Detecting and Tackling the Rising Cyber Threats

Douglas Clare, Vice President, FICO

Digitization is taking a huge leap in India, with consumers moving from physical to online transactions. Most financial dealings are now done through the internet and require sharing personal and sensitive data, including address, phone number, bank details, etc. Even the new GST implementation is an outcome of bringing together data from both customers and suppliers, outside of enterprise applications. In addition, detailed transactions are now shared with a broader set of stakeholders, where earlier they stayed within ERP systems. This exposes sensitive data to potential cyber threats outside the enterprise perimeter. Attackers are also now well-equipped and may belong to well-organised criminal organisations or even government-sponsored hacker groups.

All these factors have increased the risk of cyber attacks. The recent ransomware attacks affected thousands of organisations globally, including leading organisations in India. While Digital India transformation is being received with open arms, it comes with a major challenge that needs close attention and the best, most reliable solutions. The crucial first move to prevent a cyber attack is to strengthen basic IT and cyber security processes and drive awareness of the measures that need to be taken to ensure cyber protection.

Spotting abnormal behaviour and unknown threats
The increasing number, variety, speed and severity of cyber attacks calls for a new line of defence. While there are many signature-based solutions for protecting against known cyber attack vectors, the key gap is identifying threats for which no signature has yet been isolated. Better defences are also needed to protect against attacks involving credential changes after spear phishing. To minimize losses, we must detect and stop threats based on the abnormal behaviours they exhibit in the network, as they occur on a real-time basis. To prevent losses, we must predict and stop as many threats as possible during the reconnaissance period, before signatures are codified, and before data is infiltrated.

Different machine learning techniques work to harvest actionable behavioural insights from huge streams of data traffic, including: a) self-calibrating models, which continually recalibrate the changing distributions of normal peer behaviour with every transmission and score anomalies by their extent of deviation, and b) self-learning analytics, which improve with each resolved alert and its associated transactions. Together, these two methods enable streaming models to spot threats more reliably and build an ever-clearer picture of the typical behaviour of individual entities. They also help minimize false positives and so avoid unnecessary alerts — a top challenge for many organizations, according to recent research by the Ponemon Institute. Too many false positives and a lack of granular alert/event ranking prevent cybersecurity teams from prioritizing review of the most serious cases and rapidly stopping the anomalous traffic triggering them. With large organisations generating tens or hundreds of thousands of alerts per day, prioritisation and actionable insights are key to security.

The underpinning technology is based on the proven, self-learning streaming analytics used for fraud defence in the banking sector. Fraud detection analytics and real-time fraud scoring software are used by the majority of banks worldwide to protect high-volume, high-value transaction streams from fraud losses and the negative customer impacts associated with compromised financial accounts. Because fraudsters frequently change tactics to evade bank defences, it’s essential for fraud detection to rapidly identify continually evolving threats — a clear parallel to the challenge faced in today’s cyber threat detection and the primary reason why signature-based methods are insufficient.

Closing the discovery gap
There’s been much concern about the time lapse between cyber attack and discovery. Recently that gap has narrowed, but the percentage of data compromises occurring in days or less is still more than twice the percentage of breaches discovered within that time window. Moreover, according to the Verizon 2015 Data Breach Investigations Report, in 60 percent of cases, compromise occurs within minutes. As discussed earlier, many of these attacks are not caught because cyber criminals slightly modify malicious software to get by systems looking for the “signature” characteristics of known threats. Or they may compromise credentials through spear phishing.

In either case, transgressors (malware, bots, hackers, etc.) will, at some point leading up to the attack or as it begins, cause network devices to behave in an unusual way. Spotting that unusual behaviour with sophisticated real-time behaviour analytic algorithms is the key to stopping cyber attacks in time to make a difference. These defences must be as fluid and dynamic as the moving, morphing cyber attack vectors. To recognize anomalies, we have to know the normal behaviours of the individual device and of the devices in an associated peer group — but in this environment, normal behaviour can’t be set with a static threshold. ‘Normal’ evolves continuously, so we need analytics to constantly recalculate normal behaviours in the stream of network transactions. We also need analytics to learn from what just happened — did that suspicious transaction turn out to be a threat or not? — and thereby adjust to the latest attack trends.

Advanced analytics for cyber defence
Adapting advanced technologies for better cyber attack defence is the next step every organization should take. Some of the most effective solutions include:

Self-learning entity transaction profiles: This flexible approach allows profiling of virtually any type of network entity. Profiles can be entity-specific (such as an individual end-point) or global (pertaining to more than one entity, such as a website visited by multiple endpoints). They can also be multi-dimensional, capturing the unique characteristics of behaviour between pairs or groups of entities.

Streaming self-calibrating outlier models: This patented streaming analytic technique is effective for cybersecurity, as models recalibrate in real time to changing network behaviours. The models learn areas of aberrant behaviour ‘on the fly’ in the transaction stream, so they don’t need to be trained with tagged (confirmed attack/no attack) historical data. This is advantageous because, despite the big losses cyber crimes can cause, they involve relatively few confirmed attacks. Historical data is therefore limited. Models must train themselves, requiring completely different types of advanced analytic algorithms.

Multi-layered self-calibrating models: These models incorporate large numbers of cyber attack features, self-calibrating models and the concept of factor analysis to improve accuracy. They produce a combined score, bringing more context and nuance to real-time cyber attack detection.

Self-learning adaptive analytics: Adaptive analytics incorporate self-learning techniques that make the streaming models more sensitive to recent cyber attack patterns. This automated feedback loop also incorporates insights from an organization’s cyber threat analysts — a critically important link in the chain of defence — directly into deployed analytic models.

Out-of-stream analytic enhancements: Streaming models can also be informed by any number of out-of-stream analytic inputs, which may be configured to incorporate information such as archetype updates for continual improvement of collaborative profiles, or clique analysis to identify IP addresses or domains frequently associated with certain other domains and IP addresses.
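As an added illustration, and not FICO's code or any product's algorithm, the following Python sketch embodies the ideas in the list above and in the earlier paragraph on self-calibrating and self-learning analytics: per-entity and peer-group profiles that recalibrate with every event, anomaly scoring by extent of deviation with no labelled training data, and an analyst feedback loop that adjusts feature weights. The feature names, host names, sample values, warm-up rule and weight-adjustment rule are constructed assumptions.

```python
import math
from collections import defaultdict
ALPHA = 0.1   # EWMA rate: how quickly 'normal' drifts with each new transmission (assumed)
WARMUP = 5    # observations needed before a profile is trusted to score deviations (assumed)
MIN_SD = 1.0  # floor on spread so a flat history does not turn tiny changes into huge scores

class Profile:  # self-calibrating running mean/variance of one feature (entity or peer group)
    def __init__(self):
        self.n, self.mean, self.var = 0, 0.0, 0.0
    def deviation(self, x):
        """Extent of deviation of x from current 'normal', in standard-deviation units."""
        return 0.0 if self.n < WARMUP else abs(x - self.mean) / max(math.sqrt(self.var), MIN_SD)
    def update(self, x):
        d = x - self.mean if self.n else 0.0          # first observation seeds the mean
        self.mean = self.mean + ALPHA * d if self.n else x
        self.var = (1 - ALPHA) * (self.var + ALPHA * d * d)
        self.n += 1

class StreamingDetector:
    def __init__(self, features, threshold=4.0):
        self.features, self.threshold = features, threshold
        self.weights = {f: 1.0 for f in features}  # adapted by analyst feedback
        new = lambda: {f: Profile() for f in features}
        self.entity, self.peer = defaultdict(new), defaultdict(new)
    def score(self, ev):
        """Score one event against the entity's own history and its peer group, then recalibrate."""
        parts = {}
        for f in self.features:
            own, grp = self.entity[ev["entity"]][f], self.peer[ev["group"]][f]
            parts[f] = self.weights[f] * max(own.deviation(ev[f]), grp.deviation(ev[f]))
            own.update(ev[f]); grp.update(ev[f])   # every transmission recalibrates 'normal'
        return sum(parts.values()), parts
    def feedback(self, parts, confirmed):
        """Resolved alert: raise (true threat) or lower (false positive) the weight of each feature that fired."""
        for f, s in parts.items():
            if s > 0:
                self.weights[f] *= 1.2 if confirmed else 0.9

def run_demo():
    """Constructed sample stream: two hosts in one peer group, then one exfiltration-like burst."""
    det = StreamingDetector(["kb_out", "dest_count"])
    baseline = [{"entity": h, "group": "finance", "kb_out": kb, "dest_count": dc}
                for _ in range(10) for h, kb, dc in (("host-a", 100, 3), ("host-b", 120, 4))]
    baseline_scores = [det.score(ev)[0] for ev in baseline]   # all stay below det.threshold
    total, parts = det.score({"entity": "host-a", "group": "finance", "kb_out": 5000, "dest_count": 40})
    det.feedback(parts, confirmed=True)   # analyst confirms the alert; the model leans into these features
    return baseline_scores, total, det.weights
```

Because the profiles are recalibrated from the stream itself, the detector needs no tagged attack history, and the feedback step is where an analyst's resolution of an alert flows back into the deployed model.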

It’s no exaggeration to say that today, your credit card is probably better protected than your company’s network. FICO’s fraud management solutions protect 2.6 billion financial accounts worldwide with an average decision time of 10 milliseconds. These technologies have also been used successfully in the telecommunications industry to prevent fraud, guard against revenue losses, and prevent network outages by spotting unusual behaviour in billing and service delivery infrastructures.

Fraud may be committed by individuals, organized rings, and terrorist groups and occasionally by rogue states. This can be readily compared to today’s cyber attacks. Experience shows that the analytic techniques used to detect fraud can be successfully applied to recognize equally damaging and high-risk cyber threats. Applying these techniques to today’s cyber security challenges complements the current threat signature state of the art, and closes the gap in detecting emerging and evolving attack behaviour patterns.