How to beat Heartbleed

Traditional security technologies can’t detect the bug, but high-performance analytics can

By Jen Dunham, Security Intelligence Practice, SAS

Sometimes, when you look at a problem in retrospect, you see that it could have been avoided or at least minimized. Heartbleed is a great example of that. You see, many security operations centers and security firms rely on “cyber-in-a-box” solutions for their cybersecurity. Not good – and now they know that.

Heartbleed has been around for years. Why haven’t these guys detected the anomalous behaviors? It’s because the rules-based system they use couldn’t have seen Heartbleed or any low and slow signal – unless it already knew to look for it.

High-performance analytics is critical for the type of behavioral analysis you would need to detect this type of vulnerability. It offers the agility and scope to look for anomalies in massive amounts of data over very long periods of time. And you don’t have to know what you’re looking for!

That would have been very helpful in this situation.

Patches – too little, too late

Since the announcement of the bug, most organizations and government agencies have implemented a patch to forestall criminal access to their data and help restore consumer faith. You can patch and mend, but that happens too late. The patch may reduce your vulnerability to Heartbleed, but it doesn’t guarantee something like this won’t get through again. No vendor can unequivocally guarantee that a certificate or SSL can’t be stolen.


High-performance analytics is critical for the type of behavioral analysis you would need to detect this type of vulnerability.

And bad actors know to keep looking for those opportunities.

So what can you do?

Commonly used security tools are no match against a security hole like Heartbleed when data volumes are very high or a long timeline is involved. But fast analysis and clustering algorithms can identify “clusters” of abnormal activity – in the Heartbleed case it’s the anomaly of slightly larger data transfers in the ongoing pulse (or heartbeat) of the SSL connection over long periods of time.

It is a big challenge to compute the basis of normal machine-to-machine interactions and correlate this flow data with IPS/IDS alerts, IP reputation and business context. This would be nearly impossible by common methods, but it’s exactly the type of risk detection that high-performance analytics is suited for.

And high-performance analytics can help you detect other difficult-to-find dangers. For instance, the low and slow signal of botnet command and control is hard to detect outside a high-performance analytic environment as the signal-to-noise ratio is too great. In this case, the anomaly is the “transaction” or beaconing.

SAS is building on its proven fraud-fighting capabilities to target research and development on cybersecurity analytics. With SAS® advanced analytics, we hope to detect the next Heartbleed and other sophisticated cyberattacks.

Read more about SAS® High-Performance Analytics and how we can help you with your big data problems.


Read More

Back to Top