Analytical Security: Data-driven analytics and a new information security paradigm

By John Beeskow, EVP of IT & Security Strategy, CBI

John Beeskow, EVP of IT & Security Strategy, CBI

For information security professionals, the security landscape is evolving in important ways. Today, more organizations are identifying and addressing security concerns, not just through traditional security infrastructure, but also by analyzing and leveraging big data that provides critical insights into where threats might exist and how significant those threats might be.

"To analyze your employee risks, consider applying analytics to internal employee behavior and aligning that data with employee engagement"

This new approach requires both a philosophical and an operational shift. Similar to how organizations are leveraging their operational technology to make better business decisions, security teams can take a page from that book and do the same with the vast quantities of data that Security Operations is collecting.

From a security perspective, this opens up a wealth of new opportunities. Information security professionals need to start thinking about what that data means, and also what the results would be if that data were to get out. Proprietary processes yield substantial competitive advantages, and those processes are largely driven by this operational technology – and the big data/analytics that are going on behind the scenes.

The big change that is taking place in the information security world, however, is that those same analytics are opening up new opportunities to create more robust security solutions. In the same way that some forward-thinking insurance companies are making better risk decisions based on how people are actually driving cars–instead of relying on traditional underwriting protocols– information security professionals are relying less on the tactical/ functional structures and operations of defensive security tools, and more on their ability to leverage analytics and identify anomalies. A firewall is an important tool, but it can be equally important to recognize when unusual or suspicious activity is taking place.

It is not only important to identify deviations from the baseline, but to understand if that deviation represents a threat. What constitutes “normal” activity and what is aberrant? Security professionals should be asking themselves if their team understands what “normal” looks like, and they should be advocating for policies and procedures that provide clarity. For growing numbers of businesses, that means not only monitoring activities, gathering data and logging it into a central database, but also applying powerful analytics tools to that data–and in some cases bringing in experts, engaging in sophisticated predictive modeling and other strategic initiatives.

Keep it safe

At a time when companies have access to exponentially greater amounts of detailed information, protecting that information is more important than ever. While there is much that can be learned from proprietary data, the first priority is to keep the data safe.

Perhaps the simplest way to do that is to work with those who are building these data-gathering and analytics systems and reinforce the message that this data should be treated as highly sensitive information. Make it clear that these are not just bits and bytes–there are real value there. Sometimes just having a conversation and explaining the ramifications of a breach, or explaining what could happen if sensitive information were to get into the hands of a competitor, is enough to ensure that basic safeguards and precautions are observed.

Most companies that are mature enough to be looking at these types of analytics in the first place understand that there is real value there, and recognize that that value needs to be protected as well as leveraged. They understand that they are making a substantial investment in these technologies and processes, and that failing to protect that investment would be a mistake.

Recognize vulnerabilities

Malicious attacks can come from competitors, outside organizations and inside operators. Social media makes it surprisingly easy to identify employees who may be disgruntled and/or a ripe target for manipulation.

But while employees may be a potential weak link, they can also be a source of strength and security. Educated and engaged employees can be an important line of defense. It all starts with culture, specifically the security culture of the organization. In some organizations, it is clear that employees really “get it”, and in others, it is obviously more than a tiresome obligation. The goal is to emphasize information security in a way that inspires employees to view it as an essential part of their job, not an impediment.

To analyze your employee risks, consider applying analytics to internal employee behavior and aligning that data with employee engagement. Evaluating the activities of representatives and comparing them to their peers may reveal worrisome patterns. If so, you can then determine if their activity is fluctuating because of call volume, or because they are engaged in inappropriate processes or looking at sensitive or prohibited information.

Gauge your risk appetite

Before any concrete steps are taken to improve information security, security professionals need to have a frank discussion with executive leadership about risk: what it looks like, and what it would mean if proprietary operational information or sensitive customer data was exposed. Once the impact of a breach is understood, you can evaluate the amount of effort and resources needed to address the issue. If the potential impact is minimal, then the perceived risk level is lower, and a business decision to not over-invest in security may make sense.

Going through the evaluation process to consider the risks and make an informed decision is an important process. Downtime might be a big worry for some businesses, protecting sensitive customer information might be a core concern for others, and others might prioritize securing proprietary data or processes. Assessing risk boils down to the potential financial impact, whether from reputation/brand damage, or from direct costs associated with operational disruption or an outage. Appropriately enough, before these new analytical security strategies and data-driven analyses can be deployed against external threats, businesses first need to turn an analytical eye on their own risk appetite and professional priorities.