Countering Cyber Attacks with Big Data and Analytics
June 2015
Frost & Sullivan Analysis by
Sandy Borthick
Big Data & Analytics (BDA)
Table of Contents
Executive Summary ... 4
Introduction ... 5
Why Is Enterprise Security So Complicated? ... 6
How Can Big Data and Analytics Be Used to Improve Enterprise Security? ... 7
Big Data and Analytic Technologies for Heterogeneous Data ... 8
Data-Oriented Challenges in Enterprise Security ... 10
Improving Threat and Vulnerability Intelligence ... 11
Next Steps for Buyers and Sellers ... 17
The Last Word ... 18
List of Figures
Exhibit 1: Big Data & Analytics Basic Value Proposition ... 4
Exhibit 2: Common Enterprise Security Controls and Their Vulnerabilities ... 6
Exhibit 3: Simplified Big Data Analytics Reference Architecture ... 9
Exhibit 4: STIX Nodes and Edges ... 12
Exhibit 5: STIX Utilization for Threat Assessment and Mitigation ... 13
Exhibit 6: Solutionary’s ActiveGuard Platform ... 14
Exhibit 7: Recorded Future’s Event Processing ... 15
Executive Summary
Organizations are challenged today as never before to protect their information assets, as well as the underlying networks and services that gather, store, process, and transmit this information. The same better, faster, cheaper information and communication technologies (ICT) that promise to make organizations more successful also present new means, motive, and opportunity to those who would steal information and use it for their own purposes. The most malicious actors are laser-focused on expanding and monetizing their hacking exploits, while legitimate organizations must balance their security concerns against their other important objectives.
Most organizations deal with attacks, for the most part successfully, on a number of fronts. For example, they manage end user access to applications and data stores with authentication and authorization controls. Networks are secured by virtue of tunneling and encryption protocols, and through the use of firewalls, gateways, and intrusion detection systems. Many large enterprises also have built, or contracted with service providers to operate, 24/7 security operations centers (SOCs), equipped with security information and event management systems (SIEMs) and staffed by trained personnel.
Unfortunately, current security solutions are simply not sufficient to protect organizations, especially from cyber-attacks based on advanced persistent threats (APTs). These attacks are typically triggered months after hackers compromise legacy security systems, infiltrate corporate networks and gradually gather the credentials they need to steal the target data.
Meanwhile, well-meaning industry associations and government regulators have muddied the waters, issuing policies and compliance certifications that assuage stakeholder concerns without actually stopping these high-profile data breaches. As disturbing as it is to consider how easily existing vulnerabilities continue to be exploited, and how much information has already been stolen, there is every reason to hope that advancements in ICT can become part of the security solution, rather than another vector subject to attack.
For example, as shown in Exhibit 1, modern database technologies (Big Data) and advanced analytics offer the same compelling value proposition for security as they do for other business applications. Using these new solutions to gather more and better data about threats and vulnerabilities, and subjecting this data to more advanced analytics, will enable security practitioners to find new ways to protect and defend their corporate information assets.
Exhibit 1: Big Data & Analytics Basic Value Proposition
As the corollary indicates, however, organizations will need more than new BDA-enabled tools—they will need to stop treating security as a stand-alone function, and adjust business practices accordingly. This report sketches the scope of today’s security challenges, and the ways in which BDA capabilities can improve current systems, especially with regard to improved threat and vulnerability intelligence. Buyers and sellers of security products and services will benefit from this report, as well as those with a more general interest in the security use cases for Big Data and analytics.
Introduction[1]
In 2012, Robert Mueller, who was then the director of the US Federal Bureau of Investigation, told security conference attendees that cyber criminals pose as significant a threat as cyber terrorists, stressing that, “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.”[2]
Since then, cyber criminals have been stealing massive amounts of consumer data from a variety of organizations, and now those thefts are beginning to pay off. For example, thieves recently grabbed $ billion in tax refunds by filing fraudulent income tax returns with the US Internal Revenue Service. To make the scam work, IRS Commissioner John Koskinen said the thieves combined standard identity data with the answers to security questions or other “out of wallet” information, which had likely been retrieved from public Web sites and social media. This combination allowed the thieves to impersonate real taxpayers, download copies of their prior tax returns using an IRS service designed for this purpose, and file the fraudulent returns.[3]
While the IRS noted that only about of the estimated million prior tax return downloads were fraudulent, and that an investigation is underway, this event signals a troubling and costly escalation in the impact of cyber-attacks. No longer can breached organizations simply patch their vulnerabilities, apologize for the inconvenience, and make it up to victims with free credit monitoring. Now they must anticipate cyber-attacks that will extract cash.
The implication is clear: organizations must improve their security. But what exactly does that mean, and how exactly ought they to proceed? As always, the answer is deceptively simple: a combination of better technology and better business processes. The following sections of this report explain why current vulnerabilities are so intractable, and the extent to which evolving applications of Big Data and analytics (BDA) will be able to help.
[1] Please note that the insights and opinions expressed in this assessment are those of Frost & Sullivan and have been developed through the Frost & Sullivan research and analysis process. These expressed insights and opinions do not necessarily reflect the views of the company executives interviewed.
[2] Reported by CNN Money on March 2, 2012 and available here: http://money.cnn.com/2012/03/02/technology/fbi_cybersecurity/index.htm?iid=EL
[3] Reported by Reuters on May 26, 2015 and available online here:
Why Is Enterprise Security So Complicated?
Most large organizations have a defense-in-depth policy; that is, they use multiple security systems and processes throughout their IT infrastructure to thwart inappropriate access to their informational assets. Many have a C-level security officer or director, but the management of these security systems and practices is typically the responsibility of the pertinent functional silos. For example, the facilities department handles physical security, the network department handles network security, the system and database administrators handle application and database security, and the human resource department is responsible for training end users on security best practices. In the event of a data breach, the finance, legal and public relations departments get involved to manage the impact on the organization’s customers, shareholders, and other affected parties. After the breach, a forensic investigation is typically undertaken (or contracted) at the C-level, to determine the attack specifics and recommend improved systems and procedures.
If each department is diligently focused on what it does best, how is it that these massive data thefts continue? Certainly, a big part of the problem has to do with keeping all the existing systems updated with the latest software and content (e.g., proper access permissions and levels of authorization for internal users, current subnet and proxy configurations, blacklists of known attackers); as well as monitoring and reacting to anomalous database and network traffic; and making sure that end users are frequently reminded to keep up their end of the protection (e.g., password integrity, file-sharing and remote-work hygiene). Exhibit 2 summarizes some of the capabilities and vulnerabilities associated with commonly used enterprise security controls.
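The monitoring task named in the paragraph above, watching for anomalous database traffic, in its simplest analytic form: compare each account's activity for the day against a baseline built from that account's own history and hand the deviations to an analyst. This is an added illustration written for this edit, not code or a method from the Frost & Sullivan report; the audit-log line format, the history values and the log lines are constructed, and the median-plus-MAD threshold is one common robust choice rather than anything the report prescribes.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit-log format for this example: "<timestamp> user=<name> db=<name> rows=<count>".
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) db=(?P<db>\w+) rows=(?P<rows>\d+)$")

# Constructed per-account history: total rows read on each of the previous seven days.
# In practice a SIEM or analytics platform would derive this from retained audit data.
HISTORY = {
    "alice": [120, 135, 110, 128, 140, 125, 130],
    "bob": [40, 55, 38, 60, 45, 50, 42],
    "svc_report": [5000, 5200, 4900, 5100, 5050, 4950, 5150],
}

# Constructed audit lines for the day under review. "mallory" has no history at all.
TODAYS_LOG = """\
2015-06-01T09:00:01 user=alice db=crm rows=60
2015-06-01T11:15:42 user=alice db=crm rows=70
2015-06-01T09:05:10 user=bob db=crm rows=20
2015-06-01T14:22:03 user=bob db=crm rows=3000
2015-06-01T02:00:00 user=svc_report db=crm rows=5100
2015-06-01T03:40:19 user=mallory db=crm rows=800
this line is malformed and must not abort the run
""".splitlines()


def parse_rows_per_user(lines):
    """Sum the rows returned per account, skipping lines that do not match the format."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            totals[m["user"]] += int(m["rows"])
    return dict(totals)


def robust_threshold(samples, k=3.0):
    """Median plus k times the median absolute deviation (MAD).

    Unlike mean and standard deviation, these are not dragged upward by a few
    unusually busy days in the history, so a genuine spike still stands out.
    """
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    # A perfectly flat history gives MAD 0, which would flag any change at all;
    # fall back to 10% of the median so the threshold stays meaningful.
    spread = mad if mad > 0 else 0.1 * med
    return med + k * spread


def find_anomalies(history, lines, k=3.0):
    """Return {account: reason} for accounts whose daily volume needs analyst review."""
    findings = {}
    for user, rows in sorted(parse_rows_per_user(lines).items()):
        past = history.get(user)
        if not past:
            findings[user] = "no baseline"  # new or dormant account reading data
        elif rows > robust_threshold(past, k):
            findings[user] = "exceeds baseline"
    return findings


if __name__ == "__main__":
    for user, reason in find_anomalies(HISTORY, TODAYS_LOG).items():
        print(f"{user}: {reason}")
```

On the constructed data, the high-volume service account is not flagged because its own history is high, the interactive user who suddenly reads thousands of rows is, and the account with no history at all is surfaced separately rather than silently passed, since an account that has never read data before is exactly the case a baseline cannot vouch for.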
Exhibit 2: Common Enterprise Security Controls and Their Vulnerabilities
User level – Controls: access, authentication, encryption. Vulnerabilities: password and encryption weaknesses, unsafe practices.
Network level – Controls: subnets, tunnels, hashing, encryption, firewalls, gateways, proxies. Vulnerabilities: man-in-the-middle, traffic injection, denial of service.
Application level – Controls: access, authentication, authorization. Vulnerabilities: out-of-date or incomplete controls, buffer overflows.
Data level – Controls: hashing, masking, tokenization, encryption. Vulnerabilities: weak or breakable
Source: Frost & Sullivan
Even though organizations strive mightily to maintain their security systems and process controls at their optimum levels of currency and effectiveness, the overall security of the organization’s