Data and analytics have always been involved in the battle against cybercrime but with businesses moving systems to the cloud at the same time as attacks have become more advanced, data analytics is becoming firmly established on the front line of defences.
The simplest explanation for why they are now so important is to consider the major change that accompanies moving to remote hosting, according to Ryan Sheldrake, CTO at cybersecurity company Lacework. When they host their own servers, businesses have physical oversight but once they have been moved to third parties, that level of direct control changes.
“In the past, you could find the server affected by an attack and even pull the plug on it,” he recalls. “With cloud providers, you may not even know where your servers are, and you certainly can’t touch them.
“Instead, cloud providers swap direct, physical control with mountains upon mountains of data, which is why analysing that data now is at the forefront of tackling cybercrime.”
Sophisticated cybercrime
Data and analytics are being given a leading role in defeating cyber threats and this is not only because of cloud and the masses of data it makes available to users. The new type of attacks from highly sophisticated hackers makes threats harder to spot using traditional virus detection techniques, according to Adrian Nish, head of cyber at BAE Systems Digital Intelligence.
“Viruses used to have the same signature code in them, so you could scan for them and then delete them,” he says. “But that’s no longer the case as attacks are now more advanced and one-off, so you can’t look for signatures.
“Instead, you need to use data analytics to monitor – in particular – network traffic. There will be millions of pieces of data to look at but with the right analytics, you can see what doesn’t look normal, such as something on your systems, possibly a bot, regularly calling out or ‘beaconing’ to a third party for instructions. It might not be anything to worry about but with analytics, you can narrow the field.”
This is incredibly important to businesses operating on the front line of the battle against cybercrime and, arguably, there is no industry where this is more pressing than banking and financial services. A security breach could lead to people losing their life savings or systems being down at the very moment a person is expecting their mortgage to come through for their new dream home.
There will be millions of pieces of data to look at but with the right analytics, you can see what doesn’t look normal. It might not be anything to worry about but with analytics, you can narrow the field
James Fellows, CTO at Coventry Building Society, reveals that data analytics is now the only way to keep a track of network traffic because not only have the threats changed – but what ‘normal’ looks like has altered dramatically.
“Our customers have made a huge shift to ecommerce during the pandemic, which means we are adapting to new payments leaving their accounts at all times,” he explains.
“And many of our employees are working from home and at different times of the day, so we have to get used to a lot more unusual behaviour, such as someone logging on in the evening because they’re working flexibly. We need to learn what’s normal by feeding data into analytics packages that will flag up where we might need to investigate further, perhaps calling a person to make sure it was them logging on.
“You just can’t do that type of safeguarding without using analytics to target where you need to be double-checking.”
How AI can help
It is here that data analytics need powerful AI and machine learning tools to start to build up a picture of what everyday traffic looks like for the millions of interactions that flash across the average company’s networks every day. David Hoelzer is director of research at Enclave Forensics and thinks that is why around half of the people who attend his cyber-security lectures for the industry’s SANS institute have a data background.
“About half of my students are now data scientists who want to learn more about how to apply data to cybersecurity at their organisations,” he says.
“The industry is moving to a point where data analytics are like a triage system that flags areas of concern because humans just cannot wade through millions of data points hoping to get lucky and find unknown malware.
“The trouble is, industry vendors have overpromised for many years, claiming they can spot unknown issues before they become a cyber threat, so many may be forgiven for thinking they already have this cover – or not believing what they are being promised.”
For Hoelzer, the risk here is that just as the data analytics, AI and machine learning tools are set to mature to a point where they can accurately guide humans to areas of unusual activity on networks, investment might be cut short. Given the power of data and analytics to focus the search for bad actors on networks, this would be a mistake.
In particular, it would be a step backwards in cybersecurity because, according to Ryan Sheldrake, the next wave of innovation will take company defences to the next level where anomalies are not only spotted, but fixed.
“We’re moving to the point where AI is not just going to be able to use data analytics to guide security teams to where unusual activity is taking place,” he says.
“The next stage is going to be using the data to find a problem and then fix it. These self-healing systems will be able to spot issues and then fix systems on the fly.”
That is the ultimate promise of data and analytics in defending against cybercrime. While they can currently be used to cut down the noise of network traffic to highlight where malware and bad actors may be lurking, the future will see them investigating anomalies and then reporting back to security staff when a problem has been detected and dealt with.
Data and analytics have always been involved in the battle against cybercrime but with businesses moving systems to the cloud at the same time as attacks have become more advanced, data analytics is becoming firmly established on the front line of defences.
The simplest explanation for why they are now so important is to consider the major change that accompanies moving to remote hosting, according to Ryan Sheldrake, CTO at cybersecurity company Lacework. When they host their own servers, businesses have physical oversight but once they have been moved to third parties, that level of direct control changes.
“In the past, you could find the server affected by an attack and even pull the plug on it,” he recalls. “With cloud providers, you may not even know where your servers are, and you certainly can’t touch them.
