2018 IEEE ICCIC Keynote+ppt PDF
2018 IEEE ICCIC Keynote+ppt PDF
2018 IEEE ICCIC Keynote+ppt PDF
Abstract—Traditional Cyber Security operates on the premise Promoting Unworthy Products, Financial extortion,
of deploying crime prevention technologies at the network Ransomeware, Internet bomb threats, Classified global
perimeter as the dominant methodology with crime event security data theft, Password trafficking, Enterprise trade
management at the backseat. Contemporary heterogeneous secret theft, Personally data hacking, Copyright violations
business world demands network access to business partners such as software piracy, Counterfeit trademarks, Illegal
via extranet, cloud services and home-working etc. makes weapon trafficking, Online child pornography, Credit card
SIEM - Security Information and Event Management into a theft and fraud, Email phishing, Domain name hijacking and
complex and complicated task demanding deployment of Virus spreading are some of the cyber crimes listed. Many
Analytics tools in a big way to combat cyber crimes. victims of cyber crimes are unaware of their being the victims
Keywords—CyberSecurity; securityAnalytics; cyber crimes;
is the real tragedy of many cyber crimes.
to handle cyber security breaches that are very crucial to make IV. ANALYTICS MECHANISMS FOR FIXING CYBER
the organization to respond and handle cyber incidents. CRIMES
D. Complexity of Modern Networks The data generated by the attacker’s actions is the track-
Modern networking that include penetration of laptops, mark of cybercrime and this becomes the reason for security
palmtops, granting access to business partners via extranet, analytics evolving as an indispensable weapon to the
cloud services, and home-working workforce etc. have CyberSecurity team. We possess the data to investigate and
collectively made the task of securing the data within an should deploy analytics to fight the cybercrime. There are
organization into a nightmare. As hackers employ multiple analytics tools available today that have the ability to
sophisticated tools and techniques to crack the complexity of gather and monitor the cyber crime data available to perform
even the most secured networks, 24x7 cyber security watch faster cybercrime detection.
and ward with more ammunitions are a necessity now. The goal for the CyberSecurity team will be to figure out
CyberSecurity Analytics Tools come handy to provide how to make that data work for you. With more volumes of
solutions for incident handling teams to combat cyber crimes. data, you need analytics to organize, contextualize and
E. Limitations of Conventional Cyber Security Architectures ultimately find the hidden meaning.
Conventional Cyber Security Architectures have focused For instance, just consider the simple log file that
on preventing threats from entering their networks by documents a system’s events. This log data is a good source
designing layered solutions at the perimeter of Networks in an for tracking down a cyber crime – after it happened. Any
organization. The problem with such Security Architectures breach located in a certain area in the log data will give an
are that they provide a very minimal threat detection excellent clue to the point of intrusion.
capabilities to handle any threat that has penetrated the The information derived from such log file data are very
perimeter of the security network (using phishing and crucial for two reasons; as the contemporary networks consists
watering hole style attacks on a weak password, for instance). of staff, business partners and customers accessing data from
F. Role of Security Analytics the outside of the network's firewall perimeter, log data from
the number of such outer connections are of primary
Security Analytics helps immensely to detect and analyze
important; Second, the fact that people use multiple gadgets
threats that are already inside the network of an organization
and systems to access the network leading to the exponential
very quickly. Security Analytics provide tools that do the
increase in the volume of log data make the case of security
functions of specialist cyber security services with graphical
analytics very strong.
displays of rows and columns to make the job of security
specialist easier to spot trends and suspicious activities This is being cited by Mr. David Shackleford, a SANS
running over longer time frames. analyst, in a report as the fit case for using cyber Analytics to
predict future attacks and breaches to overcome the limitations
G. Security Analytics Tools Minimize the time to identify,
of traditional detection tools.
investigate and Resolve a problem
Security Analytics solutions provide efficient tools to the Mr. Shackleford's report[1] analyzes and evaluates
incident-handling teams allowing inner view of the network contemporary cyberAttack detection technologies tools
traffic and user activities spread over several days, weeks and ranging from simple logging, network device events tools to
even months. The security team can navigate through all these SIEM - Security Information and Event Management and file
information in real time. Security Analytics solutions will integrity monitoring tools. He observed that these very
drastically reduce the time taken in the identification of a important network defense tools also find it difficult to fight
problem, its investigation and the resolution, thereby will modern cybercrimes in view of the voluminous data generated
minimize the adverse impact on a business and reduces the by them. When Cyber Security Teams employ several events
risk that attackers will make off with customer data or detection controls in their response processes, the chances of
business intellectual property. missing crucial events and indicators of compromises are
many.
