Cybersecurity: Locks are fine, alarms better

Keeping intruders out has never been an easy task, and it's only getting harder. Big data offers an alternative approach.

Big data is all around us. It's helping fast-food chains and retailers keep customers happy, and it's integral to the now very-public surveillance efforts employed by the intelligence community.

But for federal agencies, one of the most attractive uses of big data and the accompanying analytics it allows for may be in the realm of cyber defense.

While the cybersecurity measures most federal agencies employ continue to improve, statistics show an increasing prevalence of large-scale data breaches in the private sector that almost certainly translates to their government counterparts.

According to Bobby Caudill, global government program director for Teradata, new data suggests that if sophisticated outsiders – including a growing contingent of well-funded nation-state affiliated actors – want specific data, they will find a way to gain access to a system.

Instead of investing loads of money building better locks for protection, Caudill encouraged agencies to develop better alarms that use available data to determine when outsiders have gotten in.

"Big data analytics' capabilities have constantly improved and gotten more effective," said Caudill, speaking at an FCW cyber-security briefing Sept. 12 in Washington, D.C.

"We've got to look for ways to use data and analytics to recognize these things faster," Caudill said. "The threat landscape is larger. It's more lucrative now than it's ever been."

Caudill cited the banking and credit card industries as innovators in using analytics for improved fraud detection, and said the same analytics can help agencies detect threats and network intruders in near real-time.

The real-time aspect is huge, he said, because most companies and federal agencies aren't aware of data breaches until months after they occur.

According to Verizon's 2013 Data Breach Investigations Report (DBIR), which contains information on upwards of 47,000 cyber-security incidents and 621 confirmed data breaches reported by 19 worldwide partners over the past year, 66 percent of organizations "took months or more to discover" breaches.

Interestingly, the DBIR suggests that 70 percent of such breaches are discovered by external parties, not by the compromised organization. The most common breaches involve malware (40 percent), hacking (52 percent) or the exploitation of weak or stolen credentials (76 percent) according to the DBIR, and about 20 percent of all data breaches were perpetrated by state-affiliated actors such as China.

Imagine what kind of information an intruder could access with months to acclimate to a system, Caudill said.

Corporate attacks are most often driven by financial motives, according to the DBIR, and intruders with months to operate could steal trade secrets, proprietary information and employee or customer data. The stakes can be at least as high in a federal environment. Tax data, Social Security numbers, classified and top secret information are all stored in massive quantities within federal networks.

Caudill, citing a Ponemon Institute study, said the problem is scarier for federal agencies because one-third aren't even planning on using big data analytics.

But Caudill said big data analytics has progressed sufficiently as a technology to search for anomalies in network data. Just as banks use analytics to analyze customer transactions and alert customers when iffy behavior occurs, federal agencies can monitor the behavior of users and traffic within their environments.
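As an added illustration of the user-and-traffic baselining described above (example code written for this page, not from the briefing or from any Teradata product), the following learns each user's normal daily outbound volume and destinations, then raises an alarm when a day's traffic breaks that pattern. The users, hosts and byte counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (user, day, destination, bytes_out); not real traffic.
# Days 1-5 are the learning window; day 6 is the day under review.
FLOWS = [
    ("alice", 1, "mail.example.gov", 120_000), ("alice", 2, "mail.example.gov", 135_000),
    ("alice", 3, "files.example.gov", 110_000), ("alice", 4, "mail.example.gov", 128_000),
    ("alice", 5, "files.example.gov", 117_000),
    ("bob", 1, "files.example.gov", 900_000), ("bob", 2, "files.example.gov", 850_000),
    ("bob", 3, "files.example.gov", 950_000), ("bob", 4, "files.example.gov", 880_000),
    ("bob", 5, "files.example.gov", 910_000),
    # Day 6: alice sends ~40x her usual volume to a never-seen host; bob looks like himself.
    ("alice", 6, "mail.example.gov", 115_000), ("alice", 6, "203.0.113.7", 5_000_000),
    ("bob", 6, "files.example.gov", 890_000),
]

def build_baselines(flows, learn_days):
    """Per user: (mean, stdev) of daily bytes out and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for user, day, dest, nbytes in flows:
        if day in learn_days:
            daily[user][day] += nbytes
            dests[user].add(dest)
    baselines = {}
    for user, per_day in daily.items():
        vals = list(per_day.values())
        baselines[user] = (mean(vals), pstdev(vals), dests[user])
    return baselines

def review_day(flows, baselines, day, z_threshold=3.0):
    """Alerts for one day: outbound volume far above baseline, or a first-seen destination."""
    totals, new_dests = defaultdict(int), defaultdict(set)
    for user, d, dest, nbytes in flows:
        if d == day:
            totals[user] += nbytes
            if user in baselines and dest not in baselines[user][2]:
                new_dests[user].add(dest)
    alerts = []
    for user, total in totals.items():
        if user not in baselines:          # never seen in the learning window
            alerts.append((user, "no baseline for user"))
            continue
        mu, sigma, _ = baselines[user]
        z = (total - mu) / sigma if sigma else (0.0 if total == mu else float("inf"))
        if z > z_threshold:
            alerts.append((user, f"outbound volume {total} is {z:.0f} sigma above baseline"))
        for dest in sorted(new_dests[user]):
            alerts.append((user, f"first-seen destination {dest}"))
    return alerts
```

Running `review_day(FLOWS, build_baselines(FLOWS, range(1, 6)), 6)` flags alice twice (volume and new destination) and bob not at all; the same review of a learning-window day returns no alerts.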

Caudill stressed that any system of situational awareness requires four key aspects: people, process, technology and data.

"If you leave out any of those things, you have a three-legged dog," Caudill said. "Now a three-legged dog can do some things, but…"

Steven Chabinsky, senior vice president of legal affairs and chief risk officer of Crowdstrike, said yesteryear's failed approaches to cybersecurity highlight the importance of analytics within network systems.

The world is dealing with more potent, tenacious adversaries than ever before, Chabinsky said, and the government isn't doing much in the way of stopping them.

Short of spending more money on identifying specific adversaries and targeting them with offensive cyber initiatives – something Chabinsky said the private sector would welcome – agencies should invest in better threat detection because the threats aren't going to stop.

Analytics represents the best current approach to identifying threats when they break through security, and the faster those threats are discovered and isolated, the less data they're likely to export and the less harm they're likely to inflict.

"We as a nation and security community have been following a failed approach to security," Chabinsky said. "It should not surprise anybody that we are failing miserably."
