Introduction

Can using cyber analytics help you stay ahead of cybercrime?

In an increasingly online world, securing an organization’s digital assets is a key business concern. Cybersecurity is no longer regarded as a purely technical issue; it is recognized as a fundamental business challenge for most organizations. As the threat landscape continues to evolve rapidly in both sophistication and scale, the need to protect organizations’ intellectual property, operations, brand and shareholder value, in addition to their customers’ data, is ever more critical. Advancements in the security industry have not kept pace with today’s diverse set of threat actors; organizations therefore find themselves in a position where off-the-shelf products and traditional services are not sufficient to address the risk.

Indeed, there is a need for bolder strategies and innovation in cybersecurity. Preparing for known attacks is challenging enough. But how do organizations build controls for the security risks they don’t even know about yet?

Survey callout: only 12% of organizations consider themselves very likely to detect a sophisticated attack.

Leading organizations are doing more than improving on their current state. They are seeking to expand their efforts — to take bolder steps — to combat cyber threats and to keep pace with, or even get ahead of, the cyber attackers. Rather than waiting for the threats to come to them, these organizations are leveraging threat intelligence to prioritize efforts that enhance visibility and enable an Active Defense through tailored monitoring, analytics, hunting and prompt detection for their most critical proprietary data and business systems.

In recent years, organizations have recognized the benefits of having a well-functioning Security Operations Center (SOC). These include enabling cybersecurity functions to respond faster, work more collaboratively and share knowledge more effectively.
Survey callout: 46% of organizations do not have a SOC.

First-generation SOCs tended to focus on signature-based controls, such as antivirus and intrusion detection systems, allowing organizations to detect “known bad” artifacts associated with an attack. The second generation of SOCs heralded the advent of 24x7 operations, in recognition that attackers don’t close for the day, even if your business does. EY is now seeing the emergence of the third generation of Security Operations Centers, based around professionally analyzed threat intelligence and cyber analytics to enable an Active Defense.

Leading organizations seek to leverage cyber analytics platforms built on a large-volume data-processing architecture, the so-called “lambda architecture”. This architecture combines a batch layer, which periodically reprocesses the full historical data set, with a real-time (speed) layer that processes events as they arrive, and enables anomaly detection based on mathematics and statistical modelling that can handle terabytes of data daily. The third generation of security operations also facilitates proactive breach hunting, the integration of an enterprise cyber threat-management framework and the convergence of data science with security operations, enabling organizations to process large volumes of data for possible early indicators of compromise.

A key advantage of deploying a cyber analytics platform is its agility in using data science to speed up detection of and response to security incidents. It also slows attackers down: because the detection models are custom-built rather than commercial products, attackers cannot replicate the environment in their own lab and learn how to circumvent the deployed controls.

All results shown in this report are based on Creating trust in the digital world: EY’s Global Information Security Survey 2015 (www.ey.com/GISS2015).

Using cyber analytics to help you get on top of cybercrime — Third-generation Security Operations Centers
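The batch-plus-real-time split that the lambda architecture describes can be shown concretely. The following Python is an added illustration, not code from the EY report or from any particular analytics product: a batch layer computes a per-host baseline (mean and standard deviation of hourly outbound bytes) from a historical data set, and a speed layer scores each incoming event against that baseline as it arrives, merging the two views in the score. The host names, byte counts and the `out_bytes=` log line format are constructed for the example; the 3-sigma threshold, the one-sided (upward only) test, and the decision to surface hosts with no baseline as alerts are design assumptions, not something the report specifies.

```python
"""Toy lambda-style anomaly detector (added example, not from the report).

Batch layer : builds per-host baselines from the full historical data set.
Speed layer : scores each live event against the baseline as it arrives.
Serving view: the score merges the batch baseline with the real-time total.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Constructed historical data (assumption): hourly outbound bytes per host.
HISTORICAL = {
    "host-a": [1200, 1350, 1100, 1280, 1320, 1210, 1190, 1400, 1260, 1310],
    "host-b": [500, 480, 520, 510, 495, 505, 515, 490, 500, 510],
}

# Constructed live stream: "<ISO timestamp> <host> out_bytes=<n>" (assumed format).
STREAM = [
    "2015-11-03T10:05:00Z host-a out_bytes=600",
    "2015-11-03T10:10:00Z host-b out_bytes=480",
    "2015-11-03T10:35:00Z host-a out_bytes=650",
    "2015-11-03T10:40:00Z host-b out_bytes=9000",   # exfiltration-like burst
    "2015-11-03T10:50:00Z host-c out_bytes=100",    # host absent from batch data
]


@dataclass
class Baseline:
    mean: float
    stdev: float
    samples: int


def batch_layer(history):
    """Batch view: mean and population stdev of hourly bytes for every host.

    In a real deployment this is recomputed periodically over the whole
    archive; here it runs once over the constructed HISTORICAL dict.
    """
    views = {}
    for host, values in history.items():
        stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
        views[host] = Baseline(statistics.fmean(values), stdev, len(values))
    return views


def parse_event(line):
    """Split one constructed log line into (hour bucket, host, bytes)."""
    timestamp, host, field = line.split()
    name, value = field.split("=", 1)
    if name != "out_bytes":
        raise ValueError(f"unexpected field {name!r} in {line!r}")
    return timestamp[:13], host, int(value)   # "YYYY-MM-DDTHH" is the hour


class SpeedLayer:
    """Real-time view: running per-host, per-hour totals scored by z-score."""

    def __init__(self, baselines, threshold=3.0, min_stdev=1.0):
        self.baselines = baselines
        self.threshold = threshold    # assumption: 3 sigma, upward only
        self.min_stdev = min_stdev    # floor so a flat baseline cannot divide by zero
        self.running = defaultdict(int)

    def ingest(self, line):
        hour, host, out_bytes = parse_event(line)
        self.running[(host, hour)] += out_bytes
        return self.score(host, self.running[(host, hour)])

    def score(self, host, observed):
        """Merge the batch baseline with the real-time total for one host."""
        base = self.baselines.get(host)
        if base is None:
            # Cold start: no batch view yet. Surface it rather than silently skip.
            return {"host": host, "observed": observed, "z": None,
                    "anomalous": True, "reason": "no baseline"}
        z = (observed - base.mean) / max(base.stdev, self.min_stdev)
        flagged = z > self.threshold
        return {"host": host, "observed": observed, "z": round(z, 2),
                "anomalous": flagged,
                "reason": "above threshold" if flagged else "normal"}


def run_demo(history=HISTORICAL, stream=STREAM):
    """Run batch then speed layer; return only the events that were flagged."""
    speed = SpeedLayer(batch_layer(history))
    results = [speed.ingest(line) for line in stream]
    return [r for r in results if r["anomalous"]]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it flags two events: host-b once its hourly total jumps far above its historical mean, and host-c because no batch baseline exists for it. The cold-start case is the one worth thinking about in practice: a host the batch layer has never seen is exactly the kind of signal a hunt team wants surfaced, so the example reports it explicitly instead of discarding the event or dividing by zero.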