H. Birth of CyberSecurity Analytics
Combining CyberSecurity with Analytics enables better
Security Analytics was never considered as a primary help network visibility. There are three areas in CyberSecurity
weapon to fight cybercrime in the eyes of Cyber Security demanding the application of Analytics to convert the
professionals for a long time. voluminous security data into precise vital security
When intrusions cannot be prevented in total, and we information.
witness many intrusions are happening in reality, we need to A. Establish Business Context behind the Behaviour
include Security Analytics in the team of Cyber Security
Professionals. We need to remember that with the occurrence Since we deal with massive network data containing a
of every successful intrusion, the attacker creates a network lot of complex data, our first area of importance is to
event trail that provides a fingerprint of the intruder, marking "Establish Business Context behind the Behaviour". For
the steps he’s taking in the network to pursue his criminal instance, the information on how a specific computer systems
activity. acts with reference to the other computers in the network will
provide vital clue to evaluate whether its behaviour normal.
2018 IEEE International Conference on Computational Intelligence and Computing Research
B. Enabling to find Meaningful Patterns and Connections sniff packets in the data. Some Competing Technologies
The specialty of 'Security Analytics' is that it does bulk available today that enable this capabilities are listed below:
load of work intelligently for the Cyber Security Team that • Sandboxing: trap files and pull them apart
need not have to consistently scan through the data to look for
'security breach events' that raise issues requiring further • Network Behavior: Track activity on the network
investigation. The Machine Intelligence power of 'Security • Packet Capture: Retain full packet capture
Analytics' finds patterns and connections by going deeper into
These technologies are Hardware and processor intensive
the data, that would not be possible otherwise.
products that are greatly beneficial in IR and forensics.
C. Integrating Security Analytics with Incident Response
BA: Host-Based Behavior Analyzers have a very busy
Program area for competing technologies. We are listing some among
We need to ensure the visibility and availability of answers them here with their specific capabilities:
obtained from Security analytics to reach the Incidence
Response team; for this, we need to integrate Security • Sandboxing: trap files and pull them apart;
Analytics into the incident response program. • System behavior: tracks system calls, watches for series
D. Predictive Security Analytics of suspicious calls in the system;
Predictive Analytics is all about what can be done before • Application whitelisting: will allow only trusted
an attack takes place. It deals with the list of DOs, if there is a applications to run;
possibility of an attack and predicting an attack. Predictive • Statistical Analysis: performs probability analysis of files
Security Analytics helps security experts to determine the being malware and reports the same;
possibility of an attack and helps set up defense mechanisms
even before hackers try and attack. • Memory / Kernel Monitoring: is Watchdog core OS;
Go Beyond Signatures: Tracking the trail or signature of • Classic Endpoint: AV, IPS, App Control and USB
the attacker is one way to help detect the next crime quicker, Control capable tool;
but it does not help in prevention of the first crime anyways.
• Data Loss Prevention: monitors for sensitive content;
With the help of cyber analytics, experts can monitor activity
across multiple networks and data streams through anomaly • Endpoint Activity: Full screen capture of use behavior;
detection techniques and self-learning analytics, involving
Predictive Analytics and Machine Learning. BA: Identity-Based Behavior Analyzers does Identity-
Based behaviour analysis armed with the capability of
This actually helps identify threats as they occur and this
concept goes beyond the signature tracking technology. Cyber • Tracking user logins and actions across networks,
Security Analytics also helps quickly detect anomalies in data applications
streams and network traffic and minimize false positive alerts. • Creating baseline of user behavior and spotting
The components of Elementary Security Analytics are anomalies
Behaviour Analytics, Data Analysis, Forensics Analysis and Identity based Behaviour Analyzers require endpoint or
Threat Intelligence. directory services integration, have benefits for internal
E. Behaviour Analytics operations as well. It is to be noted that the Cloud-based
access brokers are only a form of identity-based Behaviour
Behaviour Analytics deploys Behaviour Analyzer (BA) Analyzer and they can connect with other IdM technologies.
