Although you can never truly predict the unexpected, most security applications attempt to do just that. They use attack models built to defend against security breaches that follow known patterns or model behaviors using a series of assumptions about exceptions. The attacks that do get through expose the uncomfortable truth that determined attackers can surprise and circumvent defenses by dynamically changing their tactics.
Database Access in Three Dimensions
Among other projects, my team at the IBM Cybersecurity Center of Excellence is working on the new IBM Security Guardium data visualization feature known as Data Insight, which allows security teams to see database attacks that don’t fit into standard patterns. Data Insight visualization is a unique tool that deploys cognitive technology to produce a dynamic 3-D video display of database access logs.
Data Insight allows security officers to watch thousands of database accesses in seconds, without categorizing or assigning those activities to preconceived assumptions of how an attack is supposed to take place. The tool provides users with hints and insights concerning database accesses in a given environment or period of time, making it very easy and intuitive to spot unexpected access sequences and discover breaches that don’t fit into conventional patterns. Ordinarily, you’d need to review multiple reports to get the same impression. There’s no other tool on the market that displays log accesses in video form in this way.
A New Perspective on Security Breaches
Database accesses provide an interesting perspective on security breaches. Both internal and external attacks often involve databases. But when it comes to insider threats, companies face the very serious problem of being blindsided by their own employees.
Insider threats due to either malicious or negligent employees are quickly becoming a major security challenge. Of the 874 incidents observed for the Ponemon Institute’s “2016 Cost of Data Breach Study,” 568 were caused by employee or contractor negligence, 191 by malicious employees and criminals, and 85 by outsiders using stolen credentials.
In both internal and external database attacks, analysts often look for certain patterns using techniques such as anomaly detection. The problem is that we don’t always know exactly what we’re looking for. Attacks can be very dynamic, and anomaly detection methods always use some inherent assumptions regarding the attacks they aim to find, since they search for general deviations from regular behavior.
Trading False Positives for New Insights
Visualizations can play a key role in data security. Security officers get dozens of reports of data anomalies every day, but many are false positives. It takes time and effort to determine that, however, and it’s often not obvious. That’s where our 3-D visualization solution comes in.
Before developing Data Insight, we showed a security officer a list of anomalies and asked him to identify the real attacks. Although we also gave him a pointer to information in the data, it was not a trivial task for him. We realized that a dynamic 3-D data visualization tool could provide a clear, distinguishable and fast depiction of what’s happening in an organization’s databases.
With Data Insight, we decided to create a different approach and leverage users’ visual capabilities to find things in the data. Rethinking security, we tried to answer this basic question: How can we pour out data in a way that will give security officers a better picture of what’s happening with their databases?
We realized that the best idea was to somehow present things from a different perspective, without any preconceived notions. We believe Data Insight does just that. As a result, it can be a very valuable tool for enterprise security teams.
Data Insight is the result of collaboration between IBM Security, the IBM Research Cybersecurity Center of Excellence and researchers from Ben-Gurion University in Beer Sheva, Israel.