Security Analytics

Security Analytics - A Marriage between Big Data Analytics and Cybersecurity

“Big Data” refers to the high volume, velocity, and variety of information assets that demand cost-effective, innovative and reliable forms of information processing for enhanced insight and decision-making. Computing frameworks such as Hadoop allow us to generate value out of Big Data.

“Cybersecurity” is the body of techniques, processes and methodologies used to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

Why do we need big data for cybersecurity?
  • Businesses and organizations face unprecedented security risks introduced by phenomena such as the consumerization of IT. Network boundaries are dissolving fast and more vulnerabilities emerge.
  • Cyber attacks evolve fast and are becoming more skilled, sophisticated, and persistent, which makes them harder to detect and deter.
  • Traditional signature-based approaches are no longer sufficient or effective on their own.

Rapid development of the big data paradigm allows us to capture, store, and analyze the huge amounts of data generated in the cyber world. Big data can fuel intelligence-driven security by helping to:

  • Assess risks
  • Detect illicit activities and advanced cyber threats
  • Allow advanced predictive capabilities
  • Serve cyber incident response & investigation services
  • Deliver compliance
What types of “big data” do we use for security informatics?
Data: Network and host traffic data
  Possible data source: SIEM, network monitoring, and application monitoring
  Possible intelligence to derive: Are there traffic anomalies to/from these servers?

Data: Web transaction data
  Possible data source: Authentication data, transaction monitoring, application logs, SQL server logs, network session data
  Possible intelligence to derive: Has suspicious activity been observed in sensitive/high-value applications and assets?

Data: Infrastructure data
  Possible data source: IT assets, configuration management, vulnerability management
  Possible intelligence to derive:
  • Has the server been manipulated?
  • Is the server vulnerable?
  • Has its configuration changed recently?
  • Is it compliant with policy?

Data: Identity/credential data
  Possible data source: Authentication data, server logs, asset management, SIEM, network monitoring
  Possible intelligence to derive:
  • Which users are logged in?
  • Have their privileges been escalated?
  • What other assets did these users touch?
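The questions in the table above are, in practice, queries over joined log sources. The following is an added example (not code from the original page or from the Cyber Security Institute) that answers three of them over small constructed data sets: it flags per-server traffic anomalies using a robust median/MAD baseline, lists who is currently logged in, detects privilege escalation from authentication events, and reports which other assets an escalated user touched afterwards. The record layouts, field names, hostnames and usernames are all assumptions made for the example; it runs over in-memory Python lists rather than a Hadoop job, but the grouping and join steps are the same ones a cluster job would perform.

```python
"""Security-analytics example over constructed log records (added example).

Field layouts, hostnames and usernames below are assumptions, not data or
code from the page this example accompanies.
"""
from collections import defaultdict
from statistics import median

# Constructed network session records: (server, bytes_out).
# One db01 record is deliberately far above that server's normal volume.
NETWORK_SESSIONS = [
    ("db01", 4_800), ("db01", 5_100), ("db01", 4_950), ("db01", 5_300),
    ("db01", 5_050), ("db01", 4_700), ("db01", 1_950_000),
    ("web01", 120_000), ("web01", 118_000), ("web01", 125_000),
    ("web01", 121_000), ("web01", 119_500), ("web01", 124_000),
]

# Constructed authentication/audit records in time order:
# (timestamp, user, host, event, privilege level used)
AUTH_EVENTS = [
    ("09:00", "alice", "web01", "login",  "user"),
    ("09:05", "bob",   "hr01",  "login",  "user"),
    ("09:20", "alice", "web01", "sudo",   "root"),   # privilege escalated
    ("09:22", "alice", "db01",  "login",  "user"),   # moves to another asset
    ("09:30", "alice", "fs01",  "login",  "user"),
    ("09:40", "bob",   "hr01",  "logout", "user"),
]

PRIV_RANK = {"user": 0, "admin": 1, "root": 2}


def traffic_anomalies(sessions, threshold=6.0):
    """Flag byte counts far from each server's own median.

    Median and MAD (median absolute deviation) are used instead of mean and
    standard deviation so that a single huge burst cannot inflate the very
    baseline it is being compared against. Returns {server: [flagged bytes]}.
    """
    by_server = defaultdict(list)
    for server, nbytes in sessions:
        by_server[server].append(nbytes)
    anomalies = {}
    for server, values in by_server.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # guard constant traffic
        flagged = [v for v in values if abs(v - med) / mad > threshold]
        if flagged:
            anomalies[server] = flagged
    return anomalies


def logged_in_users(events):
    """Which (user, host) pairs have a login without a later logout."""
    sessions = set()
    for _, user, host, event, _ in events:
        if event == "login":
            sessions.add((user, host))
        elif event == "logout":
            sessions.discard((user, host))
    return sorted(sessions)


def privilege_escalations(events):
    """Events where a user acts above the privilege they first authenticated with."""
    first_priv = {}
    escalations = []
    for ts, user, host, _event, priv in events:
        if user not in first_priv:
            first_priv[user] = priv
        elif PRIV_RANK[priv] > PRIV_RANK[first_priv[user]]:
            escalations.append((ts, user, host, first_priv[user], priv))
    return escalations


def assets_touched_after_escalation(events, escalations):
    """For each escalated user, the other hosts they touched after escalating."""
    touched = defaultdict(set)
    for ts_esc, user, esc_host, _, _ in escalations:
        for ts, u, host, _, _ in events:
            # zero-padded HH:MM strings compare correctly as text
            if u == user and ts > ts_esc and host != esc_host:
                touched[user].add(host)
    return {u: sorted(hosts) for u, hosts in touched.items()}


if __name__ == "__main__":
    print("Traffic anomalies:", traffic_anomalies(NETWORK_SESSIONS))
    print("Logged in:", logged_in_users(AUTH_EVENTS))
    esc = privilege_escalations(AUTH_EVENTS)
    print("Escalations:", esc)
    print("Assets touched afterwards:", assets_touched_after_escalation(AUTH_EVENTS, esc))
```

On the constructed data the only traffic anomaly is db01's 1.95 MB session, alice's sudo to root at 09:20 is reported as an escalation, and db01 and fs01 are listed as the assets she touched afterwards; bob's session on hr01 is closed by his logout and no longer appears as logged in. The MAD threshold and the single-baseline escalation rule are deliberately simple and would need tuning (per-hour baselines, approved-escalation allow-lists) before use on real logs.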
How to design and adopt a security analytics solution?
  • Develop security analytics business strategy
  • Participate in analytics training and workshops
  • Implement a centralized data management infrastructure
  • Implement an analytics platform
  • Hire data scientists as consultants
  • Implement a “Network Monitoring” layer
  • Implement a “Suspicion Alert” layer
  • Streamline analytics with current workflow

Dr. Wei Wei
Associate Director of Research & Education
Cyber Security Institute
College of Science and Engineering
University of Houston - Clear Lake
Email: Wei@uhcl.edu 

 

Contact
  • Cyber Security Institute

    Phone: 281-283-3808
    Email: csi@uhcl.edu

    Delta Building, 147
    2700 Bay Area Blvd, Box 40
    Houston, TX 77058-1002