How any organisation can use big data to catch cybercriminals
By Stuart Clarke, CTO Cyber Solutions at Nuix
Recent reports show cyberattacks are becoming more and more frequent and costly, especially among smaller businesses. Criminals have become more organised in gaining access to sensitive information by using techniques including phishing emails, man-in-the-middle attacks and malware.
The recently approved European Union General Data Protection Regulation (GDPR) will make it mandatory to report data breaches that involve the private data of EU citizens – usually within 72 hours. This is easier said than done.
Where is your data?
A recent survey of security executives, sponsored by Nuix, found that 96% of organisations recognise the importance of personally identifiable information, payment card information and intellectual property. However, nearly one-third (31%) of respondents could not say where this critical value data lay across the enterprise, who had access to it or what people did with it after they accessed it.
This poses a serious challenge for data breach investigations. One of the main reasons organisations take so long to detect and remediate breaches is they don’t know where their high-value or high-risk data is stored, so they can’t target those systems for investigation.
In part, this is due to the fact that at least 80% of organisational data is unstructured – it’s in complex formats such as emails, photos, documents and presentations that are difficult to search and understand. There is also much more of it – data volumes double about every two years. This rapid growth, together with an increasing number of storage devices, cloud technologies and ‘bring your own device’ policies, is increasing the opportunities for data leaks.
If investigators cannot say with any certainty where the stolen or leaked data came from, they will have a much harder time identifying the cause of the breach, effectively and accurately communicating its impact and defending the organisation against the next attack.
Identify and protect your ‘crown jewels’
The first step in protecting an organisation’s information ‘crown jewels’ is identifying and agreeing on which data is critical to the business and therefore worth giving the highest protection. Data with intrinsic monetary value, such as customers’ personal information, is relatively easy to identify. But critical value data can include other types of information which may not be immediately obvious; executive email on sensitive topics, valuable operational data and proprietary pricing models are just three examples.
The next challenge is finding out where this critical value data is stored. Reviewing an organisation’s business processes and network architecture will often reveal critical value data stored in less obvious places. This may include staff members’ “bring your own” laptops and other unmanaged locations.
The final important factor to determine is who has access to the critical value data. The IT systems that make it convenient to share and access data can also present vulnerabilities. Understanding the organisation’s business processes can point to who has access to the information. This feeds into making conscious decisions on who should keep that access.
Find the needle in a stack of needles
Every information management discipline – including cybersecurity, eDiscovery and information governance – is grappling with how best to manage masses of varied data. To deal with continued data growth and the financial and organisational pressures they face when investigating cybercrimes, data breach investigators have no choice but to embrace new methods.
As data volumes grow, investigators must trawl through ever-increasing numbers of search results to find the information they seek. Traditional digital investigation tools present this information in seemingly interminable lists and tables. These quickly become too much for the human mind to process with any real meaning. However, new technologies provide a much easier way for investigators to understand large quantities of information.
By presenting data in a visual way, advanced investigative tools enable cybersecurity investigators to analyse all evidence at once. New technologies visually analyse, map, and categorise items of interest such as internet histories, device access records, communication activities, notable operating system events and new files.
For example, rather than looking at a large list of communication records extracted from mobile phones and desktop computers, investigators can display this information as a visual network. At a glance, they can see who the primary communicators are, whom they spoke to, and how often.
Investigators can also use IP addresses or embedded metadata to locate geographical coordinates and plot maps which enable them to understand the movements of a suspect and their contacts.
Data visualisation techniques enable investigators to discard irrelevant or redundant information and quickly highlight and focus in on anomalies they have discovered. They can also expose information the organisation didn’t previously know about and can find links between data sources they may otherwise have missed, identifying previously unseen patterns and trends in the data.
Once investigators have exposed an item of interest, they can pull on that thread and see where it leads – what other data it is linked to, what new findings it will help uncover, and what new intelligence it will reveal. They can use these visualisations to establish key players, their locations, and their involvement in a matter of interest.
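As an added illustration (not code from the article or from Nuix), the following script shows the kind of processing behind the communication-network view described above: it collapses a constructed set of extracted communication records into a weighted graph, ranks the primary communicators, lists whom a given person spoke to and how often, and emits Graphviz DOT so the network can be drawn with edge thickness proportional to message volume. All names, timestamps and records are invented.

```python
import csv, io
from collections import Counter

# Constructed sample records (sender,recipient,timestamp); not real data.
SAMPLE_RECORDS = """sender,recipient,timestamp
alice,bob,2016-05-02T09:01:00
alice,bob,2016-05-02T09:15:00
bob,alice,2016-05-02T09:20:00
alice,carol,2016-05-02T10:00:00
carol,alice,2016-05-02T10:05:00
bob,carol,2016-05-03T08:30:00
dave,alice,2016-05-03T11:00:00
eve,bob,2016-05-03T14:00:00
eve,bob,2016-05-03T14:10:00
dave,eve,2016-05-04T16:45:00
"""

def build_network(text):
    """Collapse raw records into an undirected weighted graph:
    (a, b) -> number of messages exchanged, regardless of direction."""
    edges = Counter()
    for r in csv.DictReader(io.StringIO(text)):
        edges[tuple(sorted((r["sender"].strip(), r["recipient"].strip())))] += 1
    return edges

def primary_communicators(edges, top_n=3):
    """Weighted degree per person; the most active communicators first."""
    totals = Counter()
    for (a, b), n in edges.items():
        totals[a] += n
        totals[b] += n
    return totals.most_common(top_n)

def contacts_of(edges, person):
    """Whom this person spoke to and how often, most frequent first."""
    out = {b if a == person else a: n
           for (a, b), n in edges.items() if person in (a, b)}
    return Counter(out).most_common()

def to_dot(edges):
    """Graphviz DOT text; edge width scales with message count."""
    body = [f'  "{a}" -- "{b}" [label={n}, penwidth={n}];'
            for (a, b), n in sorted(edges.items())]
    return "graph comms {\n" + "\n".join(body) + "\n}"

if __name__ == "__main__":
    net = build_network(SAMPLE_RECORDS)
    print(primary_communicators(net), contacts_of(net, "alice"), sep="\n")
    print(to_dot(net))
```

Pipe the DOT output into `dot -Tpng` to render the network; the heaviest relationships appear as the thickest edges.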
When the GDPR comes into effect next year, all organisations that operate in the EU, or deal with its citizens, will need the ability to carry out timely investigations over large volumes of data. By using big data analytics techniques, they can quickly uncover and act on the key facts, events and identities hidden among masses of digital evidence.