Data Analytics for Cyber Security PDF - Oct 2024
Document Details
Addis Ababa University
2024
Senait Desalegn
Summary
This document is the first chapter of a course on data analytics for cybersecurity. It covers what cybersecurity is and the assets it protects, the motivations behind cyber threats and the sources of security risk, the level of damage an attack can cause, the sub-areas of cybersecurity, what data analytics and big data are, and a case study (the PNNL intrusion) showing why temporal, spatial and behavioral analysis of cyber data matters.
Full Transcript
Data Analytics for Cyber Security
Chapter One: Introduction
Senait Desalegn
School of Information Technology and Engineering, Addis Ababa Institute of Technology, Addis Ababa University
Oct 2024

Course Introduction
Getting to know each other: your name, what you got from the cyber security course, and what you expect from this course.

Course content
Chapter One: Introduction
Chapter Two: Understanding sources of cyber security data
Chapter Three: Introduction to data mining
Chapter Four: Big data analytics and its need for cyber security
Chapter Five: Anomaly detection methods for cyber security
Chapter Six: Cyber security through time series and spatial data
Chapter Seven: Cyber security through network and graph data
Chapter Eight: Human-centered data analytics for cyber security
Chapter Nine: Future directions in data analytics for cyber security

Outline
What is cybersecurity?
Assets affected: personal, public and corporate assets at risk
Motivation, risks and security: why do we have security risks? What is the level of damage that can occur?
Handling cyber attacks
Sub-areas of cybersecurity
Data analytics
Why data analytics is important for cybersecurity: a case study of understanding the anatomy of an attack
(Slide footer: 16/10/2024, Data Analytics for Cyber Security, 2024)

What is Cybersecurity?
Cybersecurity refers to securing valuable electronic assets, and physical assets that have electronic access, against unauthorized access. These assets may include personal devices, networked devices, information assets and infrastructural assets, among others. Cybersecurity deals with security against threats, also referred to as cyber threats or cyberattacks. A cyberattack is the mechanism by which security is breached to gain access to assets of value.
(Slide footer: 10/2/2022, Data Analytics for Cyber Security)
Aims of Cybersecurity: prevent, detect, respond and recover
- Prevention of cyberattacks against critical assets
- Detection of threats
- Response to threats in the event that they gain access to critical assets
- Recovery and restoration of the normal state of the system in the event that an attack is successful

Assets Affected
Personal: phones (home and mobile), tablets, personal computers (desktops and laptops), external physical hard drives, cloud drives, email accounts, fitness trackers, smart watches, smart glasses, media devices (TiVo, Apple TV, cable box), bank accounts, credit cards, personal gaming systems.
Public: smart meters, the power grid, sewage controls, nuclear power plants, rail lines, airplanes and air traffic, traffic lights, citizen databases, websites (county, state and federal), space travel programs, satellites.
Corporate: customer databases, websites, business applications, the business network, emails, off-the-shelf software, intellectual property.

Motivation behind Cyber Threats
1. Stealing intellectual property
2. Gaining access to customer data
3. Making a political statement
4. Performing cyber espionage
5. Damaging reputation
Also: making a splash / for fun, and impeding access to data and applications.

Why do we have security risks?
- Organizational risks (multiple partners, as in the cyber-attacks at Target and at the Pacific Northwest National Laboratory [PNNL])
- Applications with several dependencies
- Logical errors in software code (such as the missing bounds check behind Heartbleed)
- Lack of user awareness of cybersecurity risks (such as social engineering and phishing)
- Personality traits of the individuals using the systems (exploited by phishing)
- Inherent issues in the Internet protocols being used
Summary of Motivation, Risks and Security
Motivation: to steal intellectual property; to damage reputation; to gain access to data, which can then be sold; to gain access to information that is not generally available; to make a political statement; to impede access to critical data and applications; to make a splash / for fun.
Risks: the Internet protocol, which is inherently not secure; applications with several dependencies; logical errors in software code (e.g. Heartbleed); organizational risks (multiple partners, e.g. Target, PNNL); lack of user awareness of cybersecurity risks (e.g. social engineering, phishing); personality traits of the individuals using the systems.
Attaining security: protecting resources, hardening defenses, capturing data logs, monitoring systems, tracing the attacks, predicting risks, predicting attacks, identifying vulnerabilities.

What is the level of damage that can occur?
According to a McAfee report, cybercrime costs about $600 billion a year, roughly 0.8% of world Gross Domestic Product (GDP) (McAfee, Cybercrime Impact 2018), and malicious actors are becoming more and more sophisticated. The loss from a cyber-attack is not only the direct financial loss: several indirect factors may lead to a much larger financial impact.
Example: the Target cyber-attack (Skariachan and Finkle, Reuters, 2014). Target reported $61 million in expenses related to the attack, of which $44 million were covered by insurance, so the direct financial impact to Target was $17 million. A 46% drop in net profit in the holiday quarter, a 5.5% drop in transactions during the quarter and share price fluctuations led to further losses; cards had to be reissued to several customers, and Target had to offer identity protection to affected customers. These losses amount to much more than the reported $61 million.
In addition, the trust of the customers was lost, which is not a quantifiable loss and has long-term impacts.

Handling Cyber Attacks
Protecting resources, hardening defenses, capturing data logs, monitoring systems, tracing the attacks, predicting risks, predicting attacks, and identifying vulnerabilities.

Overall Areas of Cybersecurity
Network security, cyber-physical security, data and information security, application security.

Sub-areas of Cybersecurity
Application security: incorporating security in the software development process.
Data and information security: securing data from the risk of unauthorized access and misuse.
Network security: securing traditional computer networks; the security measures adopted to secure, and to prevent unauthorized access to and misuse of, either a public or a private network.
Cyber-physical security: emerging challenges due to the coupling of cyber systems with physical systems. With power plants controlled by a cyber system, there is a risk of disruption of the cyber component, and a risk that unauthorized control of the cyber system gives unauthorized control of the physical system.
Data analytics: cross-cutting across the areas, to learn from existing threats and develop solutions for novel and unknown threats to networks, infrastructure, data and information. Example: threat hunting proactively looks for malicious players across the myriad data sources in an organization. It does not have to be a completely machine-driven process; it should account for user behaviors and must look at the operational context. Data analytics solutions give security analysts a much more focused field of vision to zero in on potential threats.

Hardware and Network Landscape
Multiple types of networks and devices: computer networks, Cyber-Physical Systems (CPS), Internet of Things (IoT), sensor networks, smart grids, and wired or wireless networks.
Computer networks: the traditional type of network, in which groups of computers are connected in pre-specified configurations. These configurations can be designed using a security policy that decides who has access to which areas of the network. Another way networks form is by determining patterns of use over a period of time. In both cases, zones can be created for access and connectivity, where each computer in the network and its sub-networks can be monitored.
Cyber-Physical Systems: an amalgamation of two interacting sub-systems, cyber and physical, used to monitor and perform the day-to-day functions of the many automated systems that we rely on, including power stations, chemical factories and nuclear power plants, to name a few.
Internet of Things: ubiquitous connected technology, "smart" things.

Data Analytics
Data analytics deals with analyzing large amounts of data from disparate sources to discover actionable information leading to gains for an organization. It includes techniques from data mining, statistics and business management, among other fields.
Big data:
- Massive datasets (volume)
- Generated at a rapid rate (velocity)
- Heterogeneous in nature (variety)
- Can provide valid findings or patterns in this complex environment (veracity)
- Changing by location (venue)
Every device, action, transaction and event generates data. Cyber threats leave a series of such data pieces in different environments and domains. Sifting through these data can lead to novel insight into why a certain event occurred, potentially allow the identification of the responsible parties, and lead to knowledge for preventing such attacks in the future.
Anatomy of an attack (the PNNL case; the slide's diagram reconstructed as a sequence, in the order of its labels)
- A vulnerability in one of the lab's public-facing web servers
- A drive-by attack on the PCs of site visitors (lab employees), producing compromised workstations
- Scouting of PNNL's network from the compromised workstations for weeks, reaching shared network resources
- A spear-phishing attack through business partners
- A privileged account obtained and the root domain controller compromised
- Account privileges recreated and elevated, which raised an alert

Why Data Analytics is important for cybersecurity: a case study of understanding the anatomy of an attack
The three aspects are temporal, spatial, and a data-driven understanding of human behavioral aspects (particularly of attackers).
Firstly, computer networks evolve over time, and communication patterns change over time. Can we identify the key changes that deviate from the normal changes in a communication pattern, and associate them with anomalies in the network traffic?
Secondly, attacks may have a spatial pattern. Sources and destinations in certain key geo-locations are more important for monitoring and preventing an attack. Can the key geo-locations that are sources or destinations of attacks be identified?
Thirdly, any type of attack has common underpinnings of how it is carried out; this has not changed from physical security breaches to computer security breaches. Can this knowledge be leveraged to identify anomalies in the data where we can see certain patterns of misuse?
Utilizing the temporal, spatial and human-behavioral aspects to learn new knowledge from the vast amount of cyber data can lead to new insights into the challenges faced in the important domain of cybersecurity.

Multi-dimensional view of Threats
Events become relevant when they occur together; they become relevant through proximity rather than causation. Two items are in close proximity based on:
- Source proximity
- Spatial distance
- Destination proximity
- Temporal proximity, or delay
[Figure: nodes N1 to N12 plotted against a time axis from 0 to 16, showing which nodes' events fall close together in time.]
Goal: to identify potential "collusions" among the entities responsible for two such events.

Looking at one dimension of the data is not enough in such prolonged attack scenarios. For such multipronged attacks we need a multilevel framework that brings together data from several different databases. Events of interest can be identified using a combination of factors such as the proximity of events in time, in terms of a series of communications, and even in terms of the geographic origin or destination of the communication.
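The proximity idea in the "Multi-dimensional view of threats" slide, worked through as an added Python example (this is not code from the lecture). Records from different data sources are linked when they are close in more than one dimension (time, shared source, shared destination, or one record's destination being the next record's source), and the entities in linked records are grouped as collusion candidates. The host names, documentation-range addresses, timestamps and the 15-minute window are all constructed; a spatial (geo-location) dimension would be added the same way as the other relations.

```python
"""Proximity-based event correlation across data sources. Added example for
the multi-dimensional view of threats; not code from the lecture. Hosts,
timestamps and thresholds are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations
from collections import defaultdict


@dataclass(frozen=True)
class Event:
    t: int      # minutes since the start of the observation window
    src: str    # source host (constructed names / documentation addresses)
    dst: str    # destination host
    kind: str   # which data source produced the record (ids, flow, auth)


# Constructed timeline: an external hit on a public web server, that server
# reaching two workstations, both touching a file share, a later DC contact,
# a repeat hit from the same external address, and unrelated noise.
EVENTS = [
    Event(0,   "203.0.113.7", "web01",     "ids"),
    Event(2,   "web01",       "ws12",      "flow"),
    Event(3,   "web01",       "ws08",      "flow"),
    Event(9,   "ws12",        "fileshare", "flow"),
    Event(10,  "ws08",        "fileshare", "flow"),
    Event(55,  "ws12",        "dc01",      "auth"),
    Event(56,  "203.0.113.7", "web01",     "ids"),
    Event(240, "10.0.0.99",   "printer",   "flow"),
]


def proximity(a, b, max_delay):
    """Dimensions in which events a and b are close to each other:
    'temporal' (within max_delay), 'source' (same src), 'destination'
    (same dst) and 'chain' (one event's destination is the other's source)."""
    rels = set()
    if abs(a.t - b.t) <= max_delay:
        rels.add("temporal")
    if a.src == b.src:
        rels.add("source")
    if a.dst == b.dst:
        rels.add("destination")
    if a.dst == b.src or b.dst == a.src:
        rels.add("chain")
    return rels


def correlate(events, max_delay=15, min_relations=2):
    """Event pairs that are close in at least min_relations dimensions.
    A single shared dimension (e.g. only 'temporal') is treated as noise."""
    linked = []
    for a, b in combinations(sorted(events, key=lambda e: e.t), 2):
        rels = proximity(a, b, max_delay)
        if len(rels) >= min_relations:
            linked.append((a, b, frozenset(rels)))
    return linked


def collusion_groups(linked):
    """Connected components of the entities appearing in linked pairs
    (union-find): candidates for having acted together, largest group first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in linked:
        ents = [a.src, a.dst, b.src, b.dst]
        for e in ents[1:]:
            parent[find(e)] = find(ents[0])
    groups = defaultdict(set)
    for e in parent:
        groups[find(e)].add(e)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    pairs = correlate(EVENTS)
    for a, b, rels in pairs:
        print(f"t={a.t:3d}/{b.t:3d} {a.src}->{a.dst} ~ {b.src}->{b.dst} via {sorted(rels)}")
    print("collusion candidates:", collusion_groups(pairs))
```

With the 15-minute window the external address, the web server, both workstations and the file share end up in one group, while the later contact from ws12 to dc01 is left out because it shares only its source with an earlier event and is 46 minutes away. Widening the window to 60 minutes pulls dc01 into the same group; the choice of window is exactly the "temporal proximity or delay" parameter the slide names, and it decides how much of a slow, multi-week intrusion of the PNNL kind gets tied together.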
Understanding the Anatomy of an attack: clustering based on features
- Intrusion Detection System (IDS) logs, such as those produced by Snort
- A keyword matrix and a word frequency matrix built from the alert messages
- Perform alarm clustering and alarm data fusion
- Identify critical alerts (a combination of log entries)
- Perform clustering based on combinations of features

Understanding the Anatomy of an attack: collusions and associations
- Extract associations to identify potentially repeated or targeted communications
- Utilize network mapping
- Determine attacks consistently targeted at specific types of machines or individuals

Understanding the Anatomy of an attack: time
- Time intervals account for time proximity and allow mining the data in proximity of time
- Evaluate how the networks evolve over time
- Identify which time interval may be critical: for example, identify repeated events of interest in certain time periods
- Cluster in different segments of time
- Mine for possible attack paths based on variations in proximity, cluster content, cluster cohesion and network evolution

How Can Data Analytics Help?
Data from multiple sources can be used to glean novel information that supports the defense of cyber systems:
- Tracing attacks
- Predicting risks
- Identifying critical systems in a network
- Predicting attacks based on prior or similar attacks
- Identifying vulnerabilities by mining software code
- Understanding user behavior by mining flow and network logs
- Creating robust access control rules by evaluating prior usage and security policies

Focus of this Course
What this course is not about: this course does not address the traditional views of security configurations and shoring up the defenses, including setting up computer networks, setting up firewalls, web server management and patching of vulnerabilities.
What this course is about: this course addresses the challenges in cybersecurity that data analytics can help with, including analytics for threat hunting or threat detection, discovering knowledge for attack prevention or mitigation, discovering knowledge about vulnerabilities, and performing retrospective and prospective analysis to understand the mechanics of attacks and help prevent them in the future.

Thank you!
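The procedure in the three "Understanding the anatomy of an attack" slides (IDS log parsing, keyword and word-frequency matrices, alarm fusion, clustering on feature combinations, associations that reveal repeatedly targeted machines, and time-interval clustering), worked through as one added Python example. This is not code from the lecture: it assumes Snort's alert_fast line format, and the alert lines, signature ids, addresses, classifications and window sizes are all constructed for illustration.

```python
"""Snort alert analytics: keyword and word-frequency matrices, alarm fusion,
clustering on feature combinations, associations and time-interval clustering.
Added example, not lecture code. Assumes Snort's alert_fast output format; the
alert lines, signature ids, addresses and window sizes are all constructed."""
import re
from collections import Counter, defaultdict

# Constructed one-day sample: SQL injection against a web server, SMB access from
# that server to two workstations, both workstations beaconing out, a later scan.
SNORT_LOG = """\
03/14-10:22:01.000000  [**] [1:1000001:1] WEB-ATTACK SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44321 -> 10.0.0.5:80
03/14-10:22:03.000000  [**] [1:1000001:1] WEB-ATTACK SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44322 -> 10.0.0.5:80
03/14-10:22:05.000000  [**] [1:1000001:1] WEB-ATTACK SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:44323 -> 10.0.0.5:80
03/14-10:31:40.000000  [**] [1:1000002:1] POLICY SMB admin share access [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.5:51000 -> 10.0.0.20:445
03/14-10:32:10.000000  [**] [1:1000002:1] POLICY SMB admin share access [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.5:51001 -> 10.0.0.21:445
03/14-11:05:00.000000  [**] [1:1000003:1] MALWARE-CNC outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.20:39000 -> 198.51.100.9:443
03/14-11:05:30.000000  [**] [1:1000003:1] MALWARE-CNC outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.21:39001 -> 198.51.100.9:443
03/14-14:00:00.000000  [**] [1:1000004:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:60000 -> 10.0.0.5:22
"""

# One alert_fast record: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        alerts.append({"t": h * 3600 + mi * 60 + s,  # seconds since midnight (one day)
                       "sid": int(m["sid"]), "msg": m["msg"], "cls": m["cls"] or "",
                       "prio": int(m["prio"]) if m["prio"] else None,
                       "proto": m["proto"], "src": m["src"], "sport": m["sport"],
                       "dst": m["dst"], "dport": m["dport"]})
    return alerts


def tokens(msg):
    return re.findall(r"[a-z0-9]+", msg.lower())


def keyword_matrix(alerts):
    """Alerts x keywords term-frequency matrix; row i belongs to alerts[i]."""
    vocab = sorted({w for a in alerts for w in tokens(a["msg"])})
    idx = {w: i for i, w in enumerate(vocab)}
    rows = []
    for a in alerts:
        row = [0] * len(vocab)
        for w in tokens(a["msg"]):
            row[idx[w]] += 1
        rows.append(row)
    return vocab, rows


def word_frequency(alerts):
    """Corpus-wide keyword counts (the word-frequency matrix collapsed to one row)."""
    return Counter(w for a in alerts for w in tokens(a["msg"]))


def fuse_alarms(alerts, window=60):
    """Alarm fusion: a burst of the same signature between the same src and dst,
    each alert within `window` seconds of the previous one, becomes one alarm."""
    fused, open_by_key = [], {}
    for a in sorted(alerts, key=lambda a: a["t"]):
        key = (a["sid"], a["src"], a["dst"])
        f = open_by_key.get(key)
        if f and a["t"] - f["last"] <= window:
            f["count"] += 1
            f["last"] = a["t"]
        else:
            f = {"sid": a["sid"], "msg": a["msg"], "src": a["src"], "dst": a["dst"],
                 "first": a["t"], "last": a["t"], "count": 1}
            fused.append(f)
            open_by_key[key] = f
    return fused


def cluster_by(records, features):
    """Group records on a combination of features, e.g. ("sid", "dst")."""
    clusters = defaultdict(list)
    for r in records:
        clusters[tuple(r[f] for f in features)].append(r)
    return dict(clusters)


def targeted_hosts(fused, min_sources=2):
    """Association: destinations that several distinct sources keep talking to."""
    srcs = defaultdict(set)
    for f in fused:
        srcs[f["dst"]].add(f["src"])
    return sorted(d for d, s in srcs.items() if len(s) >= min_sources)


def time_buckets(alerts, width=600):
    """Per fixed-width interval (start second): alert count, distinct (src, dst) pairs."""
    buckets = defaultdict(lambda: {"alerts": 0, "pairs": set()})
    for a in alerts:
        b = buckets[(a["t"] // width) * width]
        b["alerts"] += 1
        b["pairs"].add((a["src"], a["dst"]))
    return {start: (b["alerts"], len(b["pairs"])) for start, b in sorted(buckets.items())}


def critical_intervals(buckets, min_pairs=2):
    """Intervals in which several distinct host pairs raised alerts at once."""
    return [start for start, (_, pairs) in buckets.items() if pairs >= min_pairs]


def hhmm(seconds):
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}"


if __name__ == "__main__":
    a = parse_alerts(SNORT_LOG)
    print("targeted:", targeted_hosts(fuse_alarms(a)))
    print("critical:", [hhmm(s) for s in critical_intervals(time_buckets(a))])
```

On the constructed sample, fusion collapses the three injection alerts into one alarm with a count of three, and the association step reports two destinations: the web server 10.0.0.5, hit by two different external sources, and the external address 198.51.100.9, which two internal workstations both beacon to. The second hit is not an attacked machine but a shared command-and-control destination, which is exactly the kind of repeated communication the slide says to surface. The two ten-minute intervals in which more than one host pair was active (10:30 and 11:00) are the lateral-movement and beaconing phases; the earlier burst against the web server has many alerts but a single host pair.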