Big-data for Security: A new strategy against hackers

The recent article, “China Hackers Hit U.S. Chamber,” in the Wednesday, December 21, 2011, online version of the Wall Street Journal highlights yet another in a growing list of cyber attacks against US companies.

According to the article, the attack apparently started with a spear phishing scheme and social engineering tactics targeting a single employee in 2009. The attack followed a typical path of spreading to other systems, hiding behind credentialed activity, creating backdoors for access, reporting back to the attacker weekly, and granting the attacker remote access to Chamber member information and business policy documentation. The bad guys even gained access to an HVAC system at a housing unit owned by the Chamber.

There are some notable takeaways from the WSJ article and an article on the same attack on :

  1. While most of the headlines around these advanced and persistent attacks have been about large companies and government agencies, small to mid-sized businesses with small IT staffs are not immune. In fact, smaller companies are often easier targets and good conduits to breach larger partner companies or government agencies. The U.S. Chamber of Commerce said that fewer than 50 of its members were affected by the attacks. Yet, when I think about the number of lobbying firms on K Street in Washington D.C., each with between 450 and 1000 employees and 3 to 10 people responsible for security, I wouldn’t be the least bit surprised if some of these lobbying firms were already infected, too, without even knowing it.
  2. In the BW article, the vice president of IT for the National Association of Manufacturers (the organization believed to be the ultimate target of the Chamber attack) talked about the types of security events his organization is equipped to watch for: “We’re taking the standard road to protect against kiddie attacks or phishing stuff from unsophisticated, random attackers.” The reality is that most organizations are only able to watch for and protect themselves against attacks they expect to see – known threats. Few organizations have effective strategies for identifying and protecting against unknown threats. The bad guys are well aware of this, and they’re using highly sophisticated techniques to exploit this blind spot.
  3. And as the Chamber’s chief operating officer cautioned in the WSJ article, “This is the new normal.” “It’s nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in.” “I expect this to continue for the foreseeable future. I expect to be surprised again.”

These articles articulate the problem very well, and make clear that the traditional approaches to fighting cyber attacks are no longer sufficient on their own. New strategies are needed to have a fighting chance in the cyber security arms race.

One weapon that organizations have, but that they may not even be aware of, is data. The volume of data generated by activities that happen behind credentialed user activities is huge. Mining that massive amount of data in real time can reveal abnormal activities and user behaviors that security professionals can use to pinpoint potential threats that traditional security and SIEM solutions are unable to detect. Security is a Big Data issue and needs a Big Data solution. Using a Big Data system with a robust analytics language, security personnel can more easily spot anomalies (potential threats) to investigate further, ‘ask questions’ of all the collected data generated by every piece of technology used by the organization, and use visualizations to better understand normal activity and unearth abnormal activity. Such a strategy is the only way to understand what you don’t know because, as these articles illustrate, what you don’t know CAN hurt you.
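As an added illustration of the kind of analytics described above (example code written for this page, not from the original post or any product), the script below runs two simple checks over a constructed outbound-connection log: it flags account/destination pairs contacted at near-constant intervals, which is how the weekly “report back” behaviour described earlier would surface in proxy or firewall records, and it lists destinations reached by only one account in the organization. All usernames, hostnames and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "timestamp user destination" record per line.
LOG = """\
2011-11-02T03:10:00 jdoe sync.update-host.example
2011-11-09T03:11:00 jdoe sync.update-host.example
2011-11-16T03:09:00 jdoe sync.update-host.example
2011-11-23T03:10:00 jdoe sync.update-host.example
2011-11-02T09:15:00 jdoe mail.example.org
2011-11-07T14:05:00 jdoe mail.example.org
2011-11-04T11:20:00 asmith mail.example.org
2011-11-08T16:45:00 asmith intranet.example.org
2011-11-10T13:00:00 bwong intranet.example.org
"""

def parse_log(text):
    """Return (datetime, user, dest) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records

def find_periodic_destinations(records, min_hits=4, max_jitter=0.05):
    """Flag (user, dest) pairs contacted at near-constant intervals.
    Returns {(user, dest): mean interval in hours}. Jitter is the standard
    deviation of the gaps divided by the mean gap; a beacon has low jitter."""
    times = defaultdict(list)
    for ts, user, dest in records:
        times[(user, dest)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg / 3600, 1)
    return flagged

def find_rare_destinations(records, max_users=1):
    """Destinations reached by at most max_users distinct accounts, mapped to
    those accounts; widely used hosts (mail, intranet) drop out of the result."""
    users = defaultdict(set)
    for _, user, dest in records:
        users[dest].add(user)
    return {d: sorted(u) for d, u in users.items() if len(u) <= max_users}
```

Run against the sample log, the weekly 03:10 contact to `sync.update-host.example` is reported as a 168-hour beacon from one account, while the shared mail and intranet hosts are not flagged by either check.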
