CyberSecurity Analytics to Combat Cyber Crimes
IEEE ICCIC 2018 Keynote Address
Professor Krishnan Nallaperumal
Centre for Information Technology and Engineering
Dean of Science, Manonmaniam Sundaranar University
Tirunelveli, Tamilnadu, India

Abstract—Traditional cyber security operates on the premise of deploying crime-prevention technologies at the network perimeter as the dominant methodology, with crime event management taking a back seat. The contemporary heterogeneous business world demands network access for business partners via extranet, cloud services, home-working and the like, which turns SIEM (Security Information and Event Management) into a complex and complicated task that demands large-scale deployment of analytics tools to combat cyber crimes.

Keywords—CyberSecurity; securityAnalytics; cyber crimes;
I. INTRODUCTION

Investigations of non-cyber crimes handled by police personnel operate on the hypothesis that criminals will always unknowingly leave some threads of crime trace at the crime site. Such traces give the first information on the nature of the crime to be investigated. In the rarest of cases the crime investigators are left clueless by intelligent criminals; such cases are closed with the tag "NOT TRACEABLE". In contrast, cyber crimes are fully traceable, since they happen in electronic media that register every event. However, millions of cyber crimes go untraced and, still worse, many are not even noticed. Most of the cyber crimes reported are economic crimes; victims are unaware of the ramifications of other types of cybercrime. The root cause of all such problems is the unmanageable volume of data combined with the ignorance of cyber citizens. We can effectively handle cyber crimes only with the help of AI-empowered Security Analytics.

II. CONTOURS OF CYBER CRIMES
A. Why Are Cyber Crimes Exponentially Higher than Physical Crimes?
Animals thrive on the premise of 'survival of the fittest'. The social animal, the so-called 'wisdom-empowered mankind', is protected by multi-layered social structures such as family, country, ethics, and civil and criminal laws, which prevent it from indulging in physical criminal activities that would affect its social status and livelihood. Cyber space provides a perceived invisibility that emboldens these otherwise cultured social animals to indulge in all sorts of criminal activities in the cyber space. Further, the fact that society at large does not perceive cyber crimes as heinous crimes on a par with non-cyber crimes is also a catalyst for cyber crime.

B. Types of Cyber Crimes
Cyber bullying and harassment, conditioning social media for electoral gains, damaging trade brands or promoting unworthy products, financial extortion, ransomware, Internet bomb threats, classified global security data theft, password trafficking, enterprise trade secret theft, personal data hacking, copyright violations such as software piracy, counterfeit trademarks, illegal weapon trafficking, online child pornography, credit card theft and fraud, email phishing, domain name hijacking and virus spreading are some of the cyber crimes listed. The real tragedy of many cyber crimes is that many victims are unaware of being victims at all.

978-1-5386-1507-2/18/$31.00 ©2018 IEEE

III. DAWN OF SECURITY ANALYTICS
CyberMedia players of all categories owe their stakeholders access to appropriate technical solutions whenever cyber attacks are unleashed on those stakeholders. Such technical solutions are essential to combat cyber crimes.

A. Data Thefts Precede Cyber Crimes
News reports of businesses being compromised by cyber threats are on an unprecedented scale never seen before. Any cyber attack that succeeds in stealing customer data or intellectual property will consequently be used in, or assist, the fraudulent activities of cyber crimes. Such data theft incidents lead to loss of customers' faith in the organization, and in turn to loss of business and of the organization's reputation. This can be averted by putting in place adequate measures and preparedness to handle any intentional or unintentional breach of data that could lead to cyber crimes.

B. Lethargic Attitudes
Unfortunately, only 25% of organizations are prepared to handle cyber incidents, in terms of predicting precisely the impact of such incidents and being able to detect them immediately after they happen, say within 12 hours of the event. The phenomenal rise in such cyber security breaches and their adverse impact on business are only now being acknowledged by board-level executives (as per a research report of the Economist Intelligence Unit, funded by Arbor Networks).

C. Everyone Should Be Concerned
Concern for security, risk and compliance should trickle down from board level to the last worker at field level, so that everyone in the organization becomes fit to handle cyber security incidents. Board-level executives should budget for handling plans and training, including mock drills for handling cyber security breaches, which are crucial in enabling the organization to respond to and handle cyber incidents.

2018 IEEE International Conference on Computational Intelligence and Computing Research

D. Complexity of Modern Networks
Modern networking, which includes the penetration of laptops and palmtops, granting access to business partners via extranet, cloud services, and a home-working workforce, has collectively made the task of securing the data within an organization a nightmare. As hackers employ sophisticated tools and techniques to crack even the most secured networks, a 24x7 cyber security watch and ward with more ammunition is now a necessity. CyberSecurity Analytics tools come in handy to provide solutions for incident-handling teams to combat cyber crimes.

E. Limitations of Conventional Cyber Security Architectures
Conventional cyber security architectures have focused on preventing threats from entering the network by designing layered solutions at the perimeter of an organization's network. The problem with such architectures is that they provide very minimal threat detection capabilities for handling a threat that has already penetrated the security perimeter (using phishing and watering-hole style attacks on a weak password, for instance).

F. Role of Security Analytics
Security Analytics helps immensely to detect and analyze, very quickly, threats that are already inside the network of an organization. Security Analytics provides tools that perform the functions of specialist cyber security services, with graphical displays of rows and columns that make it easier for the security specialist to spot trends and suspicious activities running over longer time frames.

G. Security Analytics Tools Minimize the Time to Identify, Investigate and Resolve a Problem
Security Analytics solutions provide efficient tools to incident-handling teams, allowing an inner view of network traffic and user activities spread over several days, weeks and even months. The security team can navigate through all this information in real time. Security Analytics solutions drastically reduce the time taken to identify a problem, investigate it and resolve it, thereby minimizing the adverse impact on the business and reducing the risk that attackers will make off with customer data or business intellectual property.

H. Birth of CyberSecurity Analytics
For a long time Security Analytics was never considered a primary weapon to fight cybercrime in the eyes of cyber security professionals. When intrusions cannot be prevented entirely, and we witness many intrusions happening in reality, we need to include Security Analytics in the cyber security professionals' team. We need to remember that with every successful intrusion, the attacker creates a network event trail that provides a fingerprint of the intruder, marking the steps he is taking in the network to pursue his criminal activity.
IV. ANALYTICS MECHANISMS FOR FIXING CYBER CRIMES
The data generated by the attacker's actions is the track mark of cybercrime, and this is why security analytics is evolving into an indispensable weapon for the CyberSecurity team. We possess the data to investigate and should deploy analytics to fight cybercrime. There are multiple analytics tools available today that can gather and monitor the available cyber crime data to perform faster cybercrime detection. The goal for the CyberSecurity team is to figure out how to make that data work for them. With larger volumes of data, you need analytics to organize, contextualize and ultimately find the hidden meaning. For instance, consider the simple log file that documents a system's events. This log data is a good source for tracking down a cyber crime after it has happened. Any breach located in a certain area of the log data gives an excellent clue to the point of intrusion. The information derived from such log file data is crucial for two reasons. First, as contemporary networks consist of staff, business partners and customers accessing data from outside the network's firewall perimeter, log data from the many such outer connections is of primary importance. Second, the fact that people use multiple gadgets and systems to access the network, leading to an exponential increase in the volume of log data, makes the case for security analytics very strong. This is cited by Mr. David Shackleford, a SANS analyst, in a report as a fit case for using cyber analytics to predict future attacks and breaches and so overcome the limitations of traditional detection tools. Mr. Shackleford's report [1] analyzes and evaluates contemporary cyber attack detection technologies and tools, ranging from simple logging and network device event tools to SIEM (Security Information and Event Management) and file integrity monitoring tools. He observed that these very important network defense tools also find it difficult to fight modern cybercrimes in view of the voluminous data they generate. When cyber security teams employ several event detection controls in their response processes, the chances of missing crucial events and indicators of compromise are many. Combining CyberSecurity with Analytics enables better network visibility. There are three areas in CyberSecurity demanding the application of analytics to convert voluminous security data into precise, vital security information.

A. Establish Business Context behind the Behaviour
Since we deal with massive network data containing a lot of complex data, our first area of importance is to "establish business context behind the behaviour". For instance, information on how a specific computer system acts with reference to the other computers in the network provides a vital clue for evaluating whether its behaviour is normal.
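The following is an added example, not code from the keynote or from any product it names, of what "business context behind the behaviour" looks like when applied to log data: each host is judged against the peers that share its role rather than in isolation. The log format, the hostnames, the role-from-hostname convention and the 3x threshold are all constructed assumptions for this illustration.

```python
"""Added example (not from the keynote): peer-group baseline over constructed
connection logs.  A host's behaviour is compared with the other hosts that
share its business role, which is the 'business context' of Section IV.A.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed connection-log lines (not from any real system).  The role is
# encoded in the hostname prefix: ws-fin = finance workstation, ws-hr = HR
# workstation, srv-db = database server.  ws-fin-04 fans out to many hosts.
SAMPLE_LOG = """\
2018-12-03T09:01:12Z src=ws-fin-01 dst=10.0.0.5 port=443
2018-12-03T09:02:40Z src=ws-fin-01 dst=10.0.0.7 port=445
2018-12-03T09:03:11Z src=ws-fin-02 dst=10.0.0.5 port=443
2018-12-03T09:04:02Z src=ws-fin-02 dst=10.0.0.7 port=445
2018-12-03T09:05:19Z src=ws-fin-03 dst=10.0.0.5 port=443
2018-12-03T09:06:44Z src=ws-fin-03 dst=10.0.0.7 port=445
2018-12-03T09:07:01Z src=ws-fin-04 dst=10.0.0.5 port=443
2018-12-03T09:07:05Z src=ws-fin-04 dst=10.0.0.7 port=445
2018-12-03T09:07:09Z src=ws-fin-04 dst=10.0.0.11 port=445
2018-12-03T09:07:12Z src=ws-fin-04 dst=10.0.0.12 port=445
2018-12-03T09:07:15Z src=ws-fin-04 dst=10.0.0.13 port=445
2018-12-03T09:07:18Z src=ws-fin-04 dst=10.0.0.14 port=445
2018-12-03T09:07:21Z src=ws-fin-04 dst=10.0.0.15 port=445
2018-12-03T09:07:24Z src=ws-fin-04 dst=10.0.0.16 port=445
2018-12-03T09:07:27Z src=ws-fin-04 dst=10.0.0.17 port=445
2018-12-03T09:10:00Z src=ws-hr-01 dst=10.0.0.5 port=443
2018-12-03T09:11:00Z src=ws-hr-02 dst=10.0.0.5 port=443
2018-12-03T09:12:00Z src=srv-db-01 dst=10.0.0.9 port=5432
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$")


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], m["dst"], int(m["port"])))
    return events


def role_of(host):
    """Business context: peer group derived from the hostname prefix (assumed convention)."""
    return host.rsplit("-", 1)[0]


def distinct_destinations(events):
    """Map each source host to the set of distinct destinations it contacted."""
    dsts = defaultdict(set)
    for _ts, src, dst, _port in events:
        dsts[src].add(dst)
    return dsts


def peer_outliers(events, ratio=3.0):
    """Flag hosts whose distinct-destination count exceeds `ratio` times the
    median of their peers (same role).  A host with no peers gets None, since
    there is no business context to compare it against."""
    dsts = distinct_destinations(events)
    by_role = defaultdict(list)
    for host in dsts:
        by_role[role_of(host)].append(host)
    verdicts = {}
    for host, targets in dsts.items():
        peers = [h for h in by_role[role_of(host)] if h != host]
        if not peers:
            verdicts[host] = None  # no peers: no verdict
            continue
        peer_median = median(len(dsts[h]) for h in peers)
        verdicts[host] = len(targets) > ratio * peer_median
    return verdicts


if __name__ == "__main__":
    for host, flagged in sorted(peer_outliers(parse_log(SAMPLE_LOG)).items()):
        label = "OUTLIER" if flagged else ("no peers" if flagged is None else "normal")
        print(f"{host:10s} {label}")
```

Run as a script it lists every host with its verdict; ws-fin-04 is the only outlier because its nine distinct destinations are far above the two that its finance peers contact, while the lone database server gets no verdict at all. That last case is the point of the peer-group design: without comparable hosts there is no baseline, and a detector that pretended otherwise would be guessing.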
B. Enabling the Discovery of Meaningful Patterns and Connections
The specialty of 'Security Analytics' is that it does the bulk of the work intelligently for the cyber security team, which then does not have to scan through the data continually looking for 'security breach events' that raise issues requiring further investigation. The machine intelligence of 'Security Analytics' finds patterns and connections by going deeper into the data than would otherwise be possible.

C. Integrating Security Analytics with the Incident Response Program
We need to ensure that the answers obtained from Security Analytics are visible and available to the incident response team; for this, we need to integrate Security Analytics into the incident response program.

D. Predictive Security Analytics
Predictive Analytics is all about what can be done before an attack takes place. It deals with the list of DOs if there is a possibility of an attack, and with predicting an attack. Predictive Security Analytics helps security experts determine the possibility of an attack and helps set up defense mechanisms even before hackers try to attack.

Go beyond signatures: tracking the trail or signature of the attacker is one way to help detect the next crime more quickly, but it does not help in preventing the first crime. With the help of cyber analytics, experts can monitor activity across multiple networks and data streams through anomaly detection techniques and self-learning analytics, involving Predictive Analytics and Machine Learning. This actually helps identify threats as they occur, and this concept goes beyond signature tracking technology. Cyber Security Analytics also helps quickly detect anomalies in data streams and network traffic and minimizes false positive alerts.

The components of elementary Security Analytics are Behaviour Analytics, Data Analysis, Forensics Analysis and Threat Intelligence.

E. Behaviour Analytics
Behaviour Analytics deploys Behaviour Analyzer (BA) tools, also known as Breach Detection or Kill-Chain Analyzers. BA is a class of technologies that analyzes behavior for Indicators of Compromise (IoC). Examples of some classes of BA products:
• Network (breach detection)
• Host (APT, advanced endpoint)
• User identity
• Cloud
• Dark-Web Intelligence
BA uses threat intelligence to be more accurate. BA is not Data Loss Prevention (DLP), and DLP is not BA, but they are close.

BA: Network-Based and Full-Packet Capture Behaviour Analyzers are technologies that are on the lookout for bad stuff and sniff packets in the data. Some competing technologies available today that enable these capabilities are listed below:
• Sandboxing: trap files and pull them apart
• Network behavior: track activity on the network
• Packet capture: retain full packet capture
These technologies are hardware- and processor-intensive products that are greatly beneficial in IR and forensics.

BA: Host-Based Behavior Analyzers are a very busy area for competing technologies. Some of them are listed here with their specific capabilities:
• Sandboxing: traps files and pulls them apart;
• System behavior: tracks system calls and watches for series of suspicious calls in the system;
• Application whitelisting: allows only trusted applications to run;
• Statistical analysis: performs probability analysis of files being malware and reports the same;
• Memory / kernel monitoring: a watchdog for the core OS;
• Classic endpoint: AV, IPS, application control and USB control capable tools;
• Data Loss Prevention: monitors for sensitive content;
• Endpoint activity: full screen capture of user behavior.

BA: Identity-Based Behavior Analyzers perform identity-based behaviour analysis, armed with the capability of
• tracking user logins and actions across networks and applications;
• creating a baseline of user behavior and spotting anomalies.
Identity-based Behaviour Analyzers require endpoint or directory services integration, and have benefits for internal operations as well. It is to be noted that cloud-based access brokers are only a form of identity-based Behaviour Analyzer, and they can connect with other IdM technologies.

BA: Cloud-Based Behavior Analyzers. Behavioral analytics is a combination of machine learning, artificial intelligence, big data and analytics technologies that identifies malicious, stealthy behavior by analyzing subtle differences in normal, everyday activities, in order to proactively stop cyber attacks before the attackers have the ability to fully execute their destructive plans. A cloud-based behavior analysis system detects zero-day malware instantly. Cloud-based here means analytics in the cloud versus analytics of the cloud, and there is a messy myriad of technologies in this space:
• Cloud access and security brokers
• Cloud web gateway products
• Hybrid analytics platforms
• SIEM-as-a-Service
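The following is an added example, not code from the keynote or from any product it names, of the two identity-based capabilities just listed (a per-user baseline of source hosts and working hours, then anomaly spotting against it) alongside a plain signature check, which makes concrete the earlier point about going beyond signatures: one of the two suspicious logins below matches no indicator at all and is caught only by the baseline. The log format, users, addresses, the indicator list and the one-hour slack are constructed assumptions.

```python
"""Added example (not from the keynote): an identity-based behaviour analyzer
in miniature.  It learns a per-user baseline from a training window of login
events, scores new events against it, and also checks a signature (IoC) list.
Everything here is constructed for illustration.
"""
import re
from datetime import datetime

# Constructed training window: a few days of ordinary, successful logins.
BASELINE_LOG = """\
2018-11-26T08:55:10 user=alice src=10.1.1.20 outcome=success
2018-11-26T17:40:02 user=alice src=10.1.1.20 outcome=success
2018-11-27T09:05:33 user=alice src=10.1.1.21 outcome=success
2018-11-28T08:58:00 user=alice src=10.1.1.20 outcome=success
2018-11-26T07:30:00 user=bob src=10.1.2.40 outcome=success
2018-11-27T07:45:00 user=bob src=10.1.2.40 outcome=success
2018-11-28T18:10:00 user=bob src=10.1.2.41 outcome=success
"""

# Constructed detection window: one login from an unseen host at 03:00 and one
# from an address that happens to be on the signature list.
NEW_LOG = """\
2018-12-03T09:00:00 user=alice src=10.1.1.20 outcome=success
2018-12-03T03:02:17 user=alice src=10.9.9.9 outcome=success
2018-12-03T07:35:00 user=bob src=10.1.2.40 outcome=success
2018-12-03T12:00:00 user=bob src=198.51.100.77 outcome=success
"""

# Constructed signature list (IoCs): only this one address is "known bad".
KNOWN_BAD_SRC = {"198.51.100.77"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) outcome=(?P<outcome>\S+)$")


def parse_logins(text):
    """Parse constructed login lines into (datetime, user, src, outcome) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["outcome"]))
    return events


def build_baseline(events):
    """Per user: the set of source hosts seen and the earliest/latest login hour."""
    baseline = {}
    for ts, user, src, outcome in events:
        if outcome != "success":
            continue  # failed attempts say nothing about the user's normal habits
        entry = baseline.setdefault(user, {"hosts": set(), "hour_min": 23, "hour_max": 0})
        entry["hosts"].add(src)
        entry["hour_min"] = min(entry["hour_min"], ts.hour)
        entry["hour_max"] = max(entry["hour_max"], ts.hour)
    return baseline


def score_event(event, baseline, slack_hours=1):
    """Return the reasons an event is suspicious (empty list = looks normal).
    'ioc' is a signature hit; every other reason comes from the baseline."""
    ts, user, src, _outcome = event
    reasons = []
    if src in KNOWN_BAD_SRC:
        reasons.append("ioc")
    profile = baseline.get(user)
    if profile is None:
        reasons.append("unknown_user")  # no baseline at all: a new identity
        return reasons
    if src not in profile["hosts"]:
        reasons.append("new_source")
    if not (profile["hour_min"] - slack_hours <= ts.hour <= profile["hour_max"] + slack_hours):
        reasons.append("off_hours")
    return reasons


def analyze(baseline_text, new_text):
    """Score every event in the detection window; returns {(user, src): reasons}."""
    baseline = build_baseline(parse_logins(baseline_text))
    return {(e[1], e[2]): score_event(e, baseline) for e in parse_logins(new_text)}


if __name__ == "__main__":
    for (user, src), reasons in analyze(BASELINE_LOG, NEW_LOG).items():
        print(f"{user:6s} {src:15s} {', '.join(reasons) or 'normal'}")
```

The 03:02 login for alice from 10.9.9.9 is flagged as both a new source and off hours even though the address is on no list, which is exactly the case a signature-only control misses; bob's login from 198.51.100.77 is flagged by the signature and by the baseline together. In a real deployment the baseline would be rebuilt on a rolling window and the training data would first be screened so that an attacker's own activity does not become part of "normal".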
Cloud analysis is extremely difficult and is heavily dependent upon the cloud vendor.

F. Dark Web Intelligence
Dark-Web Intelligence is a security analytics technique that actively monitors the "dark web" for activities relevant to any specific business house, including monitoring for
• Phishing attacks
• PII in the wild
• Threats against the company / executives
• Highly specialized service offerings
Dark-Web Intelligence is often used for brand protection and personnel security.

G. Security Analytics Incident Response Tools
Many of these tools can feed an Incident Response Program (IRP). Indicators of Compromise (IoCs) are the evidence that a cyber-attack has indeed taken place. Many products include or offer IoC tracking and case management. However, none of them can work on a stand-alone basis. Data is extremely valuable in an incident. Prerequisites: to carry out such activities we need
• A solid incident response plan / program
• Storage of data for long enough to actually measure response
• Real, live humans looking at the data
• Organizational ability to handle such incidents

H. SOC (System On Chip) based Cyber Security Analytics
Is SOC (System On Chip) based cyber security the future? The next-generation firewall (NGFW) is part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line Deep Packet Inspection (DPI) and an Intrusion Prevention System (IPS), with the following components:
• IDS/IPS
• Web filtering
• Application control
• Endpoint antivirus
• Vulnerability management
• Patching
• SIEM (Security Information and Event Management)
• Data loss prevention (maybe)
In other words, you need a mature security program in place. Finally, do not purchase technology if you cannot invest in people; that is crucial for success.

I. Ten Commandments for Cyber Security Analytics
Finally, we conclude the keynote on Cyber Security Analytics by identifying ten commandments for Cyber Security Analytics to be meticulously followed:
1. Get people, get money, get support
2. Master your SIEM
3. Build an Incident Response Plan (IRP)
4. Implement a core NGFW
5. Implement network-based behavior analyzer capabilities
6. Augment outbound web filtering / proxy
7. Integrate threat intelligence into your SIEM
8. Upgrade or augment endpoint detection capabilities
9. Start storing full-packet captures (consider a converged platform)
10. Start hunting for attacks, rather than waiting for alerts

V. CONCLUSION
Hackers and intruders carry out attacks by taking advantage of either the inability of organizations to find the indicators of compromise within their environments quickly, or the delay that occurs in responding to these incidents and fixing the problem quickly. The three guidelines provided above will empower the cyber security team to effectively employ CyberSecurity Analytics to identify and remedy several security holes.

VI. ACKNOWLEDGMENT
I thank profoundly Professor Dr. Krishnan Baskar, Vice Chancellor, Manonmaniam Sundaranar University, Tirunelveli, for initiating the two Masters Programmes in Cyber Security and Data Analytics at our department. I thank with gratitude Professor Dr. Rama Subramanaian, Managing Director, Valiant Technologies, Chennai, and Professor Dr. Madhava Somasundaram of the Department of Criminology and Criminal Justice, Manonmaniam Sundaranar University, Tirunelveli, for sharing their innovative ideas on Cyber Security liberally with me. I thank profoundly Professor Dr. M. Karthikeyan for inviting me to offer this keynote address.

REFERENCES
[1] Dave Shackleford, "Using Analytics to Predict Future Attacks and Breaches", SANS Whitepaper, Jan. 2016, SAS.
[2] Thomas A. Runkler, "Data Analytics - Models and Algorithms for Intelligent Data Analysis", 2nd ed., Springer Fachmedien Wiesbaden, 2016.
[3] David Willson, "Cyber Security Awareness for CEOs and Management", Syngress (an imprint of Elsevier), 2016.
[4] Sandy Bacik, "Building an Effective Information Security Policy Architecture", CRC Press, 2008.