Cybersecurity Data Science: Adopting a Medical Paradigm

An Uncomfortable Status Quo

This month, barely eight weeks from the WannaCry ransomware outbreak, yet another destructive worm attack has disabled systems and compromised data globally: PetrWrap (AKA NotPetya, Nyetya, or GoldenEye). Beleaguered cybersecurity professionals have responded yet again with a flurry of patches and guidance to plug the holes.

Based on trending events, there is a sense that increasingly aggressive cyberattacks appear to be a crushing inevitability. Sophisticated attack methods, tools, and actors evolve in lock-step, driven by the growing economic and political incentives associated with compromising highly-interconnected critical infrastructures. The deep and dark webs have provided threat actors with a powerful mechanism to collaborate anonymously to stage coordinated attacks and to share powerful tools and techniques.

Persistent Unknown-Unknowns…

Cyber attackers exploit a prolifically interconnected world to infiltrate increasingly complex digital infrastructures. While the networked age has demonstrably created new opportunities for interaction and commerce, it has also increased the scope and scale of systemic vulnerabilities. Cybersecurity professionals struggle to manage unknown-unknowns: complex, emerging attacks that take advantage of unseen vulnerabilities amongst massively interconnected systems.

Cybersecurity efforts have been wrongfooted to the degree that attack surfaces have proliferated well beyond what traditional monitoring and prevention measures can adequately safeguard. The typical Information Security department is drowning in false alerts and threat indicators.

Reclaiming the Initiative: Data Science

To stay a step ahead, cybersecurity professionals need to reclaim the initiative. Data science has been viewed as a great hope in this domain: the application of advanced data analytics methods to big and fast data to focus and automate threat detection and prevention. Data science offers powerful tools and methods for identifying hidden patterns in interconnected networks and for leveraging those insights to detect and predict attacks.

The increasing interest in data science in the cybersecurity domain has led to a proliferation of powerful tools and methods. The new tools increase the ease of conducting sophisticated data analysis. However, in the enthusiasm to apply data science to cybersecurity challenges, there is a risk of taking a shotgun approach: throwing data at analytics tools and leaping at any hints of random patterns that emerge.

Is Cyberwarfare an Effective Paradigm?

Data science promises great hope in bolstering cybersecurity by focusing the ability to rapidly detect and prevent incursions. But for such techniques to be efficacious, the right methods need to be applied in the right places at the right time. Currently, the dominant paradigm in cybersecurity is overtly militaristic, focusing on kill chains, advanced persistent threats, and shadowy threat actors. However, the methods which result mirror those of asymmetric warfare: highly brittle, heavy-handed, resource-intensive, and reactionary. Such approaches risk missing the forest for the trees, attempting to raise battlements and moats when the disease is likely already within the walls of the keep.

Cybersecurity in the Medical Paradigm

To respond in a targeted manner, data science must adopt new paradigms which suggest fresh methods and practices. This post argues that the current reality of cybersecurity challenges is better addressed by domains associated with biology and medicine than by military command and control.

The most efficacious data science methodologies in the cybersecurity domain are associated with public health and medical diagnostics rather than counter-terrorism and border control. Attacks and incursions on digital infrastructure must be viewed as opportunistic infections and diseases: near-constant threats that attach to and proliferate along promiscuously connected organic vectors.

If data science offers hope in addressing mounting global cybersecurity challenges, it is as a guardian of public health – capable of highly targeted, mutable detection and adaptive protection. This presumes the ability to detect variations in known ‘biological’ threats which threaten individual devices and sensors. A hypervisory capability is also assumed: super-systemic monitoring capabilities able to rapidly deduce incidents from early warnings of malfunction and stress in the organic fabric that composes digital infrastructure, much as tissue irritation provokes a targeted immune response.

Lessons from Medical Statistics

Medical statistics offers us epidemiology, a discipline dating back to the mid-19th century, as a mature set of statistical techniques for diagnosis and analysis. For instance, applied graph analytics helps to identify at-risk agents and transmission vectors, as well as to focus targeted prophylactic measures. Additionally, quantifying relative risk and interactions allows cybersecurity professionals to proactively prepare for threats and to counter incursions rapidly.
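The two epidemiological techniques named above, graph analytics for transmission vectors and relative risk, as an added illustration that is not part of the original post and not the author's or SAS Institute's code. It runs on a constructed host-contact graph and a constructed patch-state/infection cohort (all host names and attributes are invented), using only the Python standard library: betweenness centrality (Brandes' algorithm) marks the hosts through which an infection must pass to cross between segments, and a 2x2 cohort table yields the relative risk of infection for unpatched versus patched hosts together with a log-normal confidence interval.

```python
"""Added example: epidemiological analysis of a constructed host-contact graph.

1. Graph analytics: betweenness centrality finds transmission vectors, i.e.
   hosts that lie on the shortest paths between many other host pairs.
2. Relative risk: how much more often an outcome ("infected") occurs among
   hosts with an exposure ("unpatched") than among those without it.
All hosts, links and attributes below are constructed for illustration.
"""
from collections import deque
from math import exp, log, sqrt

# Constructed undirected communication links: two segments, each a triangle,
# joined only through the host named "hub".
EDGES = [
    ("a1", "a2"), ("a2", "a3"), ("a1", "a3"), ("a3", "hub"),
    ("hub", "b1"), ("b1", "b2"), ("b2", "b3"), ("b1", "b3"),
]

# Constructed cohort: exposure (unpatched) and outcome (infected) per host.
HOSTS = {
    "a1": {"unpatched": True, "infected": True},
    "a2": {"unpatched": True, "infected": True},
    "a3": {"unpatched": True, "infected": False},
    "hub": {"unpatched": False, "infected": True},
    "b1": {"unpatched": True, "infected": True},
    "b2": {"unpatched": False, "infected": False},
    "b3": {"unpatched": False, "infected": False},
}


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def betweenness_centrality(graph):
    """Brandes' algorithm for unweighted, undirected graphs.

    Returns, per node, the number of shortest paths between other node pairs
    that pass through it. High values are chokepoints: the natural
    transmission vectors and the best places for segmentation or monitoring.
    """
    bc = {v: 0.0 for v in graph}
    for s in graph:
        stack, queue = [], deque([s])
        pred = {v: [] for v in graph}
        sigma = {v: 0 for v in graph}   # number of shortest paths from s
        dist = {v: -1 for v in graph}   # BFS distance from s
        sigma[s], dist[s] = 1, 0
        while queue:                    # forward BFS pass
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in graph}
        while stack:                    # backward dependency accumulation
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: x / 2.0 for v, x in bc.items()}  # each pair was counted twice


def rank_transmission_vectors(graph, top_n=3):
    """Hosts ordered by betweenness, ties broken by name."""
    bc = betweenness_centrality(graph)
    return [v for v, _ in sorted(bc.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]]


def relative_risk(hosts, exposure, outcome, z=1.96):
    """Relative risk of `outcome` for exposed versus unexposed hosts.

    Returns (rr, ci_low, ci_high) using the usual log-normal interval for a
    risk ratio (z=1.96 gives 95%). If no unexposed host has the outcome the
    ratio is unbounded and (inf, None, None) is returned; if no exposed host
    has it, (0.0, None, None).
    """
    a = sum(1 for h in hosts.values() if h[exposure] and h[outcome])
    b = sum(1 for h in hosts.values() if h[exposure] and not h[outcome])
    c = sum(1 for h in hosts.values() if not h[exposure] and h[outcome])
    d = sum(1 for h in hosts.values() if not h[exposure] and not h[outcome])
    if a + b == 0 or c + d == 0:
        raise ValueError("both exposed and unexposed groups must be non-empty")
    if c == 0:
        return float("inf"), None, None
    if a == 0:
        return 0.0, None, None
    rr = (a * (c + d)) / (c * (a + b))
    se = sqrt(1 / a - 1 / (a + b) + 1 / c - 1 / (c + d))  # SE of ln(RR)
    return rr, exp(log(rr) - z * se), exp(log(rr) + z * se)


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("transmission vectors:", rank_transmission_vectors(g))
    rr, lo, hi = relative_risk(HOSTS, "unpatched", "infected")
    print(f"RR(unpatched -> infected) = {rr:.2f}, 95% CI [{lo:.2f}, {hi:.2f}]")
```

On the constructed data the bridge host ranks first (betweenness 9), the two segment gateways next (8 each), and the remaining hosts score zero. The relative risk comes out at 2.25, but with seven hosts its 95% interval spans 1.0 comfortably, which is the practitioner's caveat: a point estimate from a small cohort is a hypothesis to test in the laboratory the next section describes, not a finding.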

Beyond this, the field of clinical trials provides a clearly defined set of best practices for studying and explaining cybersecurity threats to digital infrastructure in a controlled experimental laboratory setting. A proper ‘clinical trial’ on a class of malware infection supplies a detailed explanation of the ‘disease’ behavior and results in indications of proper ‘vaccine’ safeguards to prevent infections and incursions. The implication is that an effective approach to cybersecurity includes establishing a controlled laboratory to study the action of focused threats, via both direct observation and simulation, and to test and develop effective medicinal countermeasures.

Catalyzing Cyber Responsiveness

A proactive approach to cybersecurity begins with shifting our paradigm, which leads to the adoption of evidence-based best practices. To the degree that digital infrastructure increasingly has more-than-passing similarities to biological and organic phenomena, medical statistics and diagnostics, both epidemiological (public health and disease control-focused) and clinical (explanatory and medicinal treatment-focused), offer rich sets of worked-out analytical approaches to the growing challenge of safeguarding digital infrastructures in all their evolving richness.


About SARK7

Scott Allen Mongeau (SARK7) is an INFORMS Certified Analytics Professional (CAP) and a Data Scientist in the Cybersecurity business unit at SAS Institute. Scott has over 20 years of experience in project-focused analytics functions in a range of industries, including IT, biotech, pharma, materials, insurance, law enforcement, financial services, and start-ups. Scott is a part-time PhD (ABD) researcher at Nyenrode Business University. He holds a Global Executive MBA (OneMBA) and Masters in Financial Management from Erasmus Rotterdam School of Management (RSM). He has a Certificate in Finance from University of California at Berkeley Extension, a MA in Communication from the University of Texas at Austin, and a Graduate Degree (GD) in Applied Information Systems Management from the Royal Melbourne Institute of Technology (RMIT). He holds a BPhil from Miami University of Ohio. Having lived and worked in a number of countries, Scott is a dual American (native) and Dutch citizen. He may be contacted at: webmaster@sark7.com All posts are copyright © 2015 SARK7 All external materials utilized imply no ownership rights and are presented purely for educational purposes.
