A sophisticated hacking group recently attacked a public utility in the US and compromised its control system network. Such incidents are increasing steeply worldwide, and the focus is shifting towards preventive mechanisms, with automation and pattern analysis increasingly used to counter evolving threats. Statistics on breaches of Critical Infrastructure bring out two important aspects:
- 84% of breaches aim at disruption and exploit zero-day vulnerabilities, which argues for predictive analytics and APT protection
- 66% of attacks are state-sponsored and go undetected for months, which argues for Security Analytics and Intelligence to detect and respond to the threat actions
A security analytics and intelligence platform can help identify potential triggers, predict patterns of threat actions and allow efficient preventive measures to be introduced. However, such a platform will not be effective if your IT infrastructure is scattered, full of silos of processes, tools and technologies, and populated with unclassified assets. My first piece of advice for building this platform is "Keep it simple". As step one, it is imperative to understand the IT infrastructure and security landscape and to define the boundaries of security. The boundaries can be defined by classifying the assets according to the confidentiality, integrity and availability controls they require.
Coming back to the platform, I envision one that integrates social, mobile and analytics data and that can be implemented using any of several approaches: a big data approach, a unified approach, or a governance layer that binds Security Analytics to the business or to threat intelligence. Four aspects are involved:
- Collecting data from various sources: security operations, management platforms, control centre operations of grids etc., including MS transactions, emails, documents, social media and business process data; and deriving threat and vulnerability patterns from it
- Creating correlation rules: to identify anomalies based on past trends of threat actions, industry trends and the evolving adversary landscape
- Introducing appropriate security controls: to predict, prevent, detect and respond to incidents
- Creating a transaction database: to provide a clear audit trail for forensic analysis, root cause analysis and a continuous improvement process
In an ICS/SCADA network this platform operates differently: it requires capturing logs and entries from every layer of the ICS, including IP and non-IP devices, control systems, PLCs, RTUs and field devices. Creating correlation rules for real-time analysis and action becomes the key success criterion for the platform. A few example use cases:
- Detecting surges on the grid and correlating them with Work Orders and other transactional logs from the office and operations domains
- Identifying rogue services that get created during regular operational tasks such as device patching
- Detecting deletion of records related to oil exploration in the business systems during regular operational procedures
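The first two use cases above, and the "correlation rules" aspect of the platform, can be expressed as simple rules that join an event from the operations domain with a record from the office domain. The following is an added example, not code from the original post: it runs two such rules over constructed telemetry, Work Order, patch-window and service-creation records. All identifiers (substation names, host names, `WO-`/`PW-` ids, the approved-service baseline) and the thresholds are assumptions chosen for illustration.

```python
"""Two correlation rules over constructed ICS/IT events (added example, not from the original post).

Rule 1: a load surge at a substation is only expected inside a Work Order window for that substation.
Rule 2: a newly created service is only expected inside a patch window for that host, and even then
        it must be on the approved baseline.
All records below are constructed; field layouts and names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed grid telemetry from the operations domain: (timestamp, substation, load in MW)
TELEMETRY = [
    (datetime(2016, 3, 1, 9, 0), "SUB-A", 120.0),
    (datetime(2016, 3, 1, 9, 5), "SUB-A", 310.0),   # surge, but WO-1001 covers it
    (datetime(2016, 3, 1, 14, 0), "SUB-B", 95.0),
    (datetime(2016, 3, 1, 14, 5), "SUB-B", 290.0),  # surge with no Work Order -> alert
]

# Constructed Work Orders from the office domain: (id, substation, start, end)
WORK_ORDERS = [
    ("WO-1001", "SUB-A", datetime(2016, 3, 1, 8, 30), datetime(2016, 3, 1, 10, 0)),
]

# Constructed service-creation events from host logs: (timestamp, host, service name)
SERVICE_EVENTS = [
    (datetime(2016, 3, 2, 2, 10), "HMI-01", "WinRM"),        # in patch window, on baseline
    (datetime(2016, 3, 2, 2, 12), "HMI-01", "svchost_upd"),  # in patch window, not on baseline -> alert
    (datetime(2016, 3, 2, 11, 0), "HMI-02", "WinRM"),        # on baseline, outside any window -> alert
]

# Constructed patch windows from the change-management system: (id, host, start, end)
PATCH_WINDOWS = [
    ("PW-42", "HMI-01", datetime(2016, 3, 2, 2, 0), datetime(2016, 3, 2, 4, 0)),
    ("PW-42", "HMI-02", datetime(2016, 3, 2, 2, 0), datetime(2016, 3, 2, 4, 0)),
]

# Constructed baseline of services approved for ICS hosts
APPROVED_SERVICES = {"WinRM", "Spooler"}


def covering_window(ts, asset, windows, slack=timedelta(0)):
    """Return the id of the first window for `asset` that covers `ts` (widened by `slack`), else None."""
    for ident, w_asset, start, end in windows:
        if w_asset == asset and start - slack <= ts <= end + slack:
            return ident
    return None


def detect_unplanned_surges(telemetry, work_orders, delta_mw=100.0, slack=timedelta(minutes=15)):
    """Rule 1: a jump of at least delta_mw between consecutive readings at one substation,
    with no Work Order covering that time (allowing `slack` around the order window).
    Returns (timestamp, substation, previous_load, load) tuples for an analyst to review."""
    last_load = {}
    alerts = []
    for ts, substation, load in sorted(telemetry):
        prev = last_load.get(substation)
        last_load[substation] = load
        if prev is None or load - prev < delta_mw:
            continue
        if covering_window(ts, substation, work_orders, slack) is None:
            alerts.append((ts, substation, prev, load))
    return alerts


def detect_rogue_services(events, patch_windows, approved):
    """Rule 2: flag a service created outside any patch window for its host, and a service that
    is inside a window but not on the approved baseline. Returns (timestamp, host, service, reason)."""
    alerts = []
    for ts, host, service in events:
        window = covering_window(ts, host, patch_windows)
        if window is None:
            alerts.append((ts, host, service, "created outside any patch window"))
        elif service not in approved:
            alerts.append((ts, host, service, f"not on approved baseline (window {window})"))
    return alerts


if __name__ == "__main__":
    for alert in detect_unplanned_surges(TELEMETRY, WORK_ORDERS):
        print("SURGE   ", alert)
    for alert in detect_rogue_services(SERVICE_EVENTS, PATCH_WINDOWS, APPROVED_SERVICES):
        print("SERVICE ", alert)
```

The point of both rules is the join across domains: the surge is normal only because the office system knows about WO-1001, and the WinRM service on HMI-02 is suspicious only because no patch window was scheduled for that host. The `slack` parameter absorbs clock skew between the control centre and office systems; the two alert reasons in rule 2 keep "outside a window" separate from "unknown service", since the second is the stronger signal of a rogue service introduced under cover of patching.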
A Security Analytics & Intelligence platform can help in identifying and evaluating threats, qualifying threat vectors, assessing the probability that a threat action succeeds and providing security posture information.
The Security Analytics market today is minuscule (Gartner cannot estimate the size of the Security Analytics market because apparently there is no market to report!). However, I see the industry opening up to preventive and predictive mechanisms through Security Analytics & Intelligence, with a specific focus on streamlining the underlying security infrastructure. This trend is bound to drive business initiatives such as mergers & acquisitions and global expansion.
What are your views on the need for a Security Analytics & Intelligence platform?