Following the Network Event Trail: Defeating Cyber Attacks Through Analytics

With cyberattacks increasing in volume and sophistication, interest in the use of cyber analytics tools in order to predict future breaches and attacks is on the rise.

That includes analyzing the clues left by prior attacks – the network event trail – for patterns that can help in identifying potential attempts at a breach.

“Every breach creates anomalies in the network, like a thief leaving DNA evidence at the scene of a crime,” says Dr. William Butler, chair of Capitol Technology University’s cybersecurity program. “A skilled analyst can use this information to identify patterns of attack. Algorithms can then be developed that look for these patterns and red flag them to cybersecurity teams.”

Being able to accurately flag anomalies is important, in part, because of the sheer volume of network data coming in. Cybersecurity professionals have access to petabytes worth of information – log files, packet inspection systems, records of websites accessed – but often lack a reliable way to distinguish the signal from the noise.

As a result, the fight against hackers is turning into an uphill battle, the SANS Institute reported in a recent paper.

 “Attackers are taking advantage of the fact that organizations are not finding the indicators of compromise within their environments soon enough, nor are they responding to these incidents and removing them quickly enough,” the paper’s author, Dave Shackleford, noted.

According to the Ponemon 2017 Cost of a Data Breach Study, U.S. companies took an average of 206 days to detect a data breach. Mandiant’s M-Trends 2017 report noted that 53% of breaches were discovered by an external source and not the company’s staff.

The good news: cyber analytics holds out the promise of fine-tuning the search and more precisely identifying the likely vectors of attack – thus enabling cybersecurity teams to make surer decisions about their organizations’ cybersecurity postures.

“We’re seeing heightened interest in analytical techniques as the cybersecurity profession seeks to keep a step ahead of adversaries,” Butler said.

The increased interest, in part, reflects a realization that breaches cannot be prevented entirely – given the number of adversaries, attack surfaces, and potential vulnerabilities, sooner or later an adversary will get through. 

"It is important to remember that cybersecurity is not necessarily about, having tools that keep us from getting attacked. In a perfect world that is what we want, but it's not likely,” said Dr. Mary Margaret Chantré, assistant professor in the cyber security and cyber analytics programs.

“Cybersecurity is about the ability to be resilient to attacks and recovery quickly. A cyber analyst looks at mistakes made in the past and tries to avoid them in the present so he/she can predict possible future attacks. This type of situational awareness helps minimize risk," Chantré said.

In examining threats, cyber analysts not only use traditional methods of statistical analysis – identifying a normal distribution pattern and then recording signification deviation – but also machine learning and algorithmic-based techniques, such as clustering and density estimation.

“It’s a very exciting time to be doing analytics,” Butler said, “both because of the advances in methodology and also the availability of software that can handle data at quantities far beyond the capabilities of an individual human.”

With the rising interest in analytics comes a need for training and education – and Capitol Technology University is meeting the need with undergraduate and graduate programs. The university is one of the first worldwide to launch a cyber analytics degree. In addition to a bachelor of science in cyber analytics, Capitol also offers an online master’s in the field.

Capitol has long been a leader in cybersecurity education, earning three successive Center for Excellence designations from the Department of Homeland Security and the National Security Agency. 

“With more and more cyber analysts working side by side with cybersecurity professionals, the two fields are a natural fit.”