Cyber Fraud Affects 5 Percent of the Planet’s GDP
The Association of Certified Fraud Examiners (ACFE) estimates typical organizations loses 5 percent of their revenues to fraud each year (ACFE Report). When fraud occurs, the integrity of the data is impacted; intellectual property is lost, stolen, or at risk; and customer confidence is affected.
Fraud is growing in scope and complexity, and no industry is immune. Effective countermeasures require a holistic approach that includes understanding and assessing the risk and the value of assets. Additionally, organizations must balance defensive countermeasures with offensive detection capabilities. FBI Director Robert Muller stated, “There are only two types of companies: Those that have been hacked, and those that will be.” Organizations must assume attackers will attempt to target their organizations though cyber fraud in some manner. They must be able to detect, respond to and defend against these types of attacks.
Successfully implementing fraud countermeasures requires building detection and response capabilities as well as investigation and discovery capabilities. With the power and expertise of big data cyber security analytics, organizations have many choices to implement solutions that can provide insight into a vast multitude of data points. Additionally, systems that incorporate or integrate with powerful case management and dashboards that are designed around risk and compliance give organizations a healthy snapshot of how risk impacts their organizations. These concepts give organizations a strong view of weaknesses and vulnerabilities that allow them to distinguish between normal and abnormal activity.
I have heard this before. Cyber experts say it’s impossible to stop a motivated attacker.
Some security professionals argue that it’s impossible to catch low-impact attacks, because attackers are getting smart about hiding their volume of attacks, essentially trying to fly under the radar and make their attacks look like legitimate traffic. This is often described as the needle in the haystack problem. How can you detect a malicious actor when there’s an overwhelming amount of other pieces of data that don’t mean anything? This is a lie. Data science experts will tell you that no matter how often an abnormal behavior occurs — whether it’s one hundred times or just once — it’s still abnormal behavior and can be categorized once a baseline is established. There are products from companies that do exactly this. Establishing a baseline is extremely important because it gives organizations a clear view of who is a malicious actor and who is not.
Once these outliers can be identified in real time, there’s cutting edge technology that’s just starting to be adopted by mainstream enterprise organizations to take this information and dynamically change access to the data, redirecting flows through honeypots, networking firewalls or other network techniques. Software-defined networking can already be used to dynamically reconfigure and block access after an analytics engine has determined or assigned a level of risk to a data flow. Intrusion detection and prevention systems have long had the ability to block a single IP from accessing the network though their own capabilities or by programming a firewall. The new generation of tools assigns risks to flows and connections, and manipulates traffic based on an understanding of business-critical functions and goals.
Countermeasures against cyber fraud allow organizations to detect exposures, perform kill chain analytics and close vulnerabilities, allowing them to fight back against cyber fraud for the first time.
Why Traditional Security Doesn’t Work
In many cases, successful attacks are leveraging legitimate applications, protocols and user credentials to gain unauthorized access. In these scenarios, traditional security protections prove useless, as the adversary has gained legitimacy by masquerading as a valid user. However, all is not lost. By using advanced analytics, along with modern security tools, organizations can identify anomalous user behavior, even if the attacker has valid credentials. Data loss prevention systems can identify and, in some cases, minimize or prevent the loss of intellectual property or sensitive data. Combining these tools into a unified security architecture can significantly reduce the risks associated with advanced persistent threats.
Insider threats are one of the most difficult threats to stop, because inside attackers, like good attackers from any location, will try to blend in and use existing services to gain access to a system rather than finding a new vulnerability.
MOSCOW – OCTOBER 09: Dominika Cibulkova of Slovakia poses by St Basil’s Cathedral at the Red Square during day four of the Kremlin Cup Tennis at the Olympic Stadium on October 9, 2008 in Moscow, Russia. (Photo by Julian Finney/Getty Images)The complexity and diversity of the attacker’s tools and techniques continues to grow in response to new defensive measures. As a result, it’s imperative that security operations staff continuously manage the security architecture by ensuring that policies, device configurations, responses and reporting processes are up-to-date, clearly understood and relevant.
What Is Big Data Cyber Security Analytics?
Big Data Cyber Security Analytics is the collection of data sets that are large and complex. The size, diversity and complexity of this data make it difficult to process using traditional applications. Traditional security tools are great at processing similar data sets with easy-to-understand relationships.
