
How Data and Analytics Can Assist with Cybersecurity

Everyone has data – Here’s how to use it defensively 

In contemporary decision-making, data rules supreme. "Big data" and "data culture" are just two of the trends that have reshaped industries over the past decade. The value placed on data, combined with our growing ability to collect and mine massive amounts of it, has made it vitally important. 

As Josh Horwitz notes, despite data being hailed as "the new oil," it "must be properly mined to deliver on its promise." And while the speed and automation of analytics have accelerated in recent years, companies still need people (data scientists among them) to ask the right questions and keep their problems front of mind. Cybersecurity is one such field: it generates a vast amount of data that is ready to be queried. 

There are many ways threat actors attack organizations, but the dominant four at the moment, according to this year's DBIR, are credentials, phishing, exploiting vulnerabilities, and botnets. Defending against each of these is best achieved by combining internal and external data. 

Consider these three ways of incorporating data into developing cybersecurity solutions: 

Ongoing Analytics of Security Incidents 

For any environment, cloud included, an AI-driven security information and event management (SIEM) solution is a crucial first step: an IT team needs a tool that detects attacks in real time and puts them in context. 

That's where data comes in. Choosing software that continually learns is key: the volume of security incidents, false positives included, is so large that alert fatigue is common. By continually analyzing SIEM alerts, teams gain a clearer view of their threat environment and can prioritize real threats over false positives. 
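As an added illustration of what "prioritizing real threats over false positives" looks like in practice (this is example code, not from the original article or any SIEM product), the script below scores each alert by its severity, by the criticality of the affected asset, and by how often that detection rule has historically been a false positive, then boosts hosts on which several different rules fire within a short window. The alert records, asset inventory, triage history and weights are all constructed sample data.

```python
"""Rank SIEM alerts so analysts see likely-real threats first.

Added example, not code from the original article or any SIEM vendor.
Alert records, rule names, asset criticality and triage history are all
constructed sample data; the scoring weights are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    rule: str
    severity: int        # 1 (informational) .. 5 (critical), as emitted by the SIEM
    host: str
    timestamp: datetime


# Constructed asset inventory: how much each host matters (0..1).
ASSET_CRITICALITY = {"dc01": 1.0, "db-prod": 0.9, "ws-alice": 0.3}

# Constructed feedback from past triage, per rule:
# (alerts closed as false positive, alerts seen in total).
FP_HISTORY = {
    "brute_force_login": (5, 100),
    "new_admin_account": (0, 4),
    "port_scan_internal": (180, 200),
}


def false_positive_rate(rule: str) -> float:
    """Laplace-smoothed FP rate so a rule seen a few times is not judged 0 or 1."""
    fp, total = FP_HISTORY.get(rule, (0, 0))
    return (fp + 1) / (total + 2)


def score_alert(alert: Alert) -> float:
    """Severity, scaled by asset value and by how often this rule turns out to be real."""
    precision = 1.0 - false_positive_rate(alert.rule)
    criticality = ASSET_CRITICALITY.get(alert.host, 0.5)
    return round(alert.severity / 5 * criticality * precision, 3)


def distinct_rules_per_host(alerts, window=timedelta(minutes=10)) -> dict:
    """Max number of different rules firing on one host within `window`.
    Several different detections on one host in a short span is stronger
    evidence than any single alert."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    result = {}
    for host, items in by_host.items():
        for a in items:
            rules = {b.rule for b in items if abs(b.timestamp - a.timestamp) <= window}
            result[host] = max(result.get(host, 0), len(rules))
    return result


def prioritize(alerts):
    """Return (score, alert) pairs, highest first."""
    bursts = distinct_rules_per_host(alerts)
    ranked = []
    for a in alerts:
        s = score_alert(a)
        extra = bursts.get(a.host, 1) - 1
        if extra > 0:
            s = round(min(1.0, s + 0.2 * extra), 3)   # bonus for correlated detections
        ranked.append((s, a))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def sample_alerts():
    """Constructed alerts from one morning."""
    t0 = datetime(2024, 3, 4, 9, 0)
    return [
        Alert("port_scan_internal", 2, "ws-alice", t0),
        Alert("brute_force_login", 4, "dc01", t0 + timedelta(minutes=1)),
        Alert("new_admin_account", 5, "dc01", t0 + timedelta(minutes=3)),
        Alert("port_scan_internal", 2, "db-prod", t0 + timedelta(minutes=60)),
    ]


if __name__ == "__main__":
    for score, alert in prioritize(sample_alerts()):
        print(f"{score:5.3f}  {alert.host:9} {alert.rule}")
```

The point of feeding triage outcomes back into `FP_HISTORY` is that the ranking improves as analysts close tickets: a noisy rule such as the internal port scan sinks to the bottom on its own, while a rarely-firing rule on a domain controller rises to the top even before anyone tunes it by hand.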

Defending from the Inside 

It's no secret that human error is a huge source of cybersecurity woes. While we usually picture threat actors as seedy groups in dark basements, insiders can be security risks too, sometimes on purpose but more often by accident. Employees, contractors, and third-party associates can all be risk vectors, especially if they have credentialed access to the company network or to sensitive information. 

Fortunately, insider threats can often be noticed and remediated with the help of data and analytics. Indicators such as unusual login times, access requests for unauthorized databases, or abnormal email usage are usually present before an attack succeeds. With analytic tools, teams can surface these indicators and act on them before material is stolen or damaged. 
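The two indicators the paragraph names, unusual login times and access to databases a user is not entitled to, can be checked with very little machinery. The script below is an added example (not the article's or any product's code) that learns each user's usual login hour from a constructed 30-day baseline instead of hard-coding office hours, flags logins more than two standard deviations from it, and flags database queries against targets missing from a constructed entitlement list. The log format, users, baseline and entitlements are all invented for the illustration.

```python
"""Flag insider-risk indicators in constructed access logs.

Added example, not part of the original article; the log format, user
entitlements and login-hour baseline are invented for illustration.
"""
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<iso timestamp> user=<name> action=<verb> [target=<db>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: target=(?P<target>\S+))?$"
)

# Constructed entitlement list: databases each user is authorised to query.
ENTITLEMENTS = {
    "alice": {"crm", "billing"},
    "bob": {"crm"},
}

# Constructed baseline: hour-of-day of each user's logins over the prior
# 30 days, used to learn what "usual" looks like for that person.
BASELINE_LOGIN_HOURS = {
    "alice": [8, 9, 9, 8, 10, 9, 8, 9, 9, 8] * 3,
    "bob": [9, 10, 9, 9, 11, 10, 9, 10, 9, 10] * 3,
}

# Constructed sample log lines for one day.
SAMPLE_LOG = """\
2024-03-04T08:55:00 user=alice action=login
2024-03-04T09:10:00 user=bob action=login
2024-03-04T09:30:00 user=alice action=db_query target=crm
2024-03-04T02:40:00 user=bob action=login
2024-03-04T02:45:00 user=bob action=db_query target=payroll
2024-03-04T10:15:00 user=bob action=db_query target=crm
"""


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise (malformed lines are skipped)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def unusual_hour(user: str, hour: int, z_threshold: float = 2.0) -> bool:
    """True when `hour` is more than z_threshold standard deviations from the
    user's baseline mean. Users with no baseline are not flagged: the
    entitlement check still applies to them, but we do not guess a schedule."""
    hours = BASELINE_LOGIN_HOURS.get(user)
    if not hours:
        return False
    mu, sigma = mean(hours), pstdev(hours)
    sigma = max(sigma, 0.5)  # floor so a perfectly regular user still gets a tolerance band
    return abs(hour - mu) / sigma > z_threshold


def find_indicators(log_text: str):
    """Return (user, indicator, detail) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["action"] == "login" and unusual_hour(ev["user"], ev["ts"].hour):
            findings.append((ev["user"], "login_outside_baseline_hours", ev["ts"].isoformat()))
        if ev["action"] == "db_query":
            allowed = ENTITLEMENTS.get(ev["user"], set())
            if ev["target"] not in allowed:
                findings.append((ev["user"], "query_unentitled_database", ev["target"]))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print(finding)
```

On the sample data only bob's 02:40 login and his query against the payroll database are flagged; alice's 08:55 login and bob's 09:10 login fall inside their learned bands. In a real deployment the baseline would be recomputed as logins accumulate, and the two findings for the same user within minutes of each other are exactly the kind of correlated signal worth escalating rather than handling as two separate tickets.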

Compromised Credential Monitoring 

According to the 2022 DBIR, compromised credentials were involved in over 80% of cyber attacks. Again, human error—specifically the habits of creating weak passwords and reusing passwords across accounts and devices—is often the root cause. Once a set of credentials has been breached in an attack, it's guaranteed that the password (weak or reused as it may be) will be available almost immediately on the dark web. From there, using existing credentials is an even more efficient way for cybercriminals to access accounts. 

Here, too, the right evaluation of data is the solution. Instead of ignoring the massive amount of personal data available on the dark web, companies can access it and turn it into a defense tool. Once a list of breached credentials has been obtained, companies can prevent that information from being used in their environment by scanning for those credentials on an ongoing basis. By comparing in-use credentials against a blacklist, IT teams can detect the compromised credentials and then automate remediation strategies (like forcing a user to reset their password). 
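The comparison against a breach list can be done without the checking service ever seeing the password. The script below is an added example (not the article's code) of the range-query pattern popularised by Have I Been Pwned's Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned hash suffixes locally. The breach corpus is constructed from a few made-up leaked passwords and served from an in-memory dict that stands in for the remote endpoint; the `force_reset` policy mirrors the automated remediation the paragraph describes.

```python
"""Check a password against a breach corpus using a range (k-anonymity) query.

Added example, not the article's code. It follows the range-query pattern
used by Have I Been Pwned's Pwned Passwords API: the client computes the
SHA-1 of the password and sends only the first 5 hex characters, then
compares the returned hash suffixes locally, so neither the password nor
its full hash leaves the client. The breach corpus below is constructed
from a few made-up leaked passwords and served from an in-memory dict
standing in for the remote endpoint.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Index leaked passwords by hash prefix, the way a range endpoint stores them.
    `leaked` is an iterable of (password, times_seen_in_breaches)."""
    index = defaultdict(dict)
    for pw, count in leaked:
        h = sha1_hex(pw)
        bucket = index[h[:PREFIX_LEN]]
        bucket[h[PREFIX_LEN:]] = bucket.get(h[PREFIX_LEN:], 0) + count
    return index


# Constructed corpus; a real one holds hundreds of millions of entries.
LEAKED = [
    ("password", 9_000_000),
    ("Summer2023!", 1_200),
    ("letmein", 250_000),
    ("correct horse battery staple", 3),
]
RANGE_INDEX = build_range_index(LEAKED)


def client_query_fragment(password: str) -> str:
    """The only thing transmitted to the lookup service: a 5-character hash prefix."""
    return sha1_hex(password)[:PREFIX_LEN]


def range_lookup(prefix: str) -> dict:
    """Stand-in for the remote range endpoint: every suffix sharing `prefix`."""
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    return range_lookup(h[:PREFIX_LEN]).get(h[PREFIX_LEN:], 0)


def evaluate_credential(username: str, password: str) -> dict:
    """Policy decision at login or password-set time, when the plaintext is
    available for checking; stored password hashes are never reversed for this."""
    seen = breach_count(password)
    action = "force_reset" if seen else "allow"
    return {"user": username, "action": action, "seen": seen}


if __name__ == "__main__":
    for user, pw in [("alice", "password"), ("bob", "x7#Qm!pL2@vZ9")]:
        print(evaluate_credential(user, pw))
```

Running the check at authentication time, not just when a password is first set, is what turns a one-off screen into the ongoing scan the paragraph calls for: a password that was fine last year but has since appeared in a dump is caught the next time its owner logs in. NIST SP 800-63B makes the same recommendation, that new passwords be compared against a list of values known to be commonly used, expected, or compromised.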

Embracing Data with Defense in Mind 

While it may feel like the digital landscape we live in threatens to drown us in data, now is the time to harness it. By approaching data as something that, as Horwitz writes, "can be leveraged to improve security," organizations can stay ahead of threats.