
Posted on 21-Aug-2020


#AnalyticsX

Copyright © 2016, SAS Institute Inc. All rights reserved.

How to Tune Your Cybersecurity RADAR² With Security Analytics

Mark Dobeck, Professor, Cleveland State University

Stu Bradley, Vice President, Cybersecurity Solutions, SAS


• 200% increase in cost
• 59% detected by 3rd party
• $450B lost
• $154 per record
• 80.5 days
• Billions of events
• $170B annual spend


Security Analytics: The Buzz Is Not Enough

Terms surrounding "Security Analytics" on the slide:

• Rules/Thresholds
• Behavioral Analytics
• Data Visualization
• In-Stream
• Machine Learning
• Statistical Modeling
• In-Memory
• Anomalous Behavior


Analytic Maturity Curve

[Chart; the stages shown are:]

• Search, Query & Response
• Predictive Analytics
• Behavioral Anomalies
• Rules & Signatures


What’s Being Overlooked?

[Chart: Value of Results against Data, Time and Analytic Approach]


There is Hope for Security Analytics

• Can provide network visibility

• You should understand the impact of scale

• You should investigate the data, timing & analytic approaches used


Cybersecurity Is Strategic

• Long-term & operational considerations
• Expand & elevate the CISO/CDO role
• Cybersecurity must be adaptive
• Technology trends: artificial intelligence, machine learning, behavioral analytics, predictive analytics


RADAR² Methodology for Cybersecurity

1. Readiness
2. Awareness
3. Detection
4. Action
5. Remediation
6. Recovery


Readiness (1)

• Enterprise cybersecurity risk management plan
• Planning & preparation
• Formal policies & procedures
• Documentation
• Implementation
• Cybersecurity Readiness Team
• Testing
• Monitoring


Data Governance (1)

• Compliance
• Legal obligations
• Regulatory requirements
• Fiduciary responsibility
• Data is an asset class


Threat Intelligence (1)

• Internal analysis
• External information: ISAC (Information Sharing & Analysis Center), external feeds
• Threat intelligence must be: accessible, intelligible, timely, actionable, reliable, relevant


Awareness (2)

• Analytics/cybersecurity culture
• Mandatory education & training
• Change management plan
• Commitment
• Communication


Detection (3)

• Threat recognition & forecasting
• Predictive analytic tools
• Behavioral analytic tools
• Anomalies/suspicious activity
• Rapid Response Team notification


Machine Learning (3)

• Artificial intelligence
• Data-intensive
• Autonomous learning
• Structured & unstructured data
• Supervised & unsupervised learning
• Automation


Behavioral Analysis (3)

• Email
• Social media
• Unauthorized access
• Pattern & trend recognition
• Anomaly detection
• Data leaks
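The Detection and Behavioral Analysis slides set behavioral anomaly detection against the rules & signatures stage of the maturity curve, but the deck does not show what the difference looks like on data. The Python below is an added example, not code from the presentation, from SAS or from the speakers: it runs a static failure-count rule and a per-user behavioral baseline (login volume measured against that user's own recent history, plus first-time source hosts) over a constructed authentication log. The log format, user and host names, the failure threshold, the z-score limit and the spread floor are all assumptions made for the illustration.

```python
"""Rules/thresholds beside a per-user behavioral baseline over auth logs.

Added example for the Detection and Behavioral Analysis slides; not code
from the presentation. Log format, users, hosts, threshold and z-score
limit are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log, one event per line: "<day> <user> <src_host> <result>"
# Days 12-14 are the history; day 15 is the day under review.
SAMPLE_LOG = """\
2016-09-12 alice ws-12 success
2016-09-12 alice ws-12 success
2016-09-13 alice ws-12 success
2016-09-13 alice ws-12 success
2016-09-13 alice ws-12 success
2016-09-14 alice ws-12 success
2016-09-14 alice ws-12 success
2016-09-14 alice ws-12 success
2016-09-14 alice ws-12 success
2016-09-12 bob ws-07 success
2016-09-12 bob ws-07 success
2016-09-13 bob ws-07 success
2016-09-13 bob ws-07 success
2016-09-14 bob ws-07 success
2016-09-14 bob ws-07 success
2016-09-15 alice ws-12 success
2016-09-15 alice ws-12 success
2016-09-15 alice ws-12 success
2016-09-15 alice ws-12 success
2016-09-15 alice ws-12 success
2016-09-15 alice srv-db success
2016-09-15 bob ws-07 success
2016-09-15 bob ws-07 failure
2016-09-15 bob ws-07 success
"""


def parse_log(text):
    """Parse four-field lines into event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, user, host, result = parts
        events.append({"day": day, "user": user, "host": host, "result": result})
    return events


def rule_threshold_alerts(events, max_failures=5):
    """Static rule: flag any user with more than max_failures failed logins in one day."""
    failures = Counter((e["day"], e["user"]) for e in events if e["result"] == "failure")
    return sorted((day, user, n) for (day, user), n in failures.items() if n > max_failures)


def behavioral_alerts(events, target_day, z_limit=3.0, min_history=3, std_floor=0.5):
    """Per-user baseline: flag login volume far above the user's own history and
    logins from a source host the user never used before target_day."""
    # ISO dates compare correctly as strings, so no datetime parsing is needed here.
    history = [e for e in events if e["day"] < target_day]
    current = [e for e in events if e["day"] == target_day]
    daily = defaultdict(Counter)      # user -> day -> event count
    known_hosts = defaultdict(set)    # user -> source hosts seen in history
    for e in history:
        daily[e["user"]][e["day"]] += 1
        known_hosts[e["user"]].add(e["host"])
    alerts = []
    for user, count in sorted(Counter(e["user"] for e in current).items()):
        counts = list(daily[user].values())
        if len(counts) < min_history:
            alerts.append((user, "insufficient_history", count))
            continue
        # A flat history has zero spread; the floor stops one extra login from looking extreme.
        std = max(pstdev(counts), std_floor)
        z = (count - mean(counts)) / std
        if z > z_limit:
            alerts.append((user, "volume_anomaly", round(z, 2)))
    for e in current:
        if e["user"] in known_hosts and e["host"] not in known_hosts[e["user"]]:
            alerts.append((e["user"], "new_source_host", e["host"]))
    return alerts


def run_detection(log_text, target_day):
    """Run both detectors; the result is what a Rapid Response Team would be notified with."""
    events = parse_log(log_text)
    return {"rule": rule_threshold_alerts(events),
            "behavioral": behavioral_alerts(events, target_day)}


if __name__ == "__main__":
    for kind, items in run_detection(SAMPLE_LOG, "2016-09-15").items():
        print(kind, items)
```

On the constructed log the static rule never fires (no user exceeds five failures), while the baseline flags alice twice: six logins against a history of two, three and four per day, and a first login from srv-db. The three-day history, the spread floor and the z-score limit are toy settings; in practice the window and limits are tuned per environment, and the flat-history case (bob, whose counts never vary) is exactly the edge case the floor exists for.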


Predictive Analytics (3)

• Data-driven
• Near real-time
• Machine learning
• Multiple information sources
• Internal & external
• Improves response capabilities


Action (4)

• Rapid Response Team assessment
• Corrective action determination & damage control
• Legal evaluation & review
• Initial communications (internal & external)
• Investigation (internal & external)
• Law enforcement


Remediation (5)

• Correct problems & issues
• Formal enterprise security audit
• Update/upgrade vulnerability detection & response technology


Recovery (6)

• Conduct formal post-mortem (lessons learned)
• Revise cybersecurity policies & procedures
• Change implementation & testing
• Accurate & timely communications
• Normal operations


Summary

• Cybersecurity is strategic
• RADAR² is an ongoing process
• Awareness, communication & coordination are key to an effective cybersecurity culture
• Security analytics enables data-driven decision-making throughout the cycle


Q & A


Speakers:

Stu Bradley, VP, Cybersecurity Solutions, SAS, stu.bradley@sas.com

Mark Dobeck, Ph.D., Cleveland State University, m.f.dobeck@csuohio.edu

Visit the Innovation Hub to learn about SAS & security analytics

Research briefs on the RADAR² method available at iianalytics.com
