Sunday, March 6, 2022

How To Efficiently Analyze Cyber Data: A 4 Step Model

 



Let’s face it, in the digital world that we live in today, one of the cornerstones of all businesses in Corporate America is data.  Whether it’s medical data, E-Commerce related data, market research data, etc., we depend upon the collection and secure storage of it for subsequent uses.  In fact, even the world of Cybersecurity is known to collect tons of data.

Unfortunately, in our world, much of this data gets overlooked, because our IT Security teams are so inundated with trying to put out the fires on the threat landscape.

For example, unless some sophisticated tool is being used such as a SIEM, AI, or ML, it is almost impossible to comb through all of those alerts and warnings, and determine what is for real and what is fake.

Therefore, you and your IT Security team need to have some kind of focus as to what kind of data needs to be collected, especially in the way of intelligence, so that future threat vectors can be predicted with some accuracy.

So how does one go about doing this?  Here are some quick tips that you could quite possibly make use of:

1)   Establish what really needs collection:

As a CISO or even a vCISO, the first answer that will come to mind is “We need everything”.  So, does this mean even including the proverbial kitchen sink? LOL.  In Cyber, all data is very important.  But since there is so much of it coming in on a daily basis, you need to focus in on what employees really need.  For example, if you are a threat researcher, you are going to need intel related data.  If you are on the combat team fighting the threat variants, then you will need information about those threats that are inbound, and what is coming in the next few days.  Or if you are running a SOC, you will need to have even more global data so as to find out what is happening around the world, especially if you have clients and/or offices located in different countries.  This part of the process, which is honing down on what you really need, is technically known as “Prioritized Intelligence Requirements”, or “PIR” for short.

2)   Determining the actual sources:

Once you have decided what you are going to focus on for either the short or long term, the next step is how you are now going to collect this data.  For example, if you are a threat researcher, you are going to need an exhaustive dataset of past variants and their signatures.  From here, you can then map out the correlations amongst the deadlier ones, and from that, try to project or extrapolate what the future threat variants will look like.  One key advantage you have here is that the Cyberattacker hardly ever comes up with a totally brand-new variant.  They are always based on some sort of previous attack vector, and all the Cyberattacker is doing is simply building a better mousetrap in order to avoid detection and hide covertly for even longer periods of time.  However, trying to do this all on your own can be a very time-consuming, mind-numbing process.  That’s why you should use either AI or ML.  These tools can do this in just a matter of minutes.

3)   Determine the analysis:

Once you have identified what types and kinds of data need to be collected, as well as their sources, the next thing you need to do is decide how it will be analyzed.  You have two choices here.  They are the human approach or the automated approach.  With the former, you are going to have to hire more than just one person, and this can be a costlier proposition, given the fact that you are going to have to pay them something.  Also, there is the time factor.  While humans are no doubt amongst the smartest creatures on the planet, it will still take a lot of time to make any sort of prediction, and humans are also more prone to making errors.  Keep in mind that in the world of Cyber, time is everything.  For example, you will need to know in a matter of hours what the Cyber threat landscape could look like tomorrow.  Thus, the latter choice, which is that of automation, will be the best bet here.

4)   Determine the Call To Action:

Now that you and your IT Security team have analyzed all of the data and have derived logical conclusions from it, the final step in this process is how to take action on it.  In the case of dealing with all of the alerts that are coming in on a minute-by-minute basis, the CTA here would be to procure some sort of SIEM based software package, and feed this data into it.  That way, it can very quickly and easily filter through all of the warnings and messages, and only present the real and legitimate ones to the IT Security team.  From here, they can be triaged and escalated in a quick and efficient manner, while reducing the number of errors that are being made in the process.
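The four steps above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any SIEM product; the role names, source names, keywords and escalation threshold are hypothetical, and the alerts are constructed sample data.

```python
from collections import Counter

# Step 1: Prioritized Intelligence Requirements (PIRs), one keyword set per role.
# Role names and keywords are hypothetical.
PIRS = {
    "threat_research": {"malware", "signature", "variant"},
    "soc": {"phishing", "ransomware", "bruteforce"},
}

# Step 2: the sources each role has agreed to collect from (hypothetical names).
SOURCES = {
    "threat_research": {"malware_feed"},
    "soc": {"edr", "mail_gateway", "auth_log"},
}

# Constructed sample alerts; not real telemetry.
ALERTS = [
    {"source": "auth_log", "tags": {"bruteforce"}, "host": "vpn01", "severity": 7},
    {"source": "auth_log", "tags": {"bruteforce"}, "host": "vpn01", "severity": 7},
    {"source": "edr", "tags": {"ransomware"}, "host": "fs02", "severity": 9},
    {"source": "printer", "tags": {"toner_low"}, "host": "prn03", "severity": 1},
    {"source": "malware_feed", "tags": {"variant", "ransomware"}, "host": "-", "severity": 5},
    {"source": "mail_gateway", "tags": {"phishing"}, "host": "mx01", "severity": 4},
]

def triage(alerts, escalate_at=7):
    """Steps 3 and 4: dedupe, match each alert against the PIRs, then route it."""
    # Collapse exact duplicates so one noisy sensor does not flood the queue.
    counts = Counter(
        (a["source"], frozenset(a["tags"]), a["host"], a["severity"]) for a in alerts
    )
    routed = {"escalate": [], "review": [], "dropped": []}
    for (source, tags, host, severity), seen in counts.items():
        # A role owns the alert only if it collects this source AND a tag hits its PIR.
        roles = sorted(r for r in PIRS if source in SOURCES[r] and tags & PIRS[r])
        item = {"source": source, "host": host, "severity": severity,
                "count": seen, "roles": roles}
        if not roles:
            routed["dropped"].append(item)    # outside every PIR
        elif severity >= escalate_at:
            routed["escalate"].append(item)   # call to action: escalate now
        else:
            routed["review"].append(item)     # in scope, lower urgency
    return routed

if __name__ == "__main__":
    for queue, items in triage(ALERTS).items():
        print(queue, items)
```

Keeping a count of dropped items, rather than discarding them silently, makes it possible to check later whether a PIR was scoped too narrowly.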

My Thoughts On This:

This methodology just reviewed can be seen in the illustration below:

(SOURCE:  https://www.darkreading.com/threat-intelligence/4-simple-steps-to-a-modernized-threat-intelligence-approach).

In this article, I have alluded quite a bit to using AI and ML tools.  Given just how dynamic the Cyber threat landscape is these days, you are going to have to use these tools in order to quickly analyze the data you are getting.

Although it may sound complex, it really is not.  If you make use of a Cloud based platform such as AWS or Microsoft Azure, the tools are right there for you to literally build an AI or ML machine in just a matter of minutes, for a fixed, monthly price.

But also keep in mind that as you further explore your AI and ML options, the algorithms that you create for them have to be optimized on a regular basis.  If not, they can go stale, and not produce the desired outputs. 

Secondly, you have to make sure that the datasets you are using have been “cleansed” as well.  This simply means that there are no outliers in them, and that they are properly categorized so that your AI or ML machine can easily process them.

If you need help with any of this, there are plenty of AI vendors out there who can help you.  A Google search can reveal this as well.  Or you can also contact me at ravi@ravidas.tech for further assistance.
