In recent years, massive cyberattacks on companies such as Target, Sony and Anthem resulted in gargantuan amounts of stolen personal data and intellectual property, as have attacks on public institutions and government organizations. As these online attacks continue to show their potentially debilitating effects on commercial activities, companies have been forced to escalate cybersecurity risk management activities.
The three most frequently attacked industries are the public sector, information and financial services industries, according to the 2015 Verizon Data Breach Report. Of the 79,790 security incidents that were evaluated as part of the report's research, an astounding 50,315 took place in the public sector. The report cautions the reader to not give "much credence to the huge number for the public sector," because "… they handle a high volume of incidents (many of which fall under regulatory reporting requirements)." But even if only a small portion of those incidents -- 303 -- resulted in confirmed data loss, the impact associated with the time and effort to abide by regulations for incident reporting, threat assessment and follow-through no doubt created a significant burden on staff.
When there is a confirmed case of data exfiltration, the costs can rapidly spiral out of control. For example, consider the 2015 breaches of the U.S. Office of Personnel Management (OPM), in which records for more than 21 million individuals were stolen. Months later, the costs for remediation are still unclear, with estimates ranging from $133 million to as much as $330 million through fiscal year 2018. In response to the ongoing massive cybersecurity attacks on both commercial and public institutions, the U.S. Federal Government is passing legislation to offer legal liability protection for companies that share corporate cybersecurity data with federal investigators.
There is tremendous upside potential in developing better methods for identifying imminent cyberattacks and preventing data breaches. There are many points of vulnerability within an organization, but some of the more critical tasks for preventing exposure include identifying indicators of compromise, preventing phishing attacks and reducing exploitation of known vulnerabilities.
In each of these cases, analytics applications can be deployed to help analyze and inoculate against threats and improve cyberthreat protection.
Identify indicators of compromise
Identifying indicators of compromise requires monitoring network activities and access behaviors to identify known and suspicious patterns of access indicative of a breach. This helps detect denial-of-service attacks, data leakage and disclosure, website defacement or modification, and cyber espionage or data extraction. In larger organizations, there are many network access points that may be targeted. Cybersecurity risk management and analysis efforts must scan data streams comprising network activity from all potential points of failure.
These prevention utilities combine two types of cybersecurity risk analysis. The first analyzes historical data to identify the behavior patterns that preceded a known cybersecurity event. The second uses the discovered behavior patterns as input to scan ongoing network logs for matches against patterns of suspicious activity. In essence, cybersecurity analytics applications must consume massive amounts of data from many different high-speed streams. This will include a wide variety of structures, formats and content, including web transaction logs, DNS attacks, NetFlow, alerts, configuration data, email messages that are embedded with viruses and worms, images and social networking data.
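The two-phase approach above, as an added example that is not part of the original article: a baseline of per-host transfer sizes and known destinations is learned from constructed historical records, and live records are then scanned for volume anomalies, new destinations and unknown hosts. Host names, addresses and byte counts are all constructed sample data.

```python
import statistics
from collections import defaultdict

# Constructed historical outbound-transfer records: (host, destination, bytes sent).
HISTORICAL = [
    ("ws-01", "10.0.0.5", 1200), ("ws-01", "10.0.0.5", 1500),
    ("ws-01", "10.0.0.5", 1100), ("ws-01", "10.0.0.5", 1300),
    ("ws-02", "10.0.0.5", 800), ("ws-02", "10.0.0.6", 950),
    ("ws-02", "10.0.0.5", 870), ("ws-02", "10.0.0.6", 910),
]

# Constructed live records to be scanned against the baseline.
LIVE = [
    ("ws-01", "10.0.0.5", 2000),     # far above ws-01's usual transfer size
    ("ws-02", "203.0.113.9", 900),   # destination never seen for ws-02
    ("ws-02", "10.0.0.5", 900),      # normal
    ("ws-03", "10.0.0.5", 100),      # host absent from historical data
]


def build_baseline(records):
    """Phase 1: learn each host's normal transfer size and set of known destinations."""
    sizes, dests = defaultdict(list), defaultdict(set)
    for host, dst, nbytes in records:
        sizes[host].append(nbytes)
        dests[host].add(dst)
    baseline = {}
    for host, values in sizes.items():
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        baseline[host] = {"mean": statistics.mean(values), "stdev": stdev, "dests": dests[host]}
    return baseline


def scan(records, baseline, z=3.0):
    """Phase 2: flag live records that deviate from the learned baseline.

    Returns (host, destination, reason) tuples; a record can raise more than one reason.
    """
    findings = []
    for host, dst, nbytes in records:
        profile = baseline.get(host)
        if profile is None:
            findings.append((host, dst, "unknown host"))
            continue
        if dst not in profile["dests"]:
            findings.append((host, dst, "new destination"))
        # Simple z-score threshold on transfer size; tune z to the environment's noise level.
        if nbytes > profile["mean"] + z * profile["stdev"]:
            findings.append((host, dst, "volume anomaly"))
    return findings
```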
Prevent phishing attacks
Phishing has evolved from simple email messages demanding that the reader take immediate action, to those directing the reader to a fake Web page doctored to look like a reputable institution, such as a bank or e-commerce company. Modern phishing attacks are now intended to install malware within the firewall to establish a launch point for more insidious corporate espionage and data exfiltration.
One mode of prevention is preemptive detection of phishing messages. A good method to reduce the impacts of phishing is to apply text analytics to incoming email messages. By identifying text patterns that appear frequently in phishing messages, companies can use predictive analysis to scan incoming email to determine each message's probability of being a phishing email.
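The text-analytics approach just described, as an added example that is not from the original article: a naive Bayes model over word presence is trained on a small constructed set of labelled messages and then scores an incoming message with a phishing probability. The training messages and the wording they contain are constructed, and a real deployment would train on a large corpus of reported email.

```python
import math
import re
from collections import Counter

# Constructed, labelled training messages: 1 = phishing, 0 = legitimate.
TRAINING = [
    ("urgent: verify your account now or it will be suspended, click the link", 1),
    ("your password expires today, confirm your login details immediately", 1),
    ("security alert: unusual sign-in, verify your identity at the link below", 1),
    ("please confirm your payment details to avoid account suspension", 1),
    ("agenda for the quarterly planning meeting is attached", 0),
    ("lunch on thursday? the new place on main street", 0),
    ("draft of the budget spreadsheet for your review", 0),
    ("reminder: the team offsite is next friday, bring the slides", 0),
]


def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())


def train(messages):
    """Count, per class, how many messages each word appears in (binary presence)."""
    counts = {0: Counter(), 1: Counter()}
    docs = Counter()
    for text, label in messages:
        docs[label] += 1
        counts[label].update(set(tokenize(text)))
    return {"counts": counts, "docs": docs, "vocab": set(counts[0]) | set(counts[1])}


def phishing_probability(model, text):
    """Return P(phishing | text) from a Bernoulli naive Bayes over word presence."""
    counts, docs, vocab = model["counts"], model["docs"], model["vocab"]
    tokens = set(tokenize(text))
    log_odds = math.log(docs[1] / docs[0])  # class prior
    for word in vocab:
        # Laplace-smoothed probability that the word appears in a message of each class.
        p1 = (counts[1][word] + 1) / (docs[1] + 2)
        p0 = (counts[0][word] + 1) / (docs[0] + 2)
        if word in tokens:
            log_odds += math.log(p1 / p0)
        else:
            log_odds += math.log((1 - p1) / (1 - p0))
    return 1 / (1 + math.exp(-log_odds))


MODEL = train(TRAINING)


def is_phishing(text, threshold=0.5):
    return phishing_probability(MODEL, text) >= threshold
```

Words not seen in training are ignored by the scorer, so the vocabulary has to be refreshed as phishing wording changes.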
Reduce exploitation of known vulnerabilities
Another surprising revelation from the Verizon Data Breach Report was that in a significant number of system exploitations, a software "patch had been available for months prior to the breach." This means that even though a vulnerability was identified and a fix was developed, the attacked organizations had not installed the patch.
Reducing exploitation of known vulnerabilities should be straightforward, but the combination of a massive number of deployed system instances across the enterprise with the absence of a comprehensive view of those systems' current security patch status is a big impediment to applying patches in a timely manner.
To address this risk, companies can devise a data warehouse designed to report on and facilitate patch management. Timely reports that identify where known risks have not been patched can trigger remediation tasks and reduce exposure.
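A minimal version of the patch-status warehouse and report described above, as an added example that is not from the original article: an in-memory SQLite database holds a constructed asset inventory and advisory list, and one query returns every asset still below an advisory's fixed build once the patch has been available longer than a grace period. Host names, product names, build numbers, dates and the ADV-EXAMPLE-* advisory identifiers are all placeholders.

```python
import sqlite3

# Constructed asset inventory: (hostname, product, installed build).
ASSETS = [
    ("web-01", "webserver", 118), ("web-02", "webserver", 124),
    ("db-01", "dbengine", 42), ("app-01", "appframework", 7),
]

# Constructed advisories: (placeholder advisory id, product, first fixed build, patch release date).
ADVISORIES = [
    ("ADV-EXAMPLE-1", "webserver", 120, "2015-06-01"),
    ("ADV-EXAMPLE-2", "dbengine", 45, "2015-09-20"),
    ("ADV-EXAMPLE-3", "appframework", 7, "2015-03-15"),
]


def load_warehouse(assets=ASSETS, advisories=ADVISORIES):
    """Build the two warehouse tables in memory and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE assets (hostname TEXT, product TEXT, build INTEGER);
        CREATE TABLE advisories (advisory TEXT, product TEXT,
                                 fixed_build INTEGER, released_on TEXT);
    """)
    db.executemany("INSERT INTO assets VALUES (?, ?, ?)", assets)
    db.executemany("INSERT INTO advisories VALUES (?, ?, ?, ?)", advisories)
    return db


def overdue_patches(db, as_of, grace_days=30):
    """Assets below an advisory's fixed build whose patch has been out longer than grace_days.

    Rows: (hostname, advisory, installed build, fixed build, days the patch has been available),
    most overdue first. as_of is an ISO date so the report is reproducible.
    """
    return db.execute("""
        SELECT a.hostname, adv.advisory, a.build, adv.fixed_build,
               CAST(julianday(?) - julianday(adv.released_on) AS INTEGER) AS days_available
        FROM assets a
        JOIN advisories adv ON adv.product = a.product
        WHERE a.build < adv.fixed_build
          AND julianday(?) - julianday(adv.released_on) > ?
        ORDER BY days_available DESC
    """, (as_of, as_of, grace_days)).fetchall()
```

Assets inside the grace window are deliberately left off this report; a second query with grace_days=0 lists everything unpatched regardless of age.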
These are just three examples where reporting and analytics tools can be used to devise processes to assess and consequently manage cybersecurity risk. Whether it's using querying and reporting tools to reflect the status of known vulnerabilities or using analytical models for breach prediction, cybersecurity risk management analytics offer immediate value by identifying emerging patterns of suspicious behavior.