adds.
“The only way to protect the exfiltration of our data by hackers and cybercriminals is to provide our security teams with a set of rules that will incentivize automated response,” it concludes.