How Cybersecurity Analytics Are Evolving

As the war between the black hats and white hats continues to escalate, cybersecurity necessarily evolves. In the past, black hats were rogue individuals. Now they're hacktivists, crime groups, and hackers backed by nation states.

"Hackers have gotten a lot more sophisticated," said Sanjay Goel, a professor in the School of Business at the University at Albany. "It used to be they'd break into networks, do some damage, and get out. Now they have persistent attacks and targeted execution."

Hackers are automating attacks to constantly search for vulnerabilities in networks. Meanwhile, fraudulent communications are getting so sophisticated, they're fooling even security-aware individuals. Analytics can help, but nothing is a silver bullet.

Moats Are Outdated

Organizations used to set up perimeter security to keep hackers from breaching their networks. Since that didn't work, firewalls were supplemented with other mechanisms such as intrusion detection systems that alert security professionals to a breach and honeypots that lure hackers into a place where they can be monitored and prevented from causing damage.

Those tools are still useful, but they have necessarily been supplemented with other methods and tools to counter new and more frequent attacks. Collectively, these systems monitor networks, traffic, user behavior, access rights, and data assets, albeit at a grander scale than before, which has necessitated considerable automation. When a matter needs to be escalated to a human, analytical results are sent in the form of alerts, dashboards, and visualization capabilities.

"We really need to get away from depending on a security analyst that's supposed to be watching a dashboard and get more into having fully automated systems that take you right to remediation. You want to put your human resources at the end of the trail," said Dave Trader, chief security officer at IT services company GalaxE.Solutions.

Predictive analytics analyzes behavior that indicates threats, vulnerabilities, and fraud. Slowly but surely, cybersecurity budgets, analytics, and mindsets are shifting from prevention to detection and remediation because enterprises need to assume that their networks have already been breached.

"All the hackers I know are counting on you not taking that remedial step, so when there's a vulnerability and it's a zero-day attack, the aggregator or correlators will catch it and then it will go into a ticket system so it's three to four days before the issue is addressed," said Trader. "In the three to four days, the hackers have everything they need."

Why Break In When You Can Walk In?

Fraudsters are bypassing traditional hacking by convincing someone to turn over their user ID and password or other sensitive information. Phishing has become commonplace because it's effective. The emails are better crafted now, so they're more believable and therefore more dangerous. Even more insidious is spear phishing, which targets a particular person and appears to be sent from a person or organization the target knows.

Social engineering also targets a specific person, often on a social network or in a real-world environment. Its purpose is to gain the target's trust and walk away with the virtual keys to a company's network or specific data assets. Some wrongdoers are even littering parking lots with thumb drives that contain malware.

Behavioral analytics can help identify and limit the damage caused by phishing and social engineering: it builds a profile of how the legitimate account holder normally behaves on the network and compares it with how the account is being used now, so that a stolen credential stands out even though the login itself succeeded.
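As an added illustration, not code from the article or from anyone quoted in it, the Python sketch below does the baseline comparison the paragraph describes for one account: it profiles normal activity from a handful of constructed access events, then flags later events that deviate on several dimensions at once, as they would if the account's password had been phished. The event layout, the hosts and services, and the "three times the usual volume" threshold are all assumptions.

```python
# Added example (not from the article): per-account behavioral baseline.
from collections import Counter
from datetime import datetime

# Constructed sample events: (timestamp, source host, service, MB moved).
BASELINE_EVENTS = [
    ("2017-02-01T09:12:00", "10.0.5.21", "fileshare", 12),
    ("2017-02-01T10:48:00", "10.0.5.21", "email", 3),
    ("2017-02-02T14:05:00", "10.0.5.22", "hr-portal", 8),
    ("2017-02-02T16:30:00", "10.0.5.21", "fileshare", 40),
    ("2017-02-03T11:20:00", "10.0.5.22", "email", 2),
    ("2017-02-03T17:45:00", "10.0.5.21", "fileshare", 25),
]
# Constructed later activity on the same account, including one event that
# looks like someone else using a phished credential (night, new host, bulk copy).
NEW_EVENTS = [
    ("2017-03-01T10:05:00", "10.0.5.21", "email", 4),
    ("2017-03-01T23:40:00", "203.0.113.7", "fileshare", 900),
    ("2017-03-02T14:30:00", "10.0.5.22", "crm", 6),
]

def build_profile(events):
    """Summarise the account's normal hours, hosts, services and volume."""
    return {
        "hours": Counter(datetime.fromisoformat(ts).hour for ts, _, _, _ in events),
        "hosts": {host for _, host, _, _ in events},
        "services": {svc for _, _, svc, _ in events},
        "max_mb": max(mb for _, _, _, mb in events),
    }

def score_event(profile, event):
    """Return the list of ways this event departs from the baseline."""
    ts, host, service, mb = event
    reasons = []
    if profile["hours"][datetime.fromisoformat(ts).hour] == 0:
        reasons.append("unusual hour")
    if host not in profile["hosts"]:
        reasons.append("new source host")
    if service not in profile["services"]:
        reasons.append("new service")
    if mb > 3 * profile["max_mb"]:  # assumed threshold: 3x the largest seen
        reasons.append("volume spike")
    return reasons

def flag_anomalies(profile, events, threshold=2):
    """Flag events that deviate on at least `threshold` dimensions at once."""
    flagged = []
    for event in events:
        reasons = score_event(profile, event)
        if len(reasons) >= threshold:
            flagged.append((event, reasons))
    return flagged

if __name__ == "__main__":
    for event, reasons in flag_anomalies(build_profile(BASELINE_EVENTS), NEW_EVENTS):
        print("ALERT", event, "->", ", ".join(reasons))
```

Requiring several deviations together keeps a single new service or a single late login from paging anyone, while the combination a credential thief tends to produce still surfaces.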

Bottom Line

Breaches are bound to happen. The question is whether companies are prepared for them, which means keeping security systems up to date and training employees.

Far too many companies think that hacking is something that happens to other organizations so they don't allocate the budget and resources they need to effectively manage risks. Hackers love that.

Lisa Morgan, Freelance Writer

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include big data, mobility, enterprise software, the cloud, software development, and emerging cultural issues affecting the C-suite.


Re: Shadowbrokers' latest gift
  • 5/16/2017 8:36:09 AM

Not to get too far off topic, but I have come to trust Snowden less and less, ever since we've come to see WikiLeaks and perhaps Snowden himself as a pawn of the Russian forces of cyber war. While I don't condone the NSA for creating weapons of mass spying, certainly blame is due to the parties that unleashed them upon the world for rogue actors and malevolent states like NK to use.

Re: Shadowbrokers' latest gift
  • 5/15/2017 5:49:59 PM


Michelle writes

The follow-up coverage of the leak has been a bit scary. I believe variants of the found cache have been detected on various machines.

And how! This has evolved into the so-called WannaCry ransomware virus, now wreaking havoc among hundreds of thousands of systems in over 150 countries.

As most on A2 already know, major facilities and institutions such as Britain's National Health Service and Spain's Telefonica have been seriously harmed.

Three days ago, in a Twitter post, Edward Snowden criticized the NSA for creating the malware:

Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost

Snowden also linked a New York Times article that provided more details about the apparent NSA source:

Re: Shadowbrokers' latest gift
  • 4/30/2017 8:03:14 PM

The follow-up coverage of the leak has been a bit scary. I believe variants of the found cache have been detected on various machines. I believe Symantec researchers have recently discovered these.

Shadowbrokers' latest gift
  • 4/15/2017 12:05:06 PM


Latest news on the Internet cybersecurity front seems to involve malware created by the NSA and leaked by a shadowy group calling itself The Shadowbrokers.

This is reported in an online article by The Intercept:

The ShadowBrokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.


This is reminiscent of Stuxnet, another malicious software weapon apparently devised by the CIA to attack Iran's nuclear program. Stuxnet also got into general worldwide circulation and became an aid to hackers in developing more sophisticated hacking tools.

In the case of the current malware leak, the article warns that "Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches."

The implications are stated by security researcher and hacker Matthew Hickey: "This is as big as it gets ... Nation-state attack tools are now in the hands of anyone who cares to download ... it's literally a cyberweapon for hacking into computers ... people will be using these attacks for years to come."


Cybersecurity needs to evolve, and fast
  • 3/10/2017 2:45:24 PM


In this discussion of cybersecurity, it would seem remiss to ignore the recent breaches of the formidable UBM/SAS anti-spam defenses resulting in spam postings here on A2. In at least one recent breach, spam content including live hyperlinks has been posted, overcoming what I'd presume is some pretty daunting security know-how.

These merry developments would seem to corroborate the points made by me and others that there's a continuous "arms race" between the cybersecurity forces and those who are seeking to penetrate their defenses.


Re: Automation
  • 3/6/2017 2:45:33 PM

And then, as noted, attackers are now routinely "automating attacks to constantly search for vulnerabilities," so it could be a 24/7 awareness that's needed to be on guard, along with the other dangers that are evolving fast.

Re: What People Say Sometimes Scares Me
  • 3/3/2017 11:55:35 AM

5. "If this network could be breached, it would have been breached by now."

6. "It's okay, our cloud provider said so."

7. "Can't we just encrypt everything and be done with it?"

8. "Why do we need to use the VPN again?"

Re: Automation
  • 3/3/2017 11:50:46 AM

I'm not so sure, Impactnow... seems like there's something very broken with the current security management model that is highly defensive and reactive in nature. Security hardware and software that's invulnerable to hacking or malware infection looks like a better place to focus attention and practical research.

Re: Automation
  • 3/3/2017 11:47:42 AM

I applaud the offensive nature of what you're suggesting, Seth. But my belief is that aggressive offensive moves will turn the Internet and most data centers into mayhem and maybe even war zones. Between the cloud's ability to scale and the resources that the darknet can bring to bear on innocent targets, these kinds of attack-the-attacker scenarios will have plenty of unintended consequences.

Re: What People Say Sometimes Scares Me
  • 3/3/2017 11:42:28 AM

That's a good point about using "security" as a catch-all phrase. There are lots of different disciplines and skill sets under the broad banner. That being said, it is surprising that there hasn't been more application of analytics tools to these various skills or security functions, most of which are data driven.