Big Data Cyber Security Analytics specializes in organizing solution sets that are unstructured and that are more difficult to find and correlate. Examples of this are finding how Twitter hashtags, road construction or weather affects retail sales of a specific product. How does retail sales volume on specific products than affects cyber fraud. Building and analyzing these types of relationships with traditional databases is very difficult, if not impossible.
The challenge with Cyber Analytics is how to capture, process, store, search, share, analyze and present large and diverse amounts of data in a visually compelling format.A Basic Understanding of Big Data Cyber Security Analytics ArchitectureAn implementation of this logical architecture would use products and processes that satisfy the business, technical and architectural requirements of an organization. Each layer may be composed of multiple technical and procedural components that work collectively to execute a particular security outcome. Overlaying proper security processes on core technical solutions is critical to the architecture and increasing the overall organizational security posture.
The Big Data Cyber Security Analytics architecture supports the collection, analysis and reporting of both raw data (i.e. packets) and metadata (information about the raw data). Examples of raw data include network packets captured in transit or files on a storage device. Examples of metadata include network packet source and destination addresses, ports, protocol class, packet checksum, date/time stamps, file sizes, file creation dates, file owners, etc. The continuous acquisition and analysis of both raw data and metadata are critical for the security architecture. The amount of raw data and metadata that is stored is dependent upon several factors including risk management philosophy, critical asset value, budget, manpower and skill sets, and security procedures.
Near real-time analytics are low latency processes that ingest and analyze security data as it’s acquired. These analytics typically run within an extract-transform-load (ETL) process as sensors acquire and forward data into infrastructure storage. A near real-time process is one in which completion times or perceived latency, when measured against wall clock time, is a key feature of the system. Near real-time analytics must have relatively high performance and low latency to produce analytics results as the data is ingested into the analytic engine.
The stock quote application is a great example of an application that should perform in near real time. The latency between when a new stock ticker price is published and when it is available to a subscriber should be so low that it’s imperceptible to a typical user. Unless you are a high-speed day trader, a sub-second latency feature would provide adequate capability as a near real-time system. Advanced Big Data Cyber Security Analytics is that when a system is baseline, any anomalies that are detected in those baselines are reported on and seen instantly.
Security operations organizations are designed to respond to security threats. The security architecture provides situational awareness, and in the case of a security threat, supports a procedure or automated response to mitigate the threat. Typically, the response layer has been a characterized by human-driven manual processes through standard operating procedures (SOPs) in the security organization. However, as security technology has matured, automated responses have grown in popularity to mitigate known or well-defined threats.
Using Advanced Big Data Cyber Security Analytics to Respond to Threats
1.1.1 PROCEDURAL RESPONSE
Every mature operational organization defines procedures for their day-to-day tasks. In a security operations center, these procedures are documented in security SOPs that allow the organization to quickly respond to advanced threats. The SOPs, when documented, enable discipline under crisis. An organization doesn’t want to find itself defining security processes under the duress of an ongoing threat as corporate services and intellectual property are compromised.
An organization can’t have a SOP without a document. The SOP document serves as the definitive resource during a security incident, regardless of time of day, day of week, holiday or subject matter expert absence. It also serves as a training, reference and evaluation tool before a security threat exists.
1.1.2 AUTOMATED RESPONSE
In 1988, a group of engineers at Digital Equipment Corporation (DEC) published a paper on packet filtering firewalls. The paper described the stateless machine that inspected every packet on the network and could drop (discard) a packet based on filter rules. Each packet was inspected independently, regardless of the flow state. The early firewalls demonstrated an automated response of dropping packets based on predefined patterns or rules in the system.
Today, automated security responses are prevalent across many security technologies including firewalls, intrusion prevention systems, anti-virus quarantine solutions and password lockout features within authentication systems.Some takeaways Security professionals who understand that cyber security should be treated as a system of controls and failures rather than a magic bullet know they can’t prevent every attack. But by taking a holistic approach to implementing cyber fraud countermeasures, organizations can prevent little attacks from compromising their business and keep large-scale attacks at bay. Special Thanks I want to specifically thank a number of my colleagues for letting me debate my concepts with them. Also a very big thanks to Owen Skoler for helping me with the editing.