How to catch a cyberattack

By Sheldon Shaw, Cyberanalytics Specialist, SAS

Most economic prosperity depends on successfully protecting our computing infrastructures, as well as the networks that connect them, from cyberattacks. Business, government, education, even culture, all function through and over computing infrastructures. To date, we’ve protected our infrastructures from cyberattacks through various technologies with the mindset that if we upgraded to the next version, we'd be better protected against more numerous, more complex and bigger cyberattacks.

SANS: Using Analytics to Predict Future Attacks and Breaches

The status quo is slow

For the last 20 years, most of the cybersecurity market (and the solutions within it) has operated with signature-based defenses. The assumption behind these types of defenses is that after a cyberattack, someone eventually catches it and designs a way to detect the exact same cyberattack elsewhere.

What’s the problem with this approach? The time it takes – valuable time during which the organization remains unprotected. There’s the time to detect the cyberattack, the time to create a signature for it, and the time to distribute and implement the signature throughout the organization. End-to-end, this process can sometimes take weeks or even months.

Yet, even if our defenses are all up to date, attackers are still finding a way into our infrastructures and out with our sensitive information – at an increasingly rapid pace and scale. Clearly, the market is ripe for a change.

Can you get value out of volume?

Security teams have sought to get ahead of cyberattackers in their networks by using the alert data generated by all these defensive systems. But the volume of this data can be overwhelming. Many organizations use security information and event management (SIEM) tools to analyze and boil down their alerts to the “critical few.” The problem with this approach is twofold. First, the critical few are still too many for all but the most highly staffed organizations to respond to in a timely manner. Second, a great deal of diagnostic effort and data analysis must still occur to get value out of the resulting information.

Cyberattack analysis

So, what’s the solution? Clearly, all of the aforementioned tools are necessary and play a valuable role in organizational defenses. But the missing ingredient is a timely, relevant and concise analysis of all organizational data, not just security data, for a full understanding of network behavior. This is where solutions that combine the power of big data with advanced predictive analytics can play a role in thwarting a cyberattack. By bringing the analysis to security and business data and not just data to the security analyst, these solutions can help organizations reduce the time it takes to detect and contain a network compromise.
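To make the contrast between the signature-based defenses described above and analysis of combined security and business data concrete, here is an added example (not code from SAS or from this article) in Python. It runs a signature matcher and a simple per-host behavioural baseline over constructed proxy-log records, then uses HR status as the business context; all host names, destinations, byte counts and the `KNOWN_BAD` list are invented placeholders.

```python
import statistics
from collections import defaultdict

# Constructed sample data (not real telemetry): daily outbound bytes per host
# from proxy logs (security data) and the HR status of each host's owner
# (business data). Hosts and destinations are invented placeholders.
PROXY_LOG = [  # (day, host, destination, bytes_out)
    (1, "ws-17", "cdn.example.test", 2_100_000),
    (2, "ws-17", "cdn.example.test", 2_300_000),
    (3, "ws-17", "mail.example.test", 1_900_000),
    (4, "ws-17", "cdn.example.test", 2_200_000),
    (5, "ws-17", "drop.unknown.test", 48_000_000),  # novel destination, large upload
    (1, "ws-42", "cdn.example.test", 900_000),
    (2, "ws-42", "cdn.example.test", 1_100_000),
    (3, "ws-42", "cdn.example.test", 1_000_000),
    (4, "ws-42", "mail.example.test", 950_000),
    (5, "ws-42", "cdn.example.test", 1_050_000),
]
HR_STATUS = {"ws-17": "on_leave", "ws-42": "active"}  # business context per host
KNOWN_BAD = {"badsite.example.test"}  # signatures written for earlier attacks

def signature_hits(log, signatures):
    """Signature-based detection: fires only on destinations seen in earlier attacks."""
    return [(day, host) for day, host, dest, _ in log if dest in signatures]

def baseline_anomalies(log, current_day, min_history=3, z_threshold=3.0):
    """Behavioural detection: flag hosts whose outbound volume on current_day
    exceeds their own history by more than z_threshold standard deviations."""
    history, today = defaultdict(list), defaultdict(int)
    for day, host, _, nbytes in log:
        if day < current_day:
            history[host].append(nbytes)
        elif day == current_day:
            today[host] += nbytes
    flagged = []
    for host, nbytes in today.items():
        past = history[host]
        if len(past) < min_history:
            continue  # not enough history to build a baseline for this host
        mean, stdev = statistics.mean(past), statistics.pstdev(past)
        if stdev > 0 and (nbytes - mean) / stdev > z_threshold:
            flagged.append(host)
    return flagged

def prioritise(flagged_hosts, hr_status):
    """Enrich the alert with business data: traffic from a host whose owner is
    on leave is more suspicious than the same traffic from an active user."""
    return {h: ("high" if hr_status.get(h) == "on_leave" else "medium") for h in flagged_hosts}
```

With this data the signature matcher returns nothing, because the day-5 destination has never been seen in a prior attack, while the baseline flags ws-17 and the HR enrichment raises it to high priority.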

Explore how you can reduce the time to detect and contain a network compromise. For more information, check out the SAS® Cybersecurity web page.

Sheldon Shaw

Sheldon Shaw is a cyberanalytics specialist with SAS. Having spent 15 years in the intelligence community, Shaw worked in nuclear counter-proliferation issues and information operations. He has also managed investigative teams that tracked national security intrusions into government systems. He is a Certified Intrusion Analyst and holds a degree from Acadia University.