Cybersecurity and big data analytics are two sets of technologies that are frequently mentioned by CEOs and CIOs as top investment priorities. But what about marrying the two? Many organizations are not yet there. For example, a recent survey of government cybersecurity professionals found that 86 percent of respondents believe big data analytics could help improve cybersecurity, but only 28 percent are currently fully leveraging big data for security purposes.
Amir Orad has built his career at the intersection of cybersecurity and big data analytics. “When I started 15 years ago,” he told me in a recent phone conversation, “very binary, manual security decisions were the norm. We introduced the use of big data for security by adjusting in real-time the level of cybersecurity based on analytical decisions. It was a new approach.”
Orad co-founded Cyota and patented (with Naftali Bennet and Lior Golan) risk-based authentication, replacing static authentication (e.g., user name and password) with analytics-based risk profile used to determine whether the system needs to ask the user for additional credentials. That helped smooth the online experience for the growing number of Internet users, especially in financial services.
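The risk-based authentication idea described above, as an added illustration (not Cyota's or RSA's implementation): each login attempt is scored from contextual signals, and the score decides whether the static credentials are enough, whether the user is asked for an additional factor, or whether the attempt is refused. The signals, weights and thresholds are assumed values chosen for the example, and the profiles and login contexts are constructed.

```python
from dataclasses import dataclass


@dataclass
class UserProfile:
    """What the system already knows about the user (constructed sample data)."""
    known_devices: set
    usual_countries: set
    recent_failures: int = 0  # failed attempts in the recent past


@dataclass
class LoginContext:
    """Signals observed on the current login attempt."""
    device_id: str
    country: str
    hour_utc: int
    travel_speed_kmh: float  # implied speed from the last successful login's location


# Assumed weights and thresholds for illustration, not a published model.
STEP_UP_THRESHOLD = 30   # at or above: ask for an additional credential
DENY_THRESHOLD = 70      # at or above: refuse the attempt outright


def risk_score(profile: UserProfile, ctx: LoginContext):
    """Return (score, reasons): the analytics-based risk profile of one attempt."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")
    if ctx.travel_speed_kmh > 900:  # faster than a commercial flight
        score += 40
        reasons.append("impossible travel")
    if ctx.hour_utc < 5:
        score += 10
        reasons.append("off-hours login")
    score += min(profile.recent_failures * 5, 20)  # capped contribution
    return score, reasons


def authentication_decision(profile: UserProfile, ctx: LoginContext):
    """Map the risk score to allow / step_up / deny; the password check is assumed to have passed."""
    score, reasons = risk_score(profile, ctx)
    if score >= DENY_THRESHOLD:
        decision = "deny"
    elif score >= STEP_UP_THRESHOLD:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


if __name__ == "__main__":
    alice = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"})
    for ctx in (
        LoginContext("laptop-1", "US", 14, 0.0),       # routine login
        LoginContext("phone-9", "US", 14, 0.0),        # new device
        LoginContext("phone-9", "FR", 3, 1500.0),      # new device, far away, too fast
    ):
        print(ctx.device_id, ctx.country, authentication_decision(alice, ctx))
```

The point of the design is that the password check is no longer the whole decision: low-risk attempts pass without extra friction, and only the attempts whose context looks different from the user's history pay the cost of a second factor.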
Cyota was acquired by RSA in 2005 and in 2007, Orad joined Actimize, a startup using analytics to detect financial crime, based on its monitoring of billions of transactions at the world’s top financial institutions. After Actimize was acquired by NICE, Orad served for more than four years as CEO, growing the business over six-fold.
Earlier this year, Orad joined Sisense as CEO. With Sisense's innovative approach to big data management, utilizing CPU caching technology, a single commodity server can crunch terabytes of data and serve a large number of concurrent users. Enabling non-technical business users to easily join, analyze and visualize data sets from a multitude of sources, Sisense last year tripled subscription revenues for the fourth straight year (I wrote about Sisense here).
Before he joined the company, Orad told me, he heard about one of Sisense’s customers who was using their product “to find out what’s going on in their security environment.”
For this customer, Sisense consolidates data from a number of security solutions, and creates a map of everything that’s happening across the business. Business users and security professionals at the company can see where attacks are happening and dive into the data by source, region, risk, etc., creating a command and control environment for all their security needs. “There’s too much information,” comments Orad on the need for data aggregation, analysis, and visualization tools for cybersecurity.
Analytics is key to fighting security information overload, highlighting what’s important, and striking the right balance between automated decisions and decision-making by humans. Orad provided me with a quick guide to applying analytics in four layers of security: detection, resolution, intelligence, and command and control.
In detection, analytics separate what’s common from what’s unique, pointing out anomalies in the data. This is typically an automated process, “because by the time you involve human beings, it’s too late,” says Orad. Still, while the decision on how and whether to respond is automated, humans are involved early on by specifying rules for what’s suspicious and what’s not. Here big data management tools can also help, by crawling the data, identifying a suspicious pattern, checking it in other data sources, and creating a rule or threshold as a trigger for a response.
At the resolution layer, analytics are deployed to respond to an attack. “If link analysis shows me that this is not a single computer attacking, but a number of them, I will treat it more seriously,” says Orad. “If you apply analytics during resolution to the business risk involved and the risk is minimal, you may not do anything because you want the attackers to come in so you can watch them.” The decision as to how to react could be fully automated or just partially automated.
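The detection and resolution layers described in the two paragraphs above, as one added example (not code from Sisense, Actimize or any product Orad mentions). The detection step applies a human-specified rule, a failed-login threshold per source, to separate the common from the unique; the resolution step does the link analysis Orad describes, checking whether the flagged activity against an account comes from one machine or from several, and sets severity and the automated-versus-human response accordingly. The log lines, the threshold and the response labels are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2015-06-02T10:00:01 src=10.0.0.5 user=alice result=ok
2015-06-02T10:00:07 src=10.0.0.5 user=alice result=fail
2015-06-02T10:00:09 src=10.0.0.8 user=bob result=ok
2015-06-02T10:01:00 src=203.0.113.7 user=admin result=fail
2015-06-02T10:01:02 src=203.0.113.7 user=admin result=fail
2015-06-02T10:01:04 src=203.0.113.7 user=admin result=fail
2015-06-02T10:01:05 src=203.0.113.7 user=admin result=fail
2015-06-02T10:01:06 src=203.0.113.7 user=admin result=fail
2015-06-02T10:01:10 src=198.51.100.2 user=admin result=fail
2015-06-02T10:01:11 src=198.51.100.2 user=admin result=fail
2015-06-02T10:01:12 src=198.51.100.2 user=admin result=fail
2015-06-02T10:01:13 src=198.51.100.2 user=admin result=fail
2015-06-02T10:01:14 src=198.51.100.9 user=admin result=fail
2015-06-02T10:01:15 src=198.51.100.9 user=admin result=fail
2015-06-02T10:01:16 src=198.51.100.9 user=admin result=fail
2015-06-02T10:01:17 src=198.51.100.9 user=admin result=fail
2015-06-02T10:02:00 src=10.0.0.9 user=carol result=ok
2015-06-02T10:02:30 src=10.0.0.9 user=carol result=fail
2015-06-02T10:02:40 src=10.0.0.9 user=carol result=ok
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Detection-layer rule specified by a human analyst (assumed value): more
# than this many failed logins from one source in the window is "unique".
MAX_FAILURES_PER_SOURCE = 3


def parse_events(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_anomalous_sources(events, threshold=MAX_FAILURES_PER_SOURCE):
    """Detection layer: sources whose failure count exceeds the rule's threshold."""
    failures = Counter(e["src"] for e in events if e["result"] == "fail")
    return {src: n for src, n in failures.items() if n > threshold}


def link_analysis(events, flagged_sources):
    """Resolution layer: per targeted account, is this one machine or several?

    A single flagged source gets an automated response; several sources hitting
    the same account is treated as more serious and handed to a human.
    """
    sources_by_account = defaultdict(set)
    for e in events:
        if e["result"] == "fail" and e["src"] in flagged_sources:
            sources_by_account[e["user"]].add(e["src"])
    incidents = {}
    for account, sources in sources_by_account.items():
        distributed = len(sources) > 1
        incidents[account] = {
            "sources": sorted(sources),
            "distributed": distributed,
            "severity": "high" if distributed else "medium",
            "action": "escalate_to_analyst" if distributed else "auto_block_source",
        }
    return incidents


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = detect_anomalous_sources(evs)
    print("flagged sources:", flagged)
    for account, incident in link_analysis(evs, flagged).items():
        print(account, incident)
```

On the sample data the three external addresses exceed the threshold while the ordinary users' single typos do not, and the link analysis shows that all three are aimed at the same privileged account, which is exactly the case Orad says he would "treat more seriously": the response is escalated rather than left to the automated block.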
The third layer is cyber intelligence. “Intelligence at a granular level doesn’t tell you much,” says Orad, “you have to look at the bigger picture.” Intelligence feeds come from multiple external sources and analytics are applied to highlight what’s important, finding patterns in on-going attacks, understanding what information is bought and sold, and even pointing to a “smoking gun.” Knowing who is behind an attack to a large extent determines the nature of the response. Expert analysts who can interpret the results of the data analysis are key to successful and valuable cyber intelligence mining.
At the command and control layer, analytics are deployed to help distil cyber intelligence and report the specific on-going cyber state of the organization to the relevant business executives. “You need tools for the CIO or the CISO to report up and manage down this noise,” says Orad. Managing up includes the company’s board of directors, as security is increasingly a board-level concern.
“To have maximum security, you need to disconnect the network and turn off your computer. The trick is to balance security and convenience, operational considerations and business risks,” says Orad. “Patching your software every week on Tuesday is a balance between convenience and security.” He adds that not all companies understand the importance of getting security professionals to work closely with business executives to find the right balance between security and convenience, weighing carefully the business and technology risks involved.