from 13:40 to 14:20
Cybersecurity has become a top priority in large organizations. Top management is now aware that a security incident can have a huge impact on the business.
At the same time, cyber-attacks are becoming more sophisticated and stealthy. The days when deploying enterprise antivirus software and perimeter defenses such as firewalls was enough to stop intrusions are gone.
Today, attacks are targeted, persistent and unique.
For that reason, organizations are setting up Security Operations Centers (SOCs), which deliver 24x7 real-time security monitoring based on a continuous flow of millions of security-related events coming from multiple sources.
While real-time inspection brings clear benefits, because it allows the organization to respond to attacks as they happen, focusing on such a small time window lets many sophisticated attacks go unnoticed.
The case study described in this talk explains how an organization in the food industry, with 300k+ employees and a presence in 100+ countries, is adding an extra layer of security based on big data analytics capabilities, providing net-new value on top of its existing SOC investment. With billions of events generated every week, real-time monitoring needs support from big data approaches to proactively 'hunt' targeted and advanced attacks.
By leveraging a cloud-based Hadoop solution, R and PowerBI, a threat detection approach based on proactive hunting and anomaly detection is being progressively implemented.
Anomalies are spotted by applying well-known analytics techniques, from data transformation and mining to segmentation, regression, classification, dimensionality reduction and hypothesis testing. As one example among many that will be presented in the talk, malware-based attacks are brought to the surface because analytics shows that compromised workstations behave differently in terms of connection timeframes, the proportion of accesses to sites hosted in certain countries, connection volume, connections to systems never contacted before, and other variables.
As the project progresses, it becomes clear that, because most systems are not compromised and most network traffic is legitimate, malicious activity can be isolated if the right features are selected and appropriate algorithms are applied.
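As an added illustration (this is example code written for this page, not code from the talk or from the organization it describes), the script below turns the feature list above into a small hunting job: it extracts per-workstation features from constructed proxy log lines (connection volume, share of off-hours connections, share of connections to a watchlist country, and destinations never seen in a baseline week) and then flags hosts whose features are outliers by the modified z-score (median and MAD, with a mean absolute deviation fallback when MAD is zero, which happens constantly when only a handful of hosts are compared). The log format, host names, country codes, business hours, the watchlist and the 3.5 cutoff are all assumptions made for the example; Python is used instead of R so that it runs with no dependencies.

```python
"""Added example, not code from the talk or the organization it describes.

Per-workstation feature extraction over constructed proxy log lines, then
outlier detection with the modified z-score (median/MAD, with a mean absolute
deviation fallback when MAD is zero). Log format, host names, countries,
business hours and the 3.5 cutoff are assumptions made for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)      # assumption: 08:00-17:59 local time is "normal"
WATCHLIST_COUNTRIES = {"ZZ"}       # constructed placeholder code, not a real country
MODIFIED_Z_CUTOFF = 3.5            # conventional outlier cutoff for modified z-scores


def parse_log(text):
    """Parse lines of the constructed format: '<ISO timestamp> <src> <dst> <country>'."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "country": country})
    return events


def destinations_by_host(events):
    """Set of destinations each host contacted (the 'already seen' baseline)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["dst"])
    return seen


def extract_features(events, baseline_seen):
    """Per-host features mirroring the talk's list: volume, off-hours share,
    share of watchlist-country destinations, and never-before-seen destinations."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["src"]].append(e)
    feats = {}
    for host, evs in by_host.items():
        n = len(evs)
        feats[host] = {
            "volume": n,
            "off_hours_frac": sum(e["ts"].hour not in BUSINESS_HOURS for e in evs) / n,
            "watchlist_frac": sum(e["country"] in WATCHLIST_COUNTRIES for e in evs) / n,
            "new_dsts": len({e["dst"] for e in evs} - baseline_seen.get(host, set())),
        }
    return feats


def modified_z(values):
    """Modified z-scores (Iglewicz & Hoaglin). Falls back to mean absolute
    deviation when MAD is 0, and to all-zero scores when every value is equal."""
    med = statistics.median(values)
    devs = [abs(v - med) for v in values]
    mad = statistics.median(devs)
    if mad > 0:
        return [0.6745 * (v - med) / mad for v in values]
    mean_ad = statistics.mean(devs)
    if mean_ad > 0:
        return [(v - med) / (1.253314 * mean_ad) for v in values]
    return [0.0 for _ in values]


def find_outliers(feats, cutoff=MODIFIED_Z_CUTOFF):
    """Return {host: [feature names whose modified z exceeds cutoff]} for flagged hosts."""
    hosts = sorted(feats)
    flagged = defaultdict(list)
    for name in ("volume", "off_hours_frac", "watchlist_frac", "new_dsts"):
        zs = modified_z([feats[h][name] for h in hosts])
        for h, z in zip(hosts, zs):
            if z > cutoff:               # one-sided: only "more than usual" is suspicious here
                flagged[h].append(name)
    return dict(flagged)


def build_constructed_logs():
    """Constructed baseline week and current week for six workstations. In the
    current week ws06 adds night-time connections to ten never-seen hosts in
    the watchlist country; ws03 contacts one benign new site."""
    normal = [(9, "intranet.corp", "NL"), (11, "mail.corp", "NL"), (14, "cdn.example", "US")]

    def week(days):
        return [f"2024-05-{d:02d}T{h:02d}:00:00 ws{i:02d} {dst} {c}"
                for d in days for i in range(1, 7) for h, dst, c in normal]

    baseline = week(range(1, 6))
    current = week(range(8, 13))
    current.append("2024-05-09T12:00:00 ws03 news.example US")   # benign novelty
    current += [f"2024-05-{d:02d}T{h:02d}:00:00 ws06 host-{d}-{h}.example ZZ"
                for d in range(8, 13) for h in (2, 3)]
    return "\n".join(baseline), "\n".join(current)


def hunt():
    """Run the whole pipeline on the constructed data: (features, flagged hosts)."""
    baseline_text, current_text = build_constructed_logs()
    seen = destinations_by_host(parse_log(baseline_text))
    feats = extract_features(parse_log(current_text), seen)
    return feats, find_outliers(feats)


if __name__ == "__main__":
    feats, flagged = hunt()
    for host, names in flagged.items():
        print(host, feats[host], "outlier on:", names)
```

On the constructed data only ws06 is flagged, on all four features, while ws03's single new destination stays well under the cutoff. Two points carry over to real data: the baseline of "already seen" destinations must come from a period believed to be clean, or the compromised host's beaconing simply becomes part of normal; and with few hosts in a segment the MAD is frequently zero, so a scorer without a fallback either divides by zero or silently scores everything as normal.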
The key challenge of the project is still scope creep: the right data model, data processing routines and consumption model were anything but obvious at the beginning. The next frontier is to move away from a big data playground, with ever-changing scope and endless possibilities, to an integrated solution that consistently delivers business value.
The ultimate goal of this talk is to shed light on the advantages and challenges (regardless of the technology chosen) of big data analytics approaches playing a relevant role in the complex field of enterprise cybersecurity, and to gather useful feedback from the community.