This is the year government will press forward with cyber defense strategies to address the threats that made headlines in 2013 – insider threats, for instance, and the need for log data in projects such as the HealthCare.gov website – but with the added complexity of fewer resources and an ever-evolving threat landscape.
Big data does two major things for agencies countering cyber threats. First, it saves money and time. The ability to quickly find, assemble and analyze information from disparate sources to identify patterns of anomalous network or host behavior can lead to the faster detection and response to cyber threats. Big data also sets the stage for “aha moments,” when security analysts make discoveries and innovate in ways they hadn’t before. This could mean discoveries about citizen behavior on public-facing websites and applications that allow for innovation and better service or about new techniques terrorists are using to hack into secure government networks.
Agencies will increasingly rely on big data solutions to see all relevant data for security and information technology operations, and that will lead to unprecedented (and sometimes unpleasant) discoveries about their security posture. This is especially important as government faces the cyber threats of 2014, which will require innovation and creativity to protect systems and data.
Consider Employee Stress When Analyzing Big Data Patterns
Insider threats will undoubtedly be top of mind this year, and agencies will need to reexamine how data is used, categorized and accessed by employees and contractors. This means deploying big data analytics tools to analyze activity on their networks, servers and devices for potential anomalous behavior occurring within their roster of trusted insiders. For example, a simple search that uncovers a particular IP address logging into a system can oftentimes detect insider threats because it offers insight into a pattern of behavior of who is using a specific login to access many different types of information. Analytics tools can decipher if an IP address doesn’t match up with the IP address associated with the cleared individual who has access to those data sets.
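The two checks described above (a login from an address that does not match the one registered for the cleared individual, and one account reaching into many different data sets) can be expressed as a short script over authentication events. The following is an added example written for this page, not code from the article or from Splunk; the log format, the account-to-network roster and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample authentication events (not real data); one event per line.
SAMPLE_AUTH_LOG = """\
2014-01-15T08:02:11 user=jdoe src_ip=10.1.5.23 resource=hr_records action=login
2014-01-15T08:05:40 user=jdoe src_ip=10.1.5.23 resource=hr_records action=read
2014-01-15T09:11:02 user=asmith src_ip=10.2.7.8 resource=finance_db action=login
2014-01-15T12:47:19 user=jdoe src_ip=203.0.113.77 resource=hr_records action=login
2014-01-15T12:49:03 user=jdoe src_ip=203.0.113.77 resource=finance_db action=read
2014-01-15T12:50:55 user=jdoe src_ip=203.0.113.77 resource=contracts action=read
2014-01-15T12:52:10 user=jdoe src_ip=203.0.113.77 resource=source_repo action=read
2014-01-15T13:01:00 user=asmith src_ip=10.2.7.8 resource=finance_db action=read
"""

# Hypothetical roster: the network each cleared account is expected to log in from.
# This stands in for the "IP address associated with the cleared individual".
EXPECTED_NETWORKS = {
    "jdoe": ipaddress.ip_network("10.1.5.0/24"),
    "asmith": ipaddress.ip_network("10.2.7.0/24"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+)$"
)


def parse_auth_log(text):
    """Turn the key=value log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_ip_mismatches(events, expected=EXPECTED_NETWORKS):
    """Logins whose source IP is outside the network registered for that account.

    An account with no registered network is also reported, since the
    association needed to validate the login is missing.
    """
    findings = []
    for ev in events:
        if ev["action"] != "login":
            continue
        net = expected.get(ev["user"])
        if net is None or ipaddress.ip_address(ev["ip"]) not in net:
            findings.append((ev["ts"], ev["user"], ev["ip"]))
    return findings


def find_broad_access(events, max_resources=2):
    """Accounts that touch more distinct data sets than the threshold allows."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(ev["resource"])
    return {user: sorted(res) for user, res in seen.items() if len(res) > max_resources}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("logins from unexpected networks:", find_ip_mismatches(evs))
    print("accounts reaching many data sets:", find_broad_access(evs))
```

Run on the constructed sample, the second `jdoe` login (from an address outside the roster's network) is flagged, and the same account is reported for touching four distinct data sets in one afternoon; either finding alone is weak, but both on one account in the same window is the kind of pattern the passage describes.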
In addition to monitoring, analyzing and correlating IT data, agencies need to consider the psychological factors involved in the case of insider threats. For example, if an employee or contractor has three new residential addresses or three new phone numbers in a very short period of time, this can signal a particularly stressful period. Other potentially relevant emotional triggers or indicators include a recent change in marital status or a dramatic change in types of Internet sites visited as viewed in proxy data. Big data analytics should be used to look across data sets in context to gain a better understanding of employee stresses, how these can affect behavior and how those behaviors can manifest themselves as risks to the organization.
Coupling pattern analysis of network, data and system access through the lens of data representing potential psychological changes is absolutely necessary to understand insider threats.
Kill-Chain: Big Data and the Six Steps to Mark a Threat
Kill-chain will be among the biggest buzzwords in 2014. As defined by the MITRE Corporation, kill-chain analysis is a series of steps that mark the typical process of a cyber threat: reconnaissance, weaponization, delivery, exploitation, command and control, execution and maintenance. Agencies will begin to rely on kill-chain analysis to break down and analyze events and to understand how best to halt attacks that are already in motion.
Kill-chain analysis provides a deeper dive into each phase and shows how to stop attackers at any particular phase of the attack itself. This requires a big data approach because agencies need to know as much as possible about their IT environments. This is made possible by analyzing credentialed activity data from multiple sources and establishing, through statistical analysis and baselining, which amounts and types of activity are normal and which are not, so that large file transfers out of the network, insider activity and similar events stand out. Kill-chain analysis will become a popular methodology for threat analysis in government as threats become more sophisticated and difficult to stop in real time.
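The baselining step above is concrete enough to show in code: learn what volume of outbound transfer is normal for each host, then score new transfers against that baseline so an unusually large one (the "large file transfer out of the network" the passage mentions) stands out. This is an added example for this page, not the article's or any vendor's code; the transfer records, the per-host mean-plus-three-standard-deviations rule and the host names are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed outbound transfer records (src_host, dst_ip, bytes); not real traffic.
# These represent the historical window used to learn what is normal per host.
BASELINE_TRANSFERS = [
    ("ws-01", "198.51.100.10", 120_000), ("ws-01", "198.51.100.10", 135_000),
    ("ws-01", "198.51.100.12", 98_000),  ("ws-01", "198.51.100.10", 150_000),
    ("ws-01", "198.51.100.12", 110_000), ("ws-01", "198.51.100.10", 127_000),
    ("fs-02", "198.51.100.20", 2_000_000), ("fs-02", "198.51.100.20", 2_400_000),
    ("fs-02", "198.51.100.21", 1_900_000), ("fs-02", "198.51.100.20", 2_200_000),
    ("fs-02", "198.51.100.21", 2_100_000), ("fs-02", "198.51.100.20", 2_300_000),
]

# Constructed transfers from the period being analyzed.
NEW_TRANSFERS = [
    ("ws-01", "198.51.100.10", 140_000),   # ordinary for this workstation
    ("ws-01", "203.0.113.5", 4_500_000),   # far above this workstation's norm
    ("fs-02", "198.51.100.20", 2_250_000), # ordinary for a file server
    ("db-03", "198.51.100.30", 50_000),    # host with no baseline at all
]


def build_baseline(transfers):
    """Per-host (mean, sample stdev) of transfer size; hosts with one sample are skipped."""
    per_host = defaultdict(list)
    for host, _dst, nbytes in transfers:
        per_host[host].append(nbytes)
    baseline = {}
    for host, sizes in per_host.items():
        if len(sizes) >= 2:
            baseline[host] = (statistics.mean(sizes), statistics.stdev(sizes))
    return baseline


def score_transfers(transfers, baseline, z_threshold=3.0):
    """Flag transfers more than z_threshold standard deviations above the host's mean.

    A host that has no baseline is reported too: "normal" is unknown for it,
    which is itself something an analyst needs to know.
    """
    findings = []
    for host, dst, nbytes in transfers:
        if host not in baseline:
            findings.append((host, dst, nbytes, "no-baseline"))
            continue
        mean, sd = baseline[host]
        if sd == 0:
            z = 0.0 if nbytes == mean else float("inf")
        else:
            z = (nbytes - mean) / sd
        if z > z_threshold:
            findings.append((host, dst, nbytes, f"z={z:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in score_transfers(NEW_TRANSFERS, build_baseline(BASELINE_TRANSFERS)):
        print(finding)
```

The point of scoring per host rather than against one global threshold is visible in the sample: a 2.25 MB transfer is routine for the file server and is not reported, while a 4.5 MB transfer from a workstation whose history is around 120 KB is. In practice the baseline would be rebuilt on a rolling window and the destination would be enriched (internal vs. external, first-seen) before the finding is raised.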
The Importance of Log Data
Complications surrounding the rollout of HealthCare.gov have left little doubt that government IT procurement reform will be a 2014 priority and that the purchase of big data log analysis tools to help discover security and operational errors prior to an application’s launch will become mandatory.
Log data is going to become front and center as procurement reform moves forward because this is where IT administrators can uncover errors and understand activity at the application level. Agencies will increasingly look to big data solutions to gather all their log data in a single place, index those logs and then look at transactions in the data across the architecture stack.
Government can look to the private sector for log data lessons. Etsy, for example, is an e-commerce site that currently has more than 30 million users. Etsy uses big data analytics tools to search for and identify anomalous patterns in access logs and error logs, such as cross-site scripting attempts and rising failed log-in rates, to help guarantee uptime and full security of the site.
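Both of the access-log patterns named above can be pulled out of ordinary web server logs once they are indexed in one place: failed log-ins counted per source address per time window, and requests whose URL-decoded path carries a script-injection marker. The block below is an added example written for this page; it is not Etsy's or the article author's code, and the log lines, the five-minute window, the threshold and the marker list are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [15/Jan/2014:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2014:10:00:07 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2014:10:00:15 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2014:10:00:22 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2014:10:00:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2014:10:00:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jan/2014:10:01:02 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Jan/2014:10:01:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2014:10:02:11 +0000] "GET /search?q=winter+boots HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line up to and including the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Fragments that, after URL decoding, are typical of reflected-XSS probes.
# A constructed, deliberately short list; production rules would be broader.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def parse_access_log(text):
    """Parse combined-format lines; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def failed_login_spikes(events, window_sec=300, threshold=5):
    """Source IPs with more than `threshold` 401s on /login inside one window."""
    counts = Counter()
    for ev in events:
        if ev["path"] == "/login" and ev["status"] == 401:
            bucket = int(ev["ts"].timestamp()) // window_sec
            counts[(ev["ip"], bucket)] += 1
    return sorted((ip, n) for (ip, _bucket), n in counts.items() if n > threshold)


def xss_probes(events):
    """Requests whose decoded path contains a known script-injection marker."""
    hits = []
    for ev in events:
        decoded = unquote(ev["path"])
        if any(marker in decoded.lower() for marker in XSS_MARKERS):
            hits.append((ev["ip"], decoded))
    return hits


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("failed-login spikes:", failed_login_spikes(evs))
    print("XSS probes:", xss_probes(evs))
```

Decoding the path before matching matters: the probe in the sample is percent-encoded in the raw log and would slip past a search for the literal `<script`. The failed-login count is keyed by address and window so that a legitimate user who mistypes a password twice is not reported, while a burst of six rejections in under a minute is.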
Big Data Remains Top of Mind
No matter how you slice it, big data is the common theme in what is needed to help agencies adapt to the evolving threat landscape. This is the year official policies will clearly define the right methodologies, strategies and tools and techniques agencies should use to protect their sensitive data. The private and public sectors will continue to work together toward the common goal of national security, and the innovations derived from these partnerships will be what drive government’s response to attacks on the cyber front. Big data will be the key to understanding all of the risks agencies face.
Mark Seward is senior director of security and compliance at Splunk.