We all know (and have probably read an article like this) about how costly data breaches can be, and unfortunately there’s a steady supply of major hacks for us to cite. HBO, Equifax, Deloitte — the list will no doubt be added to in the coming days and weeks. But what can be done to change the narrative?
Cybersecurity professionals are doing incredibly valuable work to help us defend against the many threats out there, but the incremental improvement of existing techniques can only get us so far; a fundamental shift of approach is needed if we ever hope to stop the incidents and breaches that plague us today. Here we look at how we could harness the latest technology to detect threats earlier than ever before, allowing us to put the right defenses in place before hackers even strike.
The Threat Detection Challenge
Threat detection techniques have evolved considerably over the years; for a long time, signature-based technologies were standard, and they are still in widespread use. However, that methodology has a severe limitation in that we can only recognize known malware, so new versions easily slip through the net. Behavior analysis is often touted as the next big thing, but that too has its issues.
Yes, solutions that recognize attacks by first baselining normal network activity (known as ‘User and Entity Behavior Analytics’) can play an important role, but we cannot rely on them completely. For a start, there’s no guarantee that you weren’t already infected when you set up those baselines; Verizon’s security research found that more than 50% of data breaches in 2016 went undetected for months. And even those algorithms which instead use malware behavioral models can be fooled by the latest sophisticated strains, that morph in unpredictable ways.
It’s clear then that we need to be less reactive and more proactive when it comes to threat detection. If we can’t rely on spotting malicious code as it comes into contact with our system, then we need to find out where hackers are going to target, then harden those areas to stop them getting inside. What if by analyzing the wider cybersecurity climate, we could identify potential attacks before they even occur? That’s where predictive analytics comes in.
What Is Predictive Analytics?
Predictive analytics, as the name suggests, is all about making predictions about the future. By studying the data we have available, we can uncover patterns and relationships that allow us to determine what is likely to happen (what a customer might want for example), an ability that is incredibly useful in many different fields. Indeed it is already a well-established technique when it comes to the recommendation systems you find on Amazon and Netflix, who estimate that 75% of viewer activity is recommendation-driven.
And as the focus has shifted in the last few years from the capture and storage of big data to what we can actually do with it, other industries are taking notice too. The fact that 43% of US healthcare organizations are now using predictive analytics shows how it can be implemented even with a challenging dataset, while partnerships between IBM and law enforcement to develop ‘predictive policing’ provide a useful analogy of what we could achieve in cybersecurity — the idea being that officer patrol routes are informed by where crimes are predicted to occur. Indeed, one of the only positives about the prevalence of cybercrime is that there is a huge amount of available data out there; if we can learn to use that data to our advantage, we can stay one step ahead by forecasting the threats we are likely to face.
Threat Forecasting
The key thing to remember with predictive analytics is that it’s not only about using what happened in the past as a guide; what’s happening now is just as important. Other cybersecurity techniques may also provide threat predictions, but these predictions are based purely on historical data — certainly not ideal in this rapidly changing climate. It is only by combining the knowledge elements you have collected with up-to-date intelligence about threats in the wild that we can really achieve accurate forecasting.
You can of course gather some of that intelligence by analyzing your own incoming network connections, but that only provides a limited picture. We also need information from third-party sources, perhaps from a security vendor’s report or an industry-focused intelligence sharing group. More often nowadays it comes in the form of ‘threat intelligence feeds’, online sources (both free and paid) that can be subscribed to. Choosing the right feeds for your particular set-up is a complex task, one which requires some expert knowledge.
Even then, there’s still another issue left; how to make sense of all that potentially relevant data, spread across multiple disparate sources. To do that we need a machine learning-powered predictive analytics engine, complete with cognitive pipelining (a natural language processing technique), plus a whole bunch of computing power and terabyte-sized data storage capability. Sounds complicated — and it is — but recent advances mean it is now possible, and several companies are looking at bringing it to market in the near future.
Organizing Your Defenses
Possible yes, but why is all this worth it? Well, with the volume and variety of valuable online assets increasing all the time, organizations can no longer afford to harden every single node in the network against every possible threat — it’s simply not a viable option. However, by determining the type of threat that we are likely to face and the data hackers may target, we can prioritize the areas likely to come under attack, directing resources and attention to the places that need it most.
And it’s not just external actors that we can watch out for; the US Department of Defense is currently using predictive analytics to identify possible insider threats too. Bring together data-stream monitoring and information about personal conduct, and you are able to create employee risk profiles, so that appropriate action can be taken if necessary. This could range from a subtle change of role to revoking access privileges immediately — but the important thing is that we can act before an incident occurs.
Coming generations of products will go a step further to include ‘prescriptive analytics’; i.e. they will provide not only threat predictions but recommendations on the best course of action, even the execution of automated actions where appropriate. And in the imminent reality of AI-powered cyberattacks, that automation will be vital to improving our response time.
Implementation
Implementing a predictive approach to cybersecurity is clearly not a simple matter, but the good news is that a range of vendors are busy developing products that could be applied with a limited amount of expertise. The most prominent analytics firms like SAS, IBM and SAP of course have their own offerings, but start-ups like JASK and Anomali have entered the market too, which could make implementation more affordable for some. And with Gartner predicting that by 2020 at least 75% of cybersecurity products on the market will use some sort of predictive analytics, we should all be investing in some knowledge of the technology in order to make informed decisions in the future.
It’s important to note however that predictive analytics is not, and never will be a silver bullet. Many new technologies are touted as such, but we should always consider the weaknesses of any approach and the likely criminal response; is it possible for example that they could spread false intelligence in an attempt to dupe predictive systems? How could we address that? Like any other cybersecurity technique, predictive analytics cannot be our sole form of defense, but it does have exciting potential as part of a wider strategy; something that might finally help turn the tide of a war that right now, we are losing.
For more of Tim's insights and cybersecurity news, follow SecureWorld on LinkedIn, Twitter, or Facebook.
