Saryu Nayyar | cisomag.eccouncil.org
Back when security threats were relatively unsophisticated, understanding them was easier. Attackers often gained access by generating or guessing passwords. Passwords were drilled into both IT professionals and users as the front line of defense, and users had password creation and usage rules beaten into them. Unfortunately, users often chose passwords that were easy to crack, or passwords that were hard to crack but also hard to remember, and so wrote them down.
Passwords were what we had and were almost universally used, but they leave a lot to be desired. Fortunately, attacks years ago were fairly basic. Over the last several years that has changed: attacks have become more subtle and more pervasive, and passwords are increasingly overwhelmed by techniques that did not exist when they gained broad acceptance.
Data Science Can Replace Passwords for Authentication
Data science and analytics are changing that equation, though. Rather than a single binary login, data science offers the opportunity to monitor activity on an ongoing basis, as it occurs. What does this buy the enterprise looking for a better cybersecurity strategy?
It seems odd that an analytical approach can make a real difference in enterprise cybersecurity, but it is a very real trend. Here is how it works. The data, produced and stored in system, network, and application log files, represents the steady state of the environment; in other words, normal people doing normal things to do their jobs. With the most sophisticated data science tools, algorithms can learn to distinguish routine activity from activity that may indicate an attack.
Algorithms examine the logged events in real time and classify each as normal or potentially suspicious. An activity identified as potentially suspicious can then be investigated further, either by other software or by security professionals.
What makes an activity potentially suspicious? Data science uses classical statistical techniques to decide. It classifies activities and evaluates them based on what they do and how frequently they occur. An activity that is statistically unlikely for that user or system is an outlier that may indicate an attack. An outlier is not proof of an attack, however: rare but legitimate work looks the same to a frequency count, which is why a flagged event is investigated rather than blocked outright.
Data science can also use machine learning models. These models fit their parameters to the observed data, in effect learning what is normal by watching the environment over time. The model-based approach tends to be more effective because it tailors itself to that particular enterprise. The baseline must be learned from a period believed to be clean: whatever an attacker does during the training window becomes part of "normal."
Leading to Continuous Authentication
Using data science and analytics opens up the opportunity to employ continuous authentication rather than depending on a single user action. Continuous authentication is a difficult concept for many security professionals to get their minds around. There is not necessarily a single login that grants users all of their privileges. Instead, every event is checked against the models and evaluated both on its own and together with the events around it, to determine whether it is normal activity.
Can data science eliminate the need for a one-time authentication such as a password? Much of the security industry is already moving in that direction, having understood the difficulties and limitations of passwords. How does continuous authentication work?
To use data science effectively as a more reliable method of authentication, it is critical to examine individual events and groups of events, and to make decisions on them, in real time. It is not possible to wait until the end of the day to identify a potential attack.
Data science therefore examines all logged activity continuously, and more sophisticated models go a step further: model-based analysis refines the approach by narrowing the false positives so that true attacks stand out. If a sequence of activities is something the user would normally do, the user is allowed to proceed. If it is unusual or clearly an attack, an automated control or IT staff intervene.
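The mechanics described in the two sections above (a per-user statistical baseline learned from logs, then every new event scored on its own and as part of the recent sequence, with a graded response) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any product. The log format, the user and resource names, the Laplace-smoothed frequency model, the window size and the two thresholds are all assumptions chosen for illustration, and every log line is constructed.

```python
"""Per-user behavioural baseline plus continuous, windowed event scoring.

Added example for this page; not the article's or any vendor's code.
All log lines, names, and thresholds below are constructed assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed "training window" of logs: "<ISO timestamp> <user> <action> <resource>"
BASELINE_LOG = """\
2024-03-01T09:02:11 alice login vpn
2024-03-01T09:05:40 alice read crm/accounts
2024-03-01T09:31:02 alice read crm/accounts
2024-03-01T10:12:55 alice update crm/accounts
2024-03-01T11:45:19 alice read crm/reports
2024-03-01T14:20:03 alice read crm/accounts
2024-03-01T16:58:47 alice logout vpn
2024-03-02T08:55:30 alice login vpn
2024-03-02T09:10:12 alice read crm/accounts
2024-03-02T13:02:00 alice update crm/accounts
2024-03-02T15:40:27 alice read crm/reports
2024-03-02T17:03:09 alice logout vpn
"""

# Constructed events to evaluate. The first three match the baseline; the
# last three touch unseen resources at an unseen hour, in quick succession.
SESSION_LOG = """\
2024-03-03T09:01:50 alice login vpn
2024-03-03T09:07:22 alice read crm/accounts
2024-03-03T09:40:05 alice read crm/reports
2024-03-03T02:13:40 alice read hr/payroll
2024-03-03T02:13:52 alice download hr/payroll
2024-03-03T02:14:01 alice download finance/ledger
"""

PAIR_VOCAB = 50   # assumed size of the (action, resource) vocabulary, for smoothing
HOURS = 24
STEP_UP = 6.5     # single-event surprise above which re-authentication is demanded
BLOCK = 22.0      # summed surprise over the window above which the session is cut
WINDOW = 3        # how many recent events are judged together


def parse_log(text):
    """Turn each line into (hour_of_day, user, action, resource)."""
    events = []
    for line in text.splitlines():
        ts, user, action, resource = line.split()
        events.append((int(ts[11:13]), user, action, resource))
    return events


def build_baseline(events):
    """Count, per user, how often each (action, resource) pair and each hour occurs."""
    baseline = defaultdict(lambda: {"pairs": Counter(), "hours": Counter(), "n": 0})
    for hour, user, action, resource in events:
        profile = baseline[user]
        profile["pairs"][(action, resource)] += 1
        profile["hours"][hour] += 1
        profile["n"] += 1
    return dict(baseline)


def score_event(baseline, event):
    """Surprise of one event, -log p, under the user's smoothed baseline.

    Laplace smoothing gives unseen pairs and hours (and unknown users) a
    small non-zero probability, so novelty scores high instead of failing.
    """
    hour, user, action, resource = event
    profile = baseline.get(user, {"pairs": Counter(), "hours": Counter(), "n": 0})
    p_pair = (profile["pairs"][(action, resource)] + 1) / (profile["n"] + PAIR_VOCAB)
    p_hour = (profile["hours"][hour] + 1) / (profile["n"] + HOURS)
    return -math.log(p_pair) - math.log(p_hour)


def evaluate_session(baseline, events, window=WINDOW):
    """One decision per event: 'allow', 'step_up' or 'block'.

    Each event is judged on its own (STEP_UP) and together with the preceding
    events in the window (BLOCK); the second test is what lets a run of
    individually borderline events still end the session.
    """
    decisions, recent = [], []
    for event in events:
        surprise = score_event(baseline, event)
        recent = (recent + [surprise])[-window:]
        if sum(recent) > BLOCK:
            decisions.append("block")
        elif surprise > STEP_UP:
            decisions.append("step_up")
        else:
            decisions.append("allow")
    return decisions


def run():
    """Build the baseline from BASELINE_LOG and score every event in SESSION_LOG."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return evaluate_session(baseline, parse_log(SESSION_LOG))


if __name__ == "__main__":
    for event, decision in zip(parse_log(SESSION_LOG), run()):
        print(f"{decision:8s} {event}")
```

Run as a script it prints one decision per event. The fourth event, an unseen resource at an unseen hour, earns a step-up on its own; the sixth is blocked not because it is worse than the fourth but because the accumulated surprise of the whole window has crossed the second threshold. A real deployment would add more features (device, network location, session age), tune both thresholds against the false-positive rate it can afford to investigate, and learn the baseline only from a period believed to be clean.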
Continuous Authentication and Changing Mindsets
The mindsets and expectations of both security professionals and users will have to change dramatically for data science to succeed in cybersecurity. Security professionals have to get used to users not explicitly logging into their systems, the network, or individual applications. Instead, they have to trust that the analytics can authenticate more accurately on an ongoing basis than a password can at a single moment.
And users have to accept that the lack of a traditional login function doesn’t mean that they are free to do anything they want. They are being observed constantly, and it doesn’t make sense to try to access areas for which they don’t have authorization.
But mindsets will adjust rapidly, because data science has too many advantages over passwords to ignore. Count on a rapid sea change toward data science and analytics, offering enterprises better cybersecurity with less effort.