tools, also known as Breach Detection or Kill-Chain
Analyzers. BA is a class of technologies that analyzes BA: Cloud-Based Behavior Analyzers - Behavioral
behavior for Indicators of Compromise (IoC). analytics is a combination of machine learning, artificial
intelligence, big data and analytics technologies to identify
Examples of some classes of BA products: malicious, stealth behavior by analyzing subtle differences in
• Network (Breach-detection) normal, everyday activities in order to proactively stop cyber
attacks before the attackers have the ability to fully execute
• Host (APT, advanced endpoint) their destructive plans. Cloud based behavior analysis system
• User Identity • Cloud detects zero-day malware Instantly. Cloud-based Analytics in
the cloud vs analytics of the cloud
• Dark-Web Intelligence
Messy myriad of technologies here
Uses threat intelligence to be more accurate
• Cloud access and security brokers
BA is not Data loss prevention (DLP), and DLP is not BA
– but they are close. • Cloud web gateway products
Cloud analysis is extremely difficult and is heavily I. Ten Commandments for Cyber Security Analytics
dependent upon the cloud vendor. Finally we shall conclude the keynote on Cyber Security
F. Dark Web Intelligence analytics with the identification on Ten commandments for
Cyber Security Analytics to be meticulously followed:
Dark-Web Intelligence is an security analytics technique
that actively monitors ―dark web‖ for activities relevant to any 1. Get people, get money, get support
specific business house that include monitoring activities like
2. Master your SIEM
• Phishing attacks
3. Build an Incident Response Plan (IRP)
• PII in the wild
4. Implement a core NGFW
• Threats against the company / executives
5. Implement network-based behavior analyzer capabilities
• Highly specialized service offerings
6. Augment outbound web filtering / proxy
Dark-Web Intelligence is often used for brand protection
and personnel security. 7. Integrate threat intelligence into your SIEM
8. Upgrade or augment endpoint detection capabilities
G. Security Analytics Incident Response Tools
Many of these tools can feed an Incident Response 9. Start storing full-packet captures (consider converged
Program (IRP). Indicators of Compromise (IoCs) are the platform)
evidences that a cyber-attack has indeed taken place. 10. Start hunting for attacks, rather than waiting for alerts
Many products include or offer IoC tracking and case V. CONCLUSION
management. However, None of them can work on a stand
alone basis. Data is extremely valuable in an incident Hackers and Intruders carry out attacks by taking
advantage of either the inability of the organizations in finding
Prerequisites. To carry out such activities we need the indicators of compromises within their environments
• Solid incident response plan / program quickly or the delay occurs in responding to these incidents in
fixing the problem quickly. The three guidelines provided
• Storage of data long enough to actually measure response above will empower the cyber security team to effectively
• Real, live humans looking at the data employ CyberSecurity Analytics to identify and remedy
several security holes.
• Organizational ability to handle such incidents
VI. ACKNOWLEDGMENT
H. SOC (System On Chip) based Cyber Security Analytics I thank profoundly Professor Dr.Krishnan Baskar, Vice
Is SOC (System On Chip) based Cyber Security the Chancellor, Manonmaniam Sundaranar University, Tirunelveli
Future? The next-generation firewall (NGFW) is a part of the for initiating the two Masters Programmes in Cyber Security
third generation of firewall technology, combining a and Data Analytics at our department; I thank with gratitude
traditional firewall with other network device filtering Professor Dr.Rama Subramanaian, Managing Director,
functionalities, such as an application firewall using in-line Valiant Technologies, Chennai and Professor Dr.Madhava
Deep Packet Inspection (DPI), an Intrusion Prevention System Somasundaram of the Department of Criminology and
(IPS) with the following components: Criminal Justice, Manonmaniam sundaranar University,
Tirunelveli for sharing their innovative ideas on Cyber
• IDS/IPS
Security liberally with me. I thank profoundly Professor
• Web filtering Dr.M.Karthikeyan for inviting me to offer this keynote
• Application control address.
• Endpoint AntiVirus
REFERENCES
• Vulnerability management [1] Dave Shackleford, "Using Analytics to Predict Future Attacks and
• Patching Breaches", A SANS Whitepaper, Jan. 2016, SAS
• SIEM (Security information and event management) [2] Thomas A. Runkler, "Data Analytics - Models and Algorithms for
Intelligent Data Analysis", 2nd Edition, © Springer Fachmedien
• Data loss prevention (maybe) Wiesbaden 2016.
In other words, you need a mature security program on [3] David Willson, "Cyber Security Awareness for CEOs and
place. Finally, don’t Purchase Technology if you Can’t invest Management", Syngress is an imprint of Elsevier, 2016 Elsevier Inc..
in People, that is crucial for success. [4] Sandy Bacik, "Building an Effective Information Security Policy
Architecture", CRC Press 2008.