Using Analytics to Fight Cyber Crime
Security at our airports is based primarily on looking for known banned items. The premise is that terrorists will be thwarted if they reuse an approach that previously succeeded, or nearly succeeded and was only fortuitously prevented. That is essentially how blacklisting works: signature-based anti-virus software, and in most cases intrusion detection and prevention systems, compare what they see against a catalogue of known-bad items, and are blind to anything not yet in that catalogue.
But staying with this analogy, when travelling out of Israel you find that while security also scans for known threats on your body and in your luggage, Israeli security primarily focuses on analyzing behavior, looking for someone likely to commit a terrorist act. In a way, that is similar to what many customs checks do. Rather than x-raying luggage, officers ask a few questions to judge whether someone is likely to be bringing in contraband. In effect, they are applying behavioral heuristics rather than a list of banned items.
In much the same way, cyber security is taking on a more holistic analysis to identify threats in addition to looking for specific known ones. More advanced tools look for anomalies, such as a burst of data flow at an unscheduled time or a higher than normal load, measured against a baseline of what is normal for that system at that time of day. It is these out-of-normal patterns that can help detect an otherwise unknown and undetected threat. Anomaly detection produces more false positives at first, while the baseline is still being learned; as the analytics software refines its model of consistent behavior, and as analysts feed back which alerts turned out to be benign, the false-positive rate should fall quickly.
To make this work, detection rules can be implemented as custom rules or scripts on a firewall or on IDS/IPS devices. The key is knowing what to look for, and that is where cyber security experts, particularly those who know the industrial process control domain and what normal plant traffic looks like, are extremely valuable. To be fair, this isn't a new idea; the concept has been around a while. See a 2010 Deloitte publication and this article on a solution IBM proposed for the FAA. A self-learning system would make this approach far more valuable, which is apparently what Google pursued, as noted in an October 2010 patent application for an adaptive cyber security analytics package.
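As an added illustration, written for this page rather than taken from the article or from any vendor's product, the block below builds the kind of per-hour-of-day traffic baseline described above and scores new hourly flow summaries against it. It shows why "knowing what to look for" matters: a 40 MB hour is unremarkable during a shift but alarming at 03:00, a scheduled 02:00 backup is learned from history rather than hard-coded, and a host with no history is reported as such instead of being called normal. The host names, byte counts and nightly schedule are constructed sample data; the cutoff of 3.5, the 14-sample window and the 5% floor on the deviation estimate are tuning assumptions.

```python
"""Hour-of-day traffic baseline with robust anomaly scoring.

Added example written for this page (not code from the article or from any
vendor product). All hosts, byte counts and schedules below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
import random
import statistics

MB = 1_000_000


@dataclass
class Flow:
    """One hourly flow summary: total bytes a host sent during that hour."""
    ts: datetime
    host: str
    nbytes: int


class HourlyBaseline:
    """Per-host, per-hour-of-day profile of normal outbound volume.

    Uses median and median absolute deviation (MAD) instead of mean and
    standard deviation, so a few past incidents in the history do not
    inflate "normal" and hide later ones. A sliding window of the most
    recent samples lets the profile follow legitimate changes in behavior.
    """

    def __init__(self, threshold=3.5, min_samples=5, window=14):
        self.threshold = threshold      # 3.5 is the usual cutoff for modified z-scores
        self.min_samples = min_samples
        self.samples = defaultdict(lambda: deque(maxlen=window))

    def learn(self, flow):
        self.samples[(flow.host, flow.ts.hour)].append(flow.nbytes)

    def score(self, flow):
        """Modified z-score of this hour's volume, or None if history is too thin."""
        hist = self.samples.get((flow.host, flow.ts.hour))
        if hist is None or len(hist) < self.min_samples:
            return None
        med = statistics.median(hist)
        mad = statistics.median(abs(x - med) for x in hist)
        # 1.4826 * MAD estimates one standard deviation for normal data. The
        # floors (5% of the median, 1 byte) stop a perfectly steady history
        # (MAD == 0) from turning every tiny fluctuation into an alert.
        scale = max(1.4826 * mad, 0.05 * med, 1.0)
        return (flow.nbytes - med) / scale

    def classify(self, flow):
        s = self.score(flow)
        if s is None:
            return "no-baseline"   # never report "normal" for a host we know nothing about
        return "anomaly" if abs(s) > self.threshold else "normal"


def build_training_flows(host, days=14, seed=42):
    """Constructed history: quiet nights (~2 MB/h), busy shifts (~50 MB/h),
    and a scheduled 400 MB backup at 02:00, each with +/-10% jitter."""
    rng = random.Random(seed)
    flows = []
    for day in range(1, days + 1):
        for hour in range(24):
            base = 400 * MB if hour == 2 else 50 * MB if 8 <= hour < 18 else 2 * MB
            flows.append(Flow(datetime(2024, 3, day, hour), host,
                              int(base * (1 + rng.uniform(-0.1, 0.1)))))
    return flows


def run_demo():
    """Train on the constructed history, then classify constructed observations."""
    host = "historian-01"
    baseline = HourlyBaseline()
    for flow in build_training_flows(host):
        baseline.learn(flow)

    checks = {
        "shift_normal":   Flow(datetime(2024, 3, 15, 10), host, 52 * MB),
        "night_burst":    Flow(datetime(2024, 3, 15, 3), host, 40 * MB),    # fine at 10:00, not at 03:00
        "shift_overload": Flow(datetime(2024, 3, 15, 10), host, 400 * MB),  # far above the shift norm
        "shift_silent":   Flow(datetime(2024, 3, 15, 10), host, 0),         # going quiet is anomalous too
        "backup_window":  Flow(datetime(2024, 3, 15, 2), host, 400 * MB),   # learned schedule, not a rule
        "unknown_host":   Flow(datetime(2024, 3, 15, 3), "eng-ws-07", 40 * MB),
    }
    verdicts = {name: baseline.classify(f) for name, f in checks.items()}

    # Analyst feedback: a new nightly job at 03:00 is confirmed benign. Learning
    # those nights ages the old 03:00 samples out of the window, so the same
    # burst stops alerting without anyone editing a rule.
    for night in range(10):
        baseline.learn(Flow(datetime(2024, 3, 16 + night, 3), host, 40 * MB + night * 100_000))
    verdicts["night_burst_after_learning"] = baseline.classify(checks["night_burst"])
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} {verdict}")
```

The sliding window is what makes the false-positive rate fall as behavior is tracked, but it is also the caveat a practitioner should keep in mind: an attacker who ramps up exfiltration slowly enough can teach the baseline that the new volume is normal. In practice the learned profile should be reviewed against the plant's actual schedule, and large step changes should be confirmed by an analyst before they are allowed into the window.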
Waiting for these solutions to become commercially available does not preclude you from taking advantage of analytics-based cyber security tactics today. However, the skills to know what to look for, and then to filter out the noise, are not widely available. Some sophisticated cyber security organizations such as Honeywell's security group do have these skills; so if you are interested, talk to your DCS vendor and see if they can help you use algorithm-based analytics to prevent cyber crime.