The complexity of the cybersecurity landscape is increasing in several directions at once. On the one hand, the volume and sensitivity of data being stored and used by firms is growing, which means IT security teams have an ever-larger body of information to secure. Meanwhile, attackers keep finding new, unanticipated ways to compromise organizations, making traditional security tools less and less effective.
With the sheer number of threats that surround us, we must move away from reactive approaches that only deal with security incidents after they happen, and move toward solutions that can predict and prevent attacks before they happen.
Hopefully, predictive analytics will help us achieve this goal. Predictive analytics is the science that is helping a wide array of industries to modernize and reinvent the way they do business. It enables us to peek into the future and obtain foresight we previously lacked.
I had the exclusive opportunity to talk with some of the experts in the field, and they shared their ideas and knowledge on how predictive analytics applies to cybersecurity.
What’s wrong with current security solutions?
Traditional security tools are crafted to deal with known threats. At their core, they work with databases of signatures or digital profiles of cyberattacks, malware, etc., which they use to discover malicious activity. This is an approach that can protect us from threats that have been previously identified. But it’s of no use against unknown threats and attacks.
And malicious actors have no problem coming up with new threats and tactics every day.
“The global business of cyberthreats has become automated to the point that it outstrips the traditional approach of security to keep pace,” says Oliver Tavakoli, CTO of Vectra Networks. “Like any highly profitable moneymaking venture, attackers have spent the last decade industrializing and automating their business.”
This is in no small part thanks to the availability of high-power cloud computing resources at very low prices. “The globalization of the attack industry has made the tools and infrastructure that the attackers need cheaply and widely available,” Tavakoli elaborates. We are now seeing trends such as Ransomware-as-a-Service and Botnets-as-a-Service, which put extremely dangerous tools at the disposal of even the less technical criminals.
“As a result of these market advantages, attackers have automated virtually all aspects of their business venture,” Tavakoli says. “They can imagine a new attack campaign and quickly bring almost endless variants of the attack to market. Arrayed against them are mostly stationary defenses which were built on the idea of inoculating organizations against previously seen attacks some number of days after the attack is first encountered in the wild.” According to Verizon, more than 50 percent of data breaches remain undiscovered for months.
Dr. Anup Ghosh, Founder and CEO of Invincea, emphasizes the role of exploit kits, one of the deadliest tools at the disposal of hackers. “These exploit kits allow threat actors to create one-and-done attacks against companies typically through a spear-phish campaign,” he says.
One-and-done means each attack is created with a unique signature unknown to security systems. “This approach breaks most traditional security systems because the products haven’t seen the attack before in order to detect it,” Ghosh explains. “In other words, it’s almost always successful. This approach is now standard in almost all attacks, no longer just the domain of APT actors, and exploit kits made this possible.”
How does predictive analytics deal with the problem?
“Predictive analytic techniques can be used in security in many ways,” says Lucas McLane (CISSP), Director of Security Technology at SparkCognition. “For example, they can provide a forecast for potential attacks based on an analysis of myriad factors which can include observed patterns, unstructured data analysis and non-local sensors.”
“Predictive analytics can provide the leading indicators of an attack so that you can get ahead of the impending damage,” Vectra’s Tavakoli says. “Predictive analytics produces a statistical likelihood of something happening based on trends observed in historical or recent data. Unlike the precogs in the movie Minority Report, predictive analytics doesn’t predict an attack before it happens. Instead, it focuses on early indicators of an attack that’s already in progress and provides a statistical likelihood of certain events occurring next. Predictive analytics can help a very agile security team shift its defenses on the parts of their infrastructure that are likely to come under attack in the very near future.”
“Analyzing huge streams of data from multiple sources can be used to find the statistically significant anomalies that may indicate a cyberthreat, and act on them,” says Amir Orad, CEO of Sisense. “Predictive analytics helps us identify these anomalies and attribute them to a potential cyberattack – which again, requires some highly advanced numbers-crunching as today’s malicious software takes many measures to hide its tracks and will trickle very small amounts of data out of your organization, while silently spreading to additional systems.”
What are the challenges in applying predictive analytics to cybersecurity?
While predictive analytics promises a lot in cybersecurity, it does come with its own caveats.
“The requirements for cyber security in the predictive analytics area are very different than what most security firms are used to,” says Ghosh from Invincea. “First you must have a serious investment in data science. The second requirement is being able to develop scalable, elastic architectures to support the volume of data needed to train sophisticated machine learning algorithms. Finally, you need high quality data in massive volumes.”
Ghosh’s thoughts are echoed by McLane, who says, “The challenges are the same, yet amplified, as those encountered when applying analytics in general. This is because predictive analytic processing requires a lot more computing resources (i.e. CPU, memory, disk I/O throughput, etc.). This is especially true when the algorithms are operating on large scale data sets. Predictive analytics engines need to be paired with computing resources that are designed to scale with the volume of data targeted for analysis.”
As Orad explains, finding cyberthreats in the reams of data companies generate is like finding a needle in a haystack. “The cyber-attack’s signal is often very weak and obstructed by a lot of organizational noise, i.e. there will only be a very slight change in patterns recognizable (such as data being transferred to an unrecognized server) – which in turn means using the wrong algorithms can easily create a lot of false positives, further complicating analysis.”
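To make Orad's two points concrete (the weak "trickle" signal and the false positives that a wrong algorithm produces), here is an added Python illustration that is not from the article or any of the quoted vendors. It runs a fixed per-transfer byte threshold and a per-host baseline over a constructed outbound-transfer log: the threshold flags a routine large backup and misses a small daily trickle to a server the host has never contacted, while the baseline flags the trickle and stays quiet on the backup. Host names, destinations and byte counts are made up.

```python
import statistics
from collections import defaultdict

def build_sample_log():
    """Constructed 8-day outbound log, one line per transfer: 'day host dest bytes'."""
    cdn = [120000, 110000, 115000, 125000, 118000, 119000, 121000, 117000]
    bak = [2_000_000_000, 2_050_000_000, 1_980_000_000, 2_020_000_000,
           2_010_000_000, 2_030_000_000, 1_990_000_000, 2_035_000_000]
    lines = []
    for day in range(1, 9):
        lines.append(f"{day} ws-7 cdn.example {cdn[day - 1]}")       # normal browsing
        lines.append(f"{day} bk-1 backup.example {bak[day - 1]}")    # legitimate nightly backup
        if day >= 6:  # low-and-slow trickle to a server absent from the baseline
            lines.append(f"{day} ws-7 unknown-host.example {40000 + 1000 * day}")
    return "\n".join(lines)

def parse(log):
    """Turn log lines into (day, host, dest, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        day, host, dest, nbytes = line.split()
        rows.append((int(day), host, dest, int(nbytes)))
    return rows

def naive_alerts(rows, limit=1_000_000_000):
    """The 'wrong algorithm': flag any single transfer over a fixed byte limit."""
    return sorted({(h, d) for _, h, d, b in rows if b > limit})

def baseline_alerts(rows, baseline_days=5, k=3.0):
    """Learn per-(host, dest) daily totals over the baseline window, then flag
    observation-window pairs that the host never contacted before, or whose
    daily total exceeds median + k * MAD of that pair's own baseline."""
    base = defaultdict(lambda: defaultdict(int))  # (host, dest) -> day -> bytes
    obs = defaultdict(lambda: defaultdict(int))
    for day, h, d, b in rows:
        (base if day <= baseline_days else obs)[(h, d)][day] += b
    alerts = []
    for (h, d), days in sorted(obs.items()):
        if (h, d) not in base:  # tiny transfers still add up to a new, unseen peer
            alerts.append((h, d, "unseen destination", sum(days.values())))
            continue
        hist = list(base[(h, d)].values())
        med = statistics.median(hist)
        mad = statistics.median(abs(x - med) for x in hist) or 1.0  # robust spread
        worst = max(days.values())
        if worst > med + k * mad:
            alerts.append((h, d, "volume anomaly", worst))
    return alerts

if __name__ == "__main__":
    rows = parse(build_sample_log())
    print("fixed threshold:", naive_alerts(rows))
    print("per-host baseline:", baseline_alerts(rows))
```

The median/MAD baseline is deliberately robust to one or two outlying days; with a mean/standard-deviation baseline a single large day would inflate the threshold and hide later anomalies.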