Use big data to fight cybercrime

While organizations don't always need to understand how an attack works from an in-depth technical perspective, they do need to understand how the attacks get past their defenses. A successful CISO will arm himself with analytics and learn from others' mistakes.


Personally identifiable information (PII) is subject to a high level of legally mandated protection by data privacy laws. In some jurisdictions, using data sources that personally identify an individual may be entirely prohibited. In others there may be constraints in relation to how and whether different data sources can be used. Even though big data analytics often uses raw data that is not of a private or otherwise legally sensitive nature, the outcome of an analytics exercise can collate data in a way that creates highly sensitive private information which may then need to be protected.

Managing external and internal threats

Let’s look at a few examples of how big data analytics can help businesses improve information security. First, let’s examine external threats.

Big data analytics could help identify cyber-criminal or state-sponsored zero-day attacks. Modern malware and attacks often rely on stealth and the element of surprise, which makes them increasingly successful even against state-of-the-art anti-malware solutions. As a result, many anti-malware vendors are using big data analytics to analyze malware reports and associated network traffic in an effort to identify and mitigate malware campaigns as they occur.

In terms of supply chain security, big data analytics has the potential to profile or identify suppliers by scanning sources such as contracts, service level agreements, procurement and vendor management databases, connectivity logs, invoices, delivery and shipping notes, payment records and expense records. Big data analytics can create an overarching view of supply chain security by analyzing high-risk suppliers’ security data such as that held in suppliers’ network logs, event management databases or intrusion detection systems. It can also compare suppliers across different dimensions of information security risk.

When we look at internal threats, several of our Member companies are using big data analytics to identify standard patterns of staff behavior. Big data sources may include email content, web activity (including access to competitors’ websites and trade forums) and building access logs.

Additionally, a number of high-profile banking frauds succeeded because the perpetrators never took more than a few days off work at one time and were thus able to keep their fraud hidden. As a result, it became standard in many financial organizations for staff to take “block leave” – in other words, mandatory vacation where the minimum time away was sufficiently long that fraud could not be concealed in an individual’s absence.

The rise of remote access and the proliferation of mobile devices in the workplace in today’s fully connected society have potentially undermined this control. Big data analytics could identify staff who are accessing systems when they should be on vacation, by correlating leave scheduled through a calendaring or HR system with remote login, mobile device, or other account activity.
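As an added illustration (not part of the original article), the following Python joins constructed HR leave records with constructed remote-login events and flags successful logins that fall inside a scheduled leave period; the record formats, user names and addresses are assumptions. Flagged entries are leads for review, since a user may have a legitimate reason to connect during leave.

```python
from datetime import date, datetime

# Constructed sample data: HR leave records (inclusive dates) and login events.
LEAVE_RECORDS = [
    {"user": "alice", "start": "2024-03-04", "end": "2024-03-15"},  # block leave
    {"user": "bob",   "start": "2024-03-11", "end": "2024-03-12"},
]

# Constructed log lines: "<timestamp> <source> <user> <src_ip> <result>"
LOGIN_EVENTS = [
    "2024-03-01T08:02:11 vpn alice 203.0.113.7 success",
    "2024-03-06T22:41:03 vpn alice 203.0.113.7 success",      # during leave
    "2024-03-08T09:15:40 mobile alice 198.51.100.4 success",  # during leave
    "2024-03-11T10:00:00 vpn bob 203.0.113.9 success",        # during leave
    "2024-03-13T10:00:00 vpn bob 203.0.113.9 success",        # after leave
    "2024-03-06T07:30:00 vpn carol 203.0.113.2 success",      # no leave on file
]

def parse_leave(records):
    """Build {user: [(start, end), ...]} from the HR export."""
    leave = {}
    for r in records:
        period = (date.fromisoformat(r["start"]), date.fromisoformat(r["end"]))
        leave.setdefault(r["user"], []).append(period)
    return leave

def parse_event(line):
    """Split one login line into its fields; timestamps are assumed local time."""
    ts, source, user, src_ip, result = line.split()
    return {"time": datetime.fromisoformat(ts), "source": source,
            "user": user, "src_ip": src_ip, "result": result}

def logins_during_leave(records, events):
    """Return (user, time, source, src_ip) for successful logins inside leave."""
    leave = parse_leave(records)
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev["result"] != "success":
            continue  # failed attempts are a separate analytic
        for start, end in leave.get(ev["user"], []):
            if start <= ev["time"].date() <= end:
                hits.append((ev["user"], ev["time"].isoformat(),
                             ev["source"], ev["src_ip"]))
                break
    return hits

def summarize(hits):
    """Count flagged logins per user so reviewers can prioritize."""
    counts = {}
    for user, *_ in hits:
        counts[user] = counts.get(user, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in logins_during_leave(LEAVE_RECORDS, LOGIN_EVENTS):
        print("login during scheduled leave:", *hit)
```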

While the ultimate promise of big data analytics for information security is to predict and prevent incidents, there will always be value in remediation. Big data analytics can be used to assist with post-incident review, to assess the full impact, determine possible root causes, and identify potential indicators that could be used to warn against future incidents. These results can then be used to identify mitigating controls. Historical data can also be analyzed using the indicators to determine if there have been previous occurrences of the incident that were undetected.

Using Big Data analytics to your advantage

Executives and boards want to balance the risks and rewards of operating in cyberspace by ensuring that their investment in information security and cyber security is appropriate to manage and mitigate the risks.

As the use of big data analytics increases, the range of data sources will spread. One of the key messages that I would like to get across is that big data analytics is not just about log analysis; it is about seeing a wider picture.

Organizations need to approach the data differently, looking for connections between different data sources and regularly questioning whether there is another data source that could add further value. This activity requires the intervention of skilled individuals who understand both the data available and the objectives of the analysis.

One of the major issues with big data is the volume of data that is being added to the data set each day. While organizations are benefiting from the reduced cost of storage, that benefit may be outweighed by the rapid expansion in the volume of data. In order to balance the business benefits of big data analytics with the cost of storage, organizations need to regularly review the data they are collecting, why and for how long they need it, and where and how they store it.

Pressure continues to mount

Pressure is mounting on businesses to embrace big data because of the enormous insights and competitive advantage it can provide. Since we’re still in the early days, we have not yet seen many external requirements mandating that businesses assure information integrity. However, the sheer scale of information processed by businesses continues to grow, and with big data analytics bringing business decisions closer and closer to raw data, the quality of information has become increasingly important. Big data may even be used to improve information security if the same sophisticated analysis can be applied to relevant security data.

While such solutions may not yet appear to be widespread, you can be assured they are well on the way, with big data analytics already being used for fraud prevention, cyber security detection, social analysis and real-time multimodal surveillance. When analytics has been used as a security tool, it has been deployed reactively to monitor security incidents or discover breaches. What we’re now seeing is a massive, exciting opportunity for organizations to use analytics to be more proactive and forward looking about their cyber security.

About the author

As the Global Vice President of the Information Security Forum, Steve Durbin’s main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments.

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

Further information about ISF research and membership is available from www.securityforum.org.