How Analytics Could Stanch Heartbleed

Before the Heartbleed bug, there was big data -- as the center of attention among security watchers, that is. Specifically, everybody and anybody in the security industry seemed to have glommed onto the idea that big-data analytics could help predict and thwart cyber attacks.

Heartbleed, the OpenSSL vulnerability discovered last week by security engineers at Codenomicon, doesn't change the promise of big-data analytics for cyber security. But it does give us reason to reflect on its role and clarify some misunderstandings.

Yesterday I had the chance to talk with Jen Dunham about advanced analytics and the role they play in beating Heartbleed and other such future attacks. Dunham is a former military intelligence analyst who is now a principal solutions architect with the Security Intelligence Practice at SAS (this site's sponsor). As she explained during our phone conversation, analytics isn't going to let you get in front of a problem like Heartbleed: "It isn't going to say, 'Whoa! Don't go to that website because it's there.' "

From that perspective, she said, cyber vulnerabilities of this sort simply aren't going to be detectable.

However, she observed, "This exact signature, the bleed itself... is exactly what analytics can detect."

What's critical is the ability to analyze the underlying data and discover behavioral discrepancies. That's where the analytics can come in and help mitigate loss, be that of usernames and passwords, personally identifiable information, intellectual property, or whatever else a cyber criminal might be seeking. "Here the analytics of the data underneath should be able to say, 'Oh, this account has been compromised' or 'Oh, this user isn't acting like he normally does. There's a risk here,' " Dunham told me.

While lots of security vendors talk about behavioral signatures today, Dunham cautioned, many do so with limited rules-based approaches. "You can't just apply rules and expect to catch bad guys. The first thing they do is test your system, find the rules, and break them."

Enterprises looking to add analytics to their security arsenals have to understand what they need, Dunham said. And what they need, she feels, is a hybrid of analytical methods -- or what Gartner calls a layered approach -- similar to the one that SAS has developed over the years through its work in solving complex fraud detection and prevention challenges. This hybrid approach includes business rules, anomaly detection, behavioral analytics and classifications, predictive modeling of known and emerging threats, semi-supervised modeling and unsupervised modeling for zero-day vulnerabilities, and social network analysis or graph theory:

    From a cyber security perspective, you're looking at the connections between network assets and the flow of transactions between them -- which is exactly where the Heartbleed bug is, with that flow padded with an additional 64 kilobytes of memory -- and can find that the basic signature of that as being not normal. Analyzing all those things in a hybrid approach will get you to uncover malicious activities that are heavily backstopped or basically obfuscated so they blend into the norm.
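The "not normal" signature Dunham refers to can be checked directly at the record level. The following is an added example, not code from the article or from SAS: it parses TLS heartbeat records (RFC 6520 layout) and flags a message whose declared payload length exceeds the bytes actually on the wire, which is the discrepancy a vulnerable peer turns into the 64 KB bleed. The sample records and the 1 KB "sane payload" threshold are constructed assumptions for illustration.

```python
"""Flag the Heartbleed request signature in TLS heartbeat records.

Added example (not the article's or SAS's code). It looks for the one
behavioural discrepancy the article describes: a heartbeat that claims far
more payload than it carries. Sample records are constructed inline.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding
MAX_SANE_PAYLOAD = 1024         # assumption: real keepalives are tiny


def inspect_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether its heartbeat over-claims."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "suspicious": False}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return {"heartbeat": True, "suspicious": True, "reason": "truncated"}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    # Payload bytes actually present once type, length and padding are removed.
    actual = max(len(body) - 3 - MIN_PADDING, 0)
    # Heartbleed signature: claimed length exceeds what was sent, so an
    # unpatched peer would copy `claimed` bytes of whatever follows in memory.
    overclaim = claimed - actual
    suspicious = overclaim > 0 or claimed > MAX_SANE_PAYLOAD
    return {
        "heartbeat": True, "type": hb_type, "claimed_len": claimed,
        "actual_len": actual, "overclaim": overclaim, "suspicious": suspicious,
    }


def make_record(hb_type: int, claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat TLS record (constructed test data only)."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


# Constructed samples: an honest 4-byte keepalive and a ~64 KB over-claim.
BENIGN = make_record(1, 4, b"ping")
BLEED = make_record(1, 0xFFFF, b"")

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("bleed", BLEED)):
        print(name, inspect_heartbeat_record(rec))
```

Run against captured traffic, the same check gives an analytics pipeline a concrete feature (claimed minus actual length) rather than a brittle string-match rule.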

Neither cyberthreats -- today's Heartbleed and what will come tomorrow (because we know more will follow) -- nor the analytics used in the detection are trivial. And so Dunham said she finds some danger in all the talk about big-data security analytics, fearing that customers don't always understand what they're buying and how secure -- or not -- they really are. "We need to do a better job of understanding how to safeguard ourselves internally and pay closer attention to how risk occurs."

Do you agree? How worried are you about bugs like Heartbleed and the ramifications for the corporate world, not to mention yourself personally? Are vendors touting big-data security analytics solutions leaving customers with a false sense of safekeeping? Do you think there are lessons to be learned from the analytics associated with enterprise intelligence and fraud protection? There's lots to talk about when it comes to analytics and security. Share below!

— Beth Schultz, Editor in Chief


Beth Schultz, Editor in Chief

Beth Schultz has more than two decades of experience as an IT writer and editor. Most recently, she brought her expertise to bear writing thought-provoking editorial and marketing materials on a variety of technology topics for leading IT publications and industry players. Previously, she oversaw multimedia content development, writing and editing for special feature packages at Network World. In particular, she focused on advanced IT technology and its impact on business users and in so doing became a thought leader on the revolutionary changes remaking the corporate datacenter and enterprise IT architecture. Beth has a keen ability to identify business and technology trends, developing expertise through in-depth analysis and early adopter case studies. Over the years, she has earned more than a dozen national and regional editorial excellence awards for special issues from American Business Media, American Society of Business Press Editors, and others.


Re: Bleeding heart
  • 4/20/2014 9:21:08 PM

The classic "Your profile is 40% complete. Finish it up!" falls for too many people, it would appear. Then your profiles are hit with perfectly targeted ads.

Re: Bleeding heart
  • 4/20/2014 8:47:17 PM

@CandidoNick You are right about that. I too think twice before posting things on the Internet. Sites like Facebook really make you vulnerable and encourage you to over share. It's shocking to see the amount of information people end up sharing.

Re: Bleeding heart
  • 4/20/2014 12:48:05 PM

These days, my outlook on the internet is monitored by the assumption that anything I produce on the web can be found, tampered with, and shared in seconds, even by the most amateur user, regardless of security settings. When it comes to the internet, privacy is null and void.

Re: Bleeding heart
  • 4/18/2014 6:10:56 AM

I wonder how many such bugs go undetected in the long run. Hackers have now become more resourceful. They are also more prudent. It is great that big data will help us to identify even smaller discrepancies.

Re: Bleeding heart
  • 4/17/2014 2:34:17 PM

Hi Michael, yes, you're absolutely right -- the detection is only the first step. Although I didn't discuss what happens after the discovery with Dunham, I would imagine that automated processes kick in and, as you suggest, humans get notified and then involved, too. At the very least, I would think the system would trigger an automated "verify who you are" kind of response similar to what happens should you, say, log into your bank from a device/IP address that hasn't previously been associated with you. Incidentally, she did tell me SAS is in the process of building up its own security operations center (to extend what it already has in place, of course) and will be "eating its own dogfood."

Bleeding heart
  • 4/17/2014 1:27:12 PM

I think the analytics that can identify anomalous traffic - like that extra 64K tacked on to a payload - are very important, but it's equally important to formulate an action plan around it. What happens when the software detects these anomalous packets? Are there automated remediation steps, or does a human get alerted, or both? Did Dunham talk about this phase of the process?