Detecting cybercrime in real-time

Simon Bramble

Wednesday 26 October 2016

According to a recent National Crime Agency report, ‘cyber-enabled fraud’ has now overtaken all other forms of crime in the UK.

The National Crime Agency’s (NCA) Cyber Crime Assessment 2016 found that 36 per cent of all reported crime was ‘cyber-enabled fraud’. A further 17 per cent was attributed to ‘computer misuse’.

While these headline statistics are interesting in themselves, dig a little deeper and an interesting picture emerges. As part of the report, the Office of National Statistics estimates there were 2.46 million cyber incidents throughout 2015. Yet only 716,349 cyber-related incidents were reported, a huge gulf that raises an intriguing question.

How many victims of those cyber incidents are even aware they suffered a security breach?

When there’s ostensibly nothing missing and the absence of a splintered door or broken glass to set alarm bells ringing, it’s hard to know anything untoward happened in the first place.

Growth in frequency and complexity

Despite vast sums being spent on digital defences, the number of businesses affected by information breaches is actually rising.

The UK government’s Information Security Breaches Survey 2015 found that nearly three-quarters (74 per cent) of small and medium-sized enterprises (SMEs) had suffered a data breach in 2015, up on the numbers recorded in 2013 and 2014. Among large businesses with considerably higher digital security budgets and know-how, the figure was 90 per cent.

It’s wise to assume your business is going to suffer a security breach. Whether it’s an employee loading sensitive information onto a memory stick and misplacing it, malware gaining access to documents or social engineering techniques (increasingly commonplace in the UK) leading to people unwittingly giving out personal details, it’s crucial to be able to detect a breach as soon as possible. Or better, as it happens.

The growing complexity of cybersecurity threats makes real-time detection essential. Data analysis of an entire operating network is a proactive defence. Log-ins, incident reports and system alarms are cross-checked with external information for an in-depth picture of what’s happening with your data at any given time.

Get the whole picture

Big data analytics can counter fast-moving cyberattackers. By integrating data loss monitoring and alert systems with the rest of your network, you remove the walls that could slow down access to information, reducing the time it takes to identify and rebuff an attack.

Often today’s cybercriminals are much swifter in their attempts to gain unauthorised entry to a network, forgoing any lengthy period of espionage – ironically because anti-theft measures have improved so much.

Big data comes into its own by letting you analyse the typical behaviour of your whole network, identify false-positive events and cut through the background, everyday noise of secure data transactions.

However, many major security breaches don’t happen as a single big bang. There could be an initial intrusion, followed days or weeks later by some sort of leak or compromise. The gap between stages could mean each prong of a single, drawn-out attack is instead treated as an isolated incident.

A network free of information silos can be analysed holistically, and ‘look-backs’ used by analytics applications spot potential links between intrusions.

But while data analytics has the potential to vastly reduce the time it takes to recognise an attack and even predict future attacks, it’s useless if people are unable to understand what the data is telling them.

Eric Ahlm, research director at Gartner, cautioned in a 2015 report that, “How actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time. Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualisation of that data will greatly affect adoption of the technology.”

Built-in security

Continuous monitoring systems will keep a watchful eye network-side. But what about your employees’ devices? Lenovo’s Ideapad Miix 700 Business Edition offers the flexibility of a premium tablet and the security of a hard-wired desktop, the latter thanks to something called a Trusted Platform Module (TPM).

Lenovo’s Tikiri Wanduragala explains, “These basically perform a check on the microcode that is executing on the server; they are actually embedded onto the motherboard.

“What this means is that every piece of code, when the microcode is updated, is checked to make sure it is the right piece of code running on the right machine. All in real-time, by the way.

“TPMs play an important role because some of the backdoor entries into retail systems – that we’ve all been reading about in the news – have happened via the microcode; the microcode is trusted, so if the bad guys can get in there, they’re in as trusted users… and at that point it’s game over.”

Effective network security is a multi-layered process, requiring investment in employee education and training, anti-phishing and ransomware defences, and a host of other measures. But if you were to prioritise, getting a clear picture of your overall network as soon as a breach occurs would be near the top of a lengthy list, along with devices that can authenticate themselves.

