Data-driven cyberthreat detection

A cybersecurity case study from the trenches


Web attacks. Electronic espionage. Network or point-of-sale intrusions. Payment card skimmers. Denial-of-service attacks and even insider misuse. Cybersecurity threats run deep and affect all industries, exploiting vulnerabilities, destroying profits and eroding customers’ trust.

The vast amounts of sensitive data collected and stored today are attractive targets. Disrupting the operations of mission-critical systems might be the work of school-age boys down the street or highly trained employees of unfriendly nations. Motivations may differ, but it’s clear that cyberattacks are growing in sophistication and intensity.


Compromised by cybercrime

A few years ago, the high-security network computing system of a large US information services provider was hacked by some enterprising teenagers. The incident was a major blow to the company’s IT security establishment, as it had invested heavily in bolstering the security infrastructure following an earlier breach. As it turns out, the company was learning the hard way what many in IT security now have come to accept: Your network is only as secure as its weakest link—the user.

The company housed a large database of personal data, including sensitive, private information such as Social Security numbers, as well as individuals’ public record data. The database was primarily accessed through the web by the company’s myriad customers, ranging from law enforcement agencies to private debt collectors.

The forensic investigation revealed that the security breach and the subsequent exfiltration of personal data were executed through the legitimate account and credentials of a state law enforcement officer. The officer’s endpoint machine was compromised by the hackers, who lured the officer into downloading a keylogger—a keystroke recorder that captures the user’s activity—via a phishing scam.

Blocking future intruders

Smarting from the costly litigation and the massive public relations backlash that followed, the company sought a better, data-driven and analytically derived intrusion detection system—one that would augment and complement its existing security.

Under guidance from the SAS Advanced Analytics Lab, the customer initiated a project to demonstrate the value of analytics and data mining in detecting malicious user activity within the customer’s network. Project data included:

  • Web and system logs of user activity, such as login and logout, search and browser transaction history.
  • User metadata, such as name, organization and other organizational details.
  • Call center and service logs, such as requests for changes.
  • A variety of other data, such as blacklists of users and IPs.

The company used behavior-based analytics to detect unusual and extreme user behavior. This included the use of historical activity or usage patterns to establish “normal” behaviors that can be used to monitor future activity.

The detection engine uses a variety of analytical methods: simple business rules that track known suspicious user behavior; univariate and multivariate anomaly detection that uses peer group comparisons; and link analytics that identify potential collusive activity. Alerts generated by the detection engine are displayed in a security dashboard used by the analysts in the company’s security operations center. Security analysts agree that the detection engine provides a perspective they never had with their existing security tools. Of particular value are the aggregated views of not only the user but also the IPs, businesses and groups of linked users, together with intuitive threat risk scoring. Initial results validate many of the known threats that the security team was already tracking, and the system will generate alerts on a near-real-time basis.
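To make the peer-group idea concrete, the following is an added example (not SAS or the customer’s code) that scores constructed per-user web-log aggregates against their organization’s baseline and combines that with a blacklist rule. The log fields, the blacklist contents, the robust z-score cutoff and the risk weights are all assumptions; a robust median/MAD baseline is used instead of mean/standard deviation so that a single extreme user cannot inflate the baseline and mask itself.

```python
from collections import defaultdict
from statistics import median

# Constructed web-log aggregates: (user, peer_group, source_ip, searches_today).
# The values are made up for illustration; the project's real log schema is not given.
ACTIVITY = [
    ("u1", "law_enforcement", "198.51.100.10", 12),
    ("u2", "law_enforcement", "198.51.100.11", 15),
    ("u3", "law_enforcement", "198.51.100.12", 9),
    ("u4", "law_enforcement", "198.51.100.13", 14),
    ("u5", "law_enforcement", "203.0.113.9", 410),   # extreme volume from a listed IP
    ("u6", "law_enforcement", "203.0.113.50", 11),   # normal volume, listed IP only
    ("c1", "debt_collection", "192.0.2.20", 300),
    ("c2", "debt_collection", "192.0.2.21", 340),
    ("c3", "debt_collection", "192.0.2.22", 280),
    ("c4", "debt_collection", "192.0.2.23", 320),
]
BLACKLISTED_IPS = {"203.0.113.9", "203.0.113.50"}  # assumed rule input (cf. "blacklists of users and IPs")
Z_THRESHOLD = 3.0                                   # assumed cutoff for "extreme" peer deviation
MAD_SCALE = 1.4826                                  # makes MAD comparable to a standard deviation

def peer_baselines(records):
    """Median and MAD of daily searches per peer group: the 'normal' profile.
    Robust statistics keep one outlier from dragging its own group's baseline up."""
    by_group = defaultdict(list)
    for _user, group, _ip, searches in records:
        by_group[group].append(searches)
    baselines = {}
    for group, values in by_group.items():
        med = median(values)
        baselines[group] = (med, median(abs(v - med) for v in values))
    return baselines

def score_activity(records, blacklist=BLACKLISTED_IPS, z_threshold=Z_THRESHOLD):
    """Return {user: (risk_score, reasons)} for users that trip a rule or the
    peer-group check. 300 searches a day is normal for a debt collector but
    extreme for a law-enforcement account, so identical counts score differently."""
    baselines = peer_baselines(records)
    alerts = {}
    for user, group, ip, searches in records:
        reasons, risk = [], 0.0
        med, mad = baselines[group]
        z = (searches - med) / (MAD_SCALE * mad) if mad else 0.0
        if z > z_threshold:
            reasons.append(f"searches {searches} vs peer median {med:.0f} (robust z={z:.1f})")
            risk += min(z, 10.0) * 5           # cap so one signal cannot swamp the score
        if ip in blacklist:                    # simple business rule
            reasons.append(f"source IP {ip} is blacklisted")
            risk += 40
        if reasons:
            alerts[user] = (round(risk, 1), reasons)
    return alerts
```

Running `score_activity(ACTIVITY)` flags only u5 (both signals) and u6 (rule only); the high-volume debt collectors stay quiet because they are judged against their own peers.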

Drive detection with analytics

As this company learned, being able to detect and prevent potential data breaches is crucial. Analytics makes it possible to process large volumes of disparate data, draw insight from them and stay ahead of cybercrime.

