In cyber security, the use of analytics is a relatively young area. During the RSA Conference 2017 Asia Pacific & Japan, Symantec's Chief Technology Officer, Dr Hugh Thompson, spoke to the crowd about analytics. His message to the cyber security community was simple: understand the full range of possibilities with analytics. We figured we would get started on that by sharing some potential crossover lessons from the private sector that could be applied to cyber security as a practice. This is meant to start an informed brainstorming session.
Business Context of Analytics
Analytics has been an integral part of business for a long time, one could argue since its inception; this is commonly referred to as business intelligence. However, it is really only in the last 23 years, since the internet took a turn towards commercialization, that ongoing business intelligence systems beyond finance became an affordable practice. The collection, integration, analysis, and presentation of data is nothing new for businesses, though. Prior to the boom of information technology, processes and systems were already in place to support business intelligence; they were just a lot more expensive and slower. Over the years business intelligence has given businesses the ability to make insightful decisions, optimize processes, improve efficiency, create new business models, identify market trends, and predict market shifts. The core practices are simple: data mining, analytical processing, querying, and reporting.
The benefits of analytics for business have been remarkable, but only because a strong practice of it already existed beforehand. Information technology has simply made analytics more accessible and efficient, so the creativity seen today is built on decades of experience. Current practice for business intelligence includes developing deep insights, identifying root causes, assessing market competition, and managing risk. All sound simple, but each area involves a wealth of work. Cyber security, on the other hand, faces some challenges when applying analytics.
Analytics in Cyber Security
Data analysis in cyber security is not necessarily new. Log data has often been the cornerstone of post-event analysis: with it, cyber security researchers are able to analyze system events and determine what exactly happened. The current state of analytics in cyber security is using log data to establish a baseline of user and network behavior, then tracking deviations from that baseline. This could be called humanistic AI, since it uses machine learning to aid a human expert in making a security decision. However, this is the most advanced of cyber security arrangements. What if the insights we gain could reach beyond the incident level? This is what Dr. Thompson meant when he discussed analytics at the RSA Conference.
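To make the "baseline, then track deviations" idea concrete, here is an added example (our own illustration, not code from the post or from Symantec). It assumes a constructed authentication log with one event per line, a hypothetical cut-off date separating the baseline window from the observation window, and a simple per-user baseline of daily login counts and known source addresses; the alert thresholds are assumptions chosen for the sample data. The point it adds beyond the text is where a human expert still has to step in: a user with no history gets a "review" finding rather than a statistical verdict.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system). Lines before
# BASELINE_END form the baseline window; later lines are the observation window.
SAMPLE_LOG = """\
2017-07-03T08:55:10Z user=alice src=10.0.0.5
2017-07-03T17:02:41Z user=alice src=10.0.0.5
2017-07-03T09:10:00Z user=bob src=10.0.0.8
2017-07-04T08:58:22Z user=alice src=10.0.0.5
2017-07-04T16:40:05Z user=alice src=10.0.0.5
2017-07-04T09:12:30Z user=bob src=10.0.0.8
2017-07-05T09:01:11Z user=alice src=10.0.0.5
2017-07-05T17:15:49Z user=alice src=10.0.0.5
2017-07-05T08:59:02Z user=bob src=10.0.0.8
this line is malformed and must be skipped
2017-07-10T08:50:00Z user=alice src=10.0.0.5
2017-07-10T10:05:12Z user=alice src=10.0.0.5
2017-07-10T12:30:45Z user=alice src=10.0.0.5
2017-07-10T14:11:09Z user=alice src=10.0.0.5
2017-07-10T23:47:33Z user=alice src=203.0.113.9
2017-07-10T09:03:18Z user=bob src=10.0.0.8
2017-07-10T13:22:51Z user=bob src=10.0.0.8
2017-07-11T09:00:00Z user=carol src=10.0.0.21
"""

BASELINE_END = datetime(2017, 7, 10)  # hypothetical cut-off between the two windows
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def build_baseline(events, baseline_end=BASELINE_END):
    """Per-user baseline from events before baseline_end: mean and population
    std-dev of daily login counts, plus the set of source IPs seen."""
    daily = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for e in events:
        if e["ts"] >= baseline_end:
            continue
        daily[e["user"]][e["ts"].date()] += 1
        sources[e["user"]].add(e["src"])
    baseline = {}
    for user, per_day in daily.items():
        counts = list(per_day.values())
        baseline[user] = {
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
            "sources": sources[user],
        }
    return baseline


def find_deviations(events, baseline, baseline_end=BASELINE_END, k=2.0, min_delta=2):
    """Flag observation-window activity that departs from the baseline.
    volume:      daily logins above mean + k*stdev (and at least mean + min_delta,
                 so a perfectly regular user is not flagged by one extra login)
    new_source:  a login from an IP never seen for that user in the baseline
    no_baseline: a user with no history at all; needs analyst review, not a verdict"""
    daily = defaultdict(lambda: defaultdict(int))
    new_sources = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            continue
        user = e["user"]
        daily[user][e["ts"].date()] += 1
        if user in baseline and e["src"] not in baseline[user]["sources"]:
            new_sources[user].add(e["src"])
    findings = []
    for user, per_day in sorted(daily.items()):
        b = baseline.get(user)
        if b is None:
            findings.append({"user": user, "kind": "no_baseline", "detail": "no history in baseline window"})
            continue
        threshold = max(b["mean"] + k * b["stdev"], b["mean"] + min_delta)
        for day, count in sorted(per_day.items()):
            if count > threshold:
                findings.append({"user": user, "kind": "volume",
                                 "detail": f"{day}: {count} logins, threshold {threshold:.1f}"})
        for src in sorted(new_sources.get(user, ())):
            findings.append({"user": user, "kind": "new_source", "detail": src})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_deviations(evts, build_baseline(evts)):
        print(f"{f['user']:<6} {f['kind']:<12} {f['detail']}")
```

On the sample data, alice is flagged twice (a burst of logins on 10 July and a login from an address never seen in her baseline), bob is not flagged at all, and carol appears as a user with no baseline to compare against. The `min_delta` floor matters in practice: a user whose baseline is perfectly regular has a standard deviation of zero, and without the floor a single extra login would trip the volume check.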
Merging Two Worlds
In the business world there is constant use of analytics to gain a deeper understanding of internal and external environments, conditions, and context so that better decisions can be made. The key link between business intelligence and cyber security is the convergence of strategic goals. For cyber security, this will mean exploring beyond just incident prevention and response. Here are just a few areas where expanding analytics beyond incident response could help improve cyber security.
When trying to extract insights from business intelligence and log data, one useful question to ask is: what were the business and market conditions during an incident? This question forces the cyber security expert to examine the network and the business in another light, beyond what is in the log files. This is likely something the cyber security expert would have to get from either marketing or finance. Building an analysis framework that integrates these various data sets would provide information such as which market conditions cause hackers to try to attack businesses.
Security Risk Profiling
Companies grow and contract, and it is important to understand how insiders operate during these periods. The beauty of analytics is the ability to provide both a historical and a live view of behavior over time. The key question to ask here: are insiders practicing good security during both periods of growth and contraction? As work ramps up during growth, insiders may look for shortcuts or simply become more negligent. This presents a people-based vulnerability which may be visible to a malicious manager or employee.
Beyond security incident reports, cyber security experts need to integrate their data with business intelligence systems. By applying the security perspective to market analysis, operational efficiency, and process analysis, managers will gain more appreciation for the value of risk mitigation that cyber security provides in their organizations.
The cyber security sector still has a long way to go in using analytics in a wider context. The advances made in incident prevention and response over the years have been amazing. However, with more data and information available now, security can be analyzed beyond log data alone. What other ways can you think of for the cyber security industry to leverage analytics for better security outcomes?