CYBER SCAPE AFRICA | Q2 2019
CYBER-SECURITY DATA ANALYTICS

Cyber analytics – how to hunt something in absolutely everything

Introduction - the dawn, of the age, of the planet, of intelligence

We no longer live in the information age; rather, we struggle with information overload. We crawl furiously through our Google search results, finding nirvana somewhere between page 10 and 15. However, for the indefinite optimist like myself, it is the dawn of a new era – the age of intelligence. At a high level, data is consumed to form information, which yields knowledge, ultimately giving birth to the holy grail of intelligence. This seems obvious, but still we choose to call an array of malicious IP addresses, DNS names and file hashes “threat intelligence” (low blow, I know). Not that I’m complaining about the semantics; I’m simply highlighting the fact that we could, and should, add a few steps.

This is, or could be, a good point to introduce the concept of cyber intelligence. Simply put, cyber refers to computing networks and intelligence refers to the collection, analysis and interpretation of information. For example, I describe Snode Guardian by three core features – data fusion, machine analytics and interactive visualization.

Similarly, cyber analytics would refer to computing networks and the discovery, analysis and interpretation of patterns in data. So, let’s say we discover, analyze and interpret a real-world example of anomalous activity and patterns. The visualization (a.k.a. the graph) below shows a baseline of normal behavior with anomalous activity highlighted (by the red dots). Now, before you pull your face – this is not a sales pitch – you can do this with FOSS (Free Open Source Software), like Elastic, Prelert or Timelion (www.elastic.co).

Data source selection - carefully selecting absolutely everything

The natural question to surface will be – of what data? Now, this is where I disagree with most people. I don’t think logs are sufficient. Furthermore, I don’t think full packet capture is sufficient. Snode consumes everything inside your business – including open and closed sources outside your business.

For the brave few:

Discovery is done, let’s do the analysis. Now, we isolate the specific protocol that caused the anomalous pattern of behavior. The visual analytics (graph) shows the activity is web traffic, specifically HTTP (Hypertext Transfer Protocol), with an evident anomalous spike of activity.
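The baseline-and-spike hunt described above, as an added example that is not the article's, Snode's or Elastic's code: it buckets flow records per minute, derives a robust baseline (median and median absolute deviation) from the per-minute totals, flags the minutes that break out of that baseline (the "red dots" on the graph), and then attributes each flagged minute to the protocol whose count exceeds its own baseline the most, which is the "isolate the protocol" step. The record format `(minute, protocol)` and every count in it are constructed for illustration and are assumptions, not a real log format.

```python
"""Baseline-and-spike detection over per-protocol traffic counts.

Added example, not code from the article or from any product it names.
Steps: bucket events per minute -> robust baseline (median, MAD) over
the totals -> flag buckets beyond median + k * scaled MAD -> attribute
each flagged bucket to the protocol with the largest excess over its
own per-protocol median.
"""
from collections import Counter, defaultdict
from statistics import median


def make_records():
    """Constructed sample flows as (minute, protocol) pairs.

    Steady HTTP, DNS and SMTP background over 60 minutes, plus an HTTP
    burst in minutes 40-42. All numbers are invented for the example.
    """
    records = []
    for minute in range(60):
        records += [(minute, "HTTP")] * (20 + minute % 3)
        records += [(minute, "DNS")] * (30 + minute % 2)
        records += [(minute, "SMTP")] * 5
    for minute in (40, 41, 42):
        records += [(minute, "HTTP")] * 130
    return records


def bucket_by_minute(records):
    """Return {minute: Counter(protocol -> event count)}."""
    buckets = defaultdict(Counter)
    for minute, proto in records:
        buckets[minute][proto] += 1
    return dict(buckets)


def robust_baseline(values):
    """Median and MAD of a series.

    Median/MAD are used instead of mean/std so the spikes we are hunting
    do not inflate the baseline they are compared against.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_anomalies(buckets, k=5.0):
    """Minutes whose total count exceeds median + k * 1.4826 * MAD.

    1.4826 scales MAD to a standard deviation for normally distributed
    data, so k reads roughly as 'number of sigmas'. Returns the flagged
    minutes and the threshold used.
    """
    minutes = sorted(buckets)
    totals = [sum(buckets[m].values()) for m in minutes]
    med, mad = robust_baseline(totals)
    threshold = med + k * 1.4826 * mad
    flagged = [m for m, t in zip(minutes, totals) if t > threshold]
    return flagged, threshold


def attribute_spike(buckets, flagged):
    """For each flagged minute, name the protocol driving the excess.

    Each protocol's count in the flagged minute is compared with that
    protocol's own median across all minutes; the largest excess wins.
    """
    minutes = sorted(buckets)
    protos = sorted({p for m in minutes for p in buckets[m]})
    proto_median = {p: median(buckets[m][p] for m in minutes) for p in protos}
    attribution = {}
    for m in flagged:
        excess = {p: buckets[m][p] - proto_median[p] for p in protos}
        attribution[m] = max(excess, key=excess.get)
    return attribution


if __name__ == "__main__":
    buckets = bucket_by_minute(make_records())
    flagged, threshold = flag_anomalies(buckets)
    print(f"threshold={threshold:.1f} flagged minutes={flagged}")
    for minute, proto in attribute_spike(buckets, flagged).items():
        print(f"minute {minute}: spike driven by {proto} "
              f"({buckets[minute][proto]} events)")
```

With the constructed data the baseline works out to a median of 57 events per minute with a MAD of 1, so the threshold sits just above 64 and only minutes 40 to 42 are flagged; the per-protocol breakdown then points at HTTP for each of them, which mirrors the discovery-then-analysis sequence the caption describes. On real data the bucket width, `k` and the choice of totals versus per-source counts are the knobs a hunter tunes.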