Fighting cyberwars with cyber-analytics

Were the United States at cyberwar, it would lose. Many government officials would probably assert that the US is already engaged in cyberwar, although it has not reached the point where attackers are taking down critical infrastructure (85 percent of which is privately owned), disrupting communications, or shutting down agencies. Many government officials from other countries might also say that their countries are engaged in cyberwars, though perhaps on a smaller scale – perhaps. The trend is clear. For example, the number of incidents reported by US federal government agencies to the United States Computer Emergency Readiness Team (US-CERT) soared from 5,503 in 2006 to 16,843 in 2008 – a 206 percent increase. The number of incidents was almost surely understated because the report covered only detected incidents.

In the always-on, always-connected world today, a new computer, if unprotected, can be scanned within seconds and infected with malware within minutes. The United States is by no means alone in bleeding terabytes of sensitive, proprietary, classified information and intellectual property. It just happens to be the biggest target. The threats and attacks include denial of service, distributed denial of service, exploitation, logic bombs, sniffers, Trojan horses, viruses, worms, spyware, war-dialing, war-driving, spamming, phishing, spoofing, pharming and botnets – often in various combinations. PandaLabs estimates that 99.6 percent of all e-mail traffic directed to government mailboxes comprises spam or malicious messages – only 0.4 percent is legitimate.
Cyberwars, by the numbers

206: Percentage increase in detected incidents against US federal agencies (2006-2008)
8: Number of months that malicious software typically runs on government computers without detection
99.6: Percentage of all e-mail hitting government inboxes that is either spam or malicious
0.4: Percentage that is actually legitimate

Concern greater than ever

Cyberdefenders are most concerned with attacks, particularly from insiders, aimed at stealing, modifying or destroying data. The relatively recent phenomenon of advanced persistent-threat attacks has raised the level of concern even higher. These attacks penetrate organizations and insert software programs that repeatedly steal or modify data – and typically exist for as long as eight months before being detected. Government IT managers are losing sleep because the data they must protect is growing by terabytes every month. They are being inundated by masses of disconnected, uncorrelated data from all of their security systems. At the same time, the disparate and diverse systems that typically constitute IT infrastructures make it practically impossible to gain a comprehensive view of cybersituational awareness.
More sophisticated threats
Some government agencies have established cybersecurity operations centers, which are great for network monitoring. But they haven't provided operators and analysts with the tools to understand what drives the attacks, intrusions and anomalies – what it all means, and what's going on. While dashboards and security information and event management (SIEM) systems are great for reporting what's happening and what happened, they're not much use in detecting and analyzing patterns, predicting future attacks, issuing alerts and warnings, or sketching out what-if scenarios. Cyber-analytics can provide governments with enhanced and complementary capabilities and situational awareness about the security of their systems, networks and enterprises. It does this by monitoring activities; uncovering vulnerabilities, threats and patterns; integrating disparate data to find patterns and trends; and predicting future threats and attacks so agencies can take proactive measures to protect their data and networks. Cyber-analytics can help government agencies meet two of their biggest challenges: coordinating cybersecurity efforts and producing practical metrics to quantify the effectiveness of those security efforts.
Analytics contribute to a holistic view of the entire chessboard – where the pieces are located, both white and black. This holistic view helps government organizations significantly improve the coordination of their cybersecurity efforts and produce metrics that provide a more accurate picture of those efforts. Finally, analytics enable governments and corporations to better understand, use and protect their data, regardless of volume, condition, state or location.
Mitigating security risks
Using analytics for cybersecurity enables government agencies to think and act strategically, be proactive in mitigating security risks, and defend their data and IT infrastructure. With analytics, IT security managers can become strategists who always look three or four moves ahead and play offense as well as defense. In other words, they can stop playing checkers and start playing chess.

Bio: Mark Kagan is a Washington, DC-based consultant and writer and long-time analyst on defense and foreign affairs, security, and intelligence. He began his professional career as a defense intelligence analyst.