Heartbleed, the OpenSSL vulnerability discovered last week by security engineers at Codenomicon, doesn't change the promise of big-data analytics for cyber security. But it does give us reason to reflect on its role and clarify some misunderstandings.
Yesterday I had the chance to talk with Jen Dunham about advanced analytics and the role they play in beating Heartbleed and other such future attacks. Dunham is a former military intelligence analyst who is now a principal solutions architect with the Security Intelligence Practice at SAS (this site's sponsor). As she explained during our phone conversation, analytics isn't going to let you get in front of a problem like Heartbleed: "It isn't going to say, 'Whoa! Don't go to that website because it's there.' "
From that perspective, she said, cyber vulnerabilities of this sort simply aren't going to be detectable.
However, she observed, "This exact signature, the bleed itself... is exactly what analytics can detect."
What's critical is the ability to analyze the underlying data and discover behavioral discrepancies. That's where the analytics can come in and help mitigate loss, be that of usernames and passwords, personally identifiable information, intellectual property, or whatever else a cyber criminal might be seeking. "Here the analytics of the data underneath should be able to say, 'Oh, this account has been compromised' or 'Oh, this user isn't acting like he normally does. There's a risk here,' " Dunham told me.
While lots of security vendors talk about behavioral signatures today, Dunham cautioned, many do so with limited rules-based approaches. "You can't just apply rules and expect to catch bad guys. The first thing they do is test your system, find the rules, and break them."
Enterprises looking to add analytics to their security arsenals have to understand what they need, Dunham said. And what they need, she feels, is a hybrid of analytical methods -- or what Gartner calls a layered approach -- similar to the one that SAS has developed over the years through its work in solving complex fraud detection and prevention challenges. This hybrid approach includes business rules, anomaly detection, behavioral analytics and classifications, predictive modeling of known and emerging threats, semi-supervised modeling and unsupervised modeling for zero-day vulnerabilities, and social network analysis or graph theory:
- From a cyber security perspective, you're looking at the connections between network assets and the flow of transactions between them -- which is exactly where the Heartbleed bug is, with that flow padded with an additional 64 kilobytes of memory -- and can find the basic signature of that as being not normal. Analyzing all those things in a hybrid approach will get you to uncover malicious activities that are heavily backstopped or basically obfuscated so they blend into the norm.
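To make the "exact signature" Dunham describes concrete, here is a small Python check added for this post (it is illustrative code, not SAS's or anyone else's analytics) that inspects a single TLS record and flags a heartbeat whose declared payload length exceeds what the record actually carries, or whose body is larger than the protocol allows; the sample records are constructed, not captured traffic.

```python
import struct

# Constants from the TLS record layer (RFC 5246) and the Heartbeat extension (RFC 6520).
CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_TYPES = {1: "request", 2: "response"}
MIN_PADDING = 16             # RFC 6520: a heartbeat message carries at least 16 bytes of padding
MAX_HEARTBEAT_LEN = 2 ** 14  # RFC 6520: total heartbeat message length must not exceed 2^14

def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body); None if truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    return (ctype, version, body) if len(body) == length else None

def inspect_heartbeat(data: bytes) -> list:
    """Return findings for one TLS record; an empty list means nothing suspicious."""
    rec = parse_tls_record(data)
    if rec is None:
        return ["truncated or malformed TLS record"]
    ctype, _version, body = rec
    if ctype != CONTENT_TYPE_HEARTBEAT:
        return []                        # only heartbeat records are of interest here
    if len(body) < 3 + MIN_PADDING:
        return ["heartbeat body shorter than header plus minimum padding"]
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    findings = []
    if hb_type not in HEARTBEAT_TYPES:
        findings.append(f"unknown heartbeat type {hb_type}")
    # The Heartbleed trigger: the declared payload_length is larger than the payload
    # actually carried, so an unpatched peer answers with that many bytes of its memory.
    carried = len(body) - 3 - MIN_PADDING
    if payload_length > carried:
        findings.append(f"payload_length {payload_length} exceeds carried payload {carried}")
    # The bleed itself: a heartbeat body far larger than any legitimate message.
    if len(body) > MAX_HEARTBEAT_LEN:
        findings.append(f"heartbeat body of {len(body)} bytes exceeds the {MAX_HEARTBEAT_LEN} byte limit")
    return findings

# Constructed samples (not captured traffic): a benign 4-byte "ping" heartbeat request
# with 16 bytes of padding, a request that declares 16384 bytes but carries none,
# and an ordinary application-data record that the check should ignore.
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
MALFORMED_HEARTBEAT = b"\x18\x03\x02\x00\x13" + b"\x01\x40\x00" + b"\x00" * 16
APPLICATION_DATA = b"\x17\x03\x02\x00\x03" + b"abc"

if __name__ == "__main__":
    for name, record in [("benign", BENIGN_HEARTBEAT), ("malformed", MALFORMED_HEARTBEAT)]:
        print(name, inspect_heartbeat(record) or "ok")
```

A production detector would run this per record over reassembled TLS streams and feed the findings into the behavioral layers described above, rather than alerting on a single record in isolation.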
Neither cyberthreats -- today's Heartbleed and what will come tomorrow (because we know more will follow) -- nor the analytics used in the detection are trivial. And so Dunham said she finds some danger in all the talk about big-data security analytics, fearing that customers don't always understand what they're buying and how secure -- or not -- they really are. "We need to do a better job of understanding how to safeguard ourselves internally and pay closer attention to how risk occurs."
Do you agree? How worried are you about bugs like Heartbleed and the ramifications for the corporate world, not to mention yourself personally? Are vendors touting big-data security analytics solutions leaving customers with a false sense of safekeeping? Do you think there are lessons to be learned from the analytics associated with enterprise intelligence and fraud protection? There's lots to talk about when it comes to analytics and security. Share below!
— Beth Schultz, Editor in Chief, AllAnalytics.com