As the Russia-hosted 2018 FIFA World Cup—an enormous beehive of international exposure—wrapped up 20 months ago, Russian President Vladimir Putin made a brief but staggering announcement that attracted little attention, even in the digital age.
He said that Russia prevented nearly 25 million cyber attacks and other criminal actions against its information infrastructure during the elite soccer games, an event financed by more than $14 billion. And he was able to make this claim—a statement that turned out to be true—even though phishing attacks were already underway before the start of events and a survey of security professionals found that 72 percent of them believed a World Cup attack was likely.
Putin’s claim no doubt included some small potatoes, such as unauthorized network scans. But it also included denial-of-service attempts that were monitored and successfully mitigated on an impressive scale—one requiring tens of millions of data points to be processed.
This was an impressive feat, even for cybersecurity-savvy Russia. It underscored the advances that have been made in big-time security analytics in Russia, the United States, China and other technologically advanced nations, and in a closely related area known as security information and event management (SIEM), with the two disciplines increasingly combined into one system. (Writ large, cybersecurity analytics supplies more context and insight than SIEM alone.)
As organizations, big and small, face a wider range and greater frequency of cyber threats than ever, it has become clear that those who run networks—whether on-premises or in the cloud—must make a strong effort to determine which indicators and events correlate with cyberattacks. The threats can be, among other things, indiscriminate attacks through bots and botnets, internal attacks or APTs (Advanced Persistent Threats), Dark Web-based malware-as-a-service, denial-of-service attacks or ransomware.
In working to stop cyber-breaches, the right tools and practices make all the difference in the world. And this is where cybersecurity analytics—the analysis of data to produce proactive security measures—comes in. A monitored network, for instance, could be used to spot indicators of compromise before a threat actually materializes. In the best case, the surveillance would be roughly akin to finding a way to eavesdrop on a criminal gang plotting a bank robbery before they carry it out.
This discipline is not about one tool or system. Rather, it is a way of approaching cybersecurity proactively. It requires analyzing network data from a blizzard of sources to identify trouble spots and to create and maintain security measures. It is essentially a nerve center. Security analytics augments existing security tools, including SIEM, data loss prevention and identity and access management.
Advancements in technology have played a key role in fueling the growth of cybersecurity analytics, but it’s not becoming a reality in corporate America and elsewhere just because it could. Key demand drivers include:
- The growing transition from protection to detection. More than ever, hackers use a wide array of attack mechanisms exploiting multiple vulnerabilities. Some threats, in fact, can go undetected for months. Security analytics tools can track common threat problems and send alerts when an anomaly is unearthed.
- An increasingly unified view of the enterprise. Cybersecurity analytics structures data in a way that it’s able to view events both in real time and historically. By providing a unified view of threats and breaches in one place, corporations can plan smarter and make better decisions.
- Mounting pressure to produce results and improve returns on cybersecurity investments. Top managers and stakeholders want to see results—and they also want better communication. In particular, security analytics produces fewer false positives, enabling analysts to more quickly identify threats and respond to actual breaches.
Corporations and government institutions are also getting a better grasp of the actionable data available to them. Civilian and defense professionals are drowning in data. Data analytics can save them. Unlike humans, these systems thrive on data, growing more accurate, useful and predictive as they gather bits and bytes.
Federal agencies are among the enthusiastic converts. According to a recent MeriTalk survey of 150 federal government cybersecurity pros, 81 percent use big data analytics for cybersecurity and are seeing results. Ninety percent of respondents said they have subsequently seen a decline in breaches and 84 percent said they used big data to stop at least one cybersecurity attack.
Predictably, the best cybersecurity operations are embracing big data security analytics. As its name implies, big data security analytics deals with security data sets so large and complex that they become difficult or impossible to process with on-hand database management tools or standard security data processing applications. Big data security analytics solutions can collect, process and store terabytes to petabytes of data.
Leading cybersecurity operations also tend to bet on startup-generated next-generation platforms—i.e., those typically most aggressive in pushing the envelope. One such example is Columbia, Md.-based Prevailion. Bearing in mind that third-party partners are typically the weakest security link in an enterprise, its sensor network is able to identify and stop early-stage cyberattacks while they are still underway outside the enterprise perimeter, when damage is still minimal.
Artificial intelligence is also playing a role. If properly implemented, AI can take much of the calculation and identification work off the shoulders of human security analysts, who, unlike computers, tire of repetitive and tedious work. AI also lets cyber-analysts direct their efforts to areas in which human thinking is more effective.
Economies of scale always make sense. So the next big development in cybersecurity analytics is likely to be the wholesale movement of SIEM and other aspects of security analytics from on-premises servers to public clouds. The growth in security data is massive, and some SIEM vendors base their pricing on the amount of data under management: the more data, the lower the cost per unit. The shortage of cybersecurity and IT skills also persists. For these reasons and others, the cloud will become host to yet another key database software sector.
This is a good thing because it will help keep security analytics moving in the right direction—up and to the right—in an era in which pruning and better analyzing massive amounts of data is the best solution to the relentless cybersecurity headache.
Most cyber-pros know that virtually every sizeable company has already been breached. In coming years, that may change. And in the interim, at least, there is a good chance that a country like Russia can host another major international event and again maintain the security of its digital infrastructure. Hopefully, the United States will be able to do the same.