CyberSecurity Analytics to Combat Cyber Crimes
IEEE ICCIC 2018 Keynote Address
Professor Krishnan Nallaperumal
Centre for Information Technology and Engineering
Dean of Science, Manonmaniam Sundaranar university
Tirunelveli, Tamilnadu, India
krishnan@msuniv.ac.in
Abstract—Traditional Cyber Security operates on the premise
of deploying crime prevention technologies at the network
perimeter as the dominant methodology with crime event
management at the backseat. Contemporary heterogeneous
business world demands network access to business partners
via extranet, cloud services and home-working etc. makes
SIEM - Security Information and Event Management into a
complex and complicated task demanding deployment of
Analytics tools in a big way to combat cyber crimes.
Keywords—CyberSecurity; securityAnalytics; cyber crimes;
I. INTRODUCTION
Investigations of Non-Cyber Crimes handled by Police
personnel operate on the hypothesis that criminals will always
leave some threads of crime-trace at the crime site
unknowingly. Such traces give first information on the nature
of crime to be investigated. Rare of the rarest cases, the crime
investigators are left clueless by the intelligent criminals; such
cases are closed with the tag "NOT TRACEABLE". In
contrast, cyber Crimes are fully traceable as it happens in
electronic media that registers every event. However, millions
of cyber crimes go untraced, still worse, many are not even
noticed. Most of the cyber crimes reported are economic
crimes; victims are unaware of the ramifications of other types
of cybercrimes. The root cause of all such problems are the
unmanageable volumes of data clubbed with the ignorance of
cyber citizens. We can effectively handle cyber crimes only
with the help of AI empowered Security Analytics.
II. CONTOURS OF CYBER CRIMES
A. Why Do Cyber Crimes are exponentially higher than
Physical Crimes?
Animals thrive on the premise of 'Survival of the Fittest'.
The Social Animals, the so called 'Wisdom empowered
Mankind' is protected by the multi-layered Social Structures
like Family, Country, Ethics, Civil and Criminal Laws etc. that
prevent them to indulge in physical criminal activities that will
affect their social status and livelihood. Cyber space provide a
perceivable invisibility that emboldens the otherwise cultured
social animals indulge in all sorts of criminal activities in the
cyber space. Further, cyber crimes are not perceived as
heinous crimes on a par with non-cyber crimes by the society
at large are also catalysts to cyber crimes.
B. Types of Cyber Crimes
Cyber bullying and harassment, Conditioning Social
Media for Electoral Gains, Damaging Trade Brands or
978-1-5386-1507-2/18/$31.00 ©2018 IEEE
Promoting Unworthy Products, Financial extortion,
Ransomeware, Internet bomb threats, Classified global
security data theft, Password trafficking, Enterprise trade
secret theft, Personally data hacking, Copyright violations
such as software piracy, Counterfeit trademarks, Illegal
weapon trafficking, Online child pornography, Credit card
theft and fraud, Email phishing, Domain name hijacking and
Virus spreading are some of the cyber crimes listed. Many
victims of cyber crimes are unaware of their being the victims
is the real tragedy of many cyber crimes.
III. DAWN OF SECURITY ANALYTICS
CyberMedia Players of all categories owe access to
appropriate technical solutions to their stakeholders whenever
cyber attacks are unleashed on the stakeholders. Such
technical solutions are essential to combat cyber crimes.
A. Data Thefts Precede CyberCrimes
News Reports on instances of businesses being
compromised by cyber threats are on an unprecedented scale
seen never before. Any cyber attack succeeded in stealing
customer data or intellectual property will consequently be
used in or assist fraudulent activities of cyber Crimes.
Such data theft incidents will lead to loss of customers'
faith in the organizations leading to loss of business and
reputation of the organisation. This can be averted by placing
adequate measures and preparedness to handle any intentional
or unintentional breach of data leading to cyber crimes.
B. Lethargic Attitudes
Unfortunately only 25% of organizations are prepared to
handle cyber incidents in terms of predicting precisely the
impact of such cyber incidents and capability to detect such
incidents immediately after it happened, say, within 12 hours
of the event. The phenomenal rise of such cyber security
breaches and their adverse impact on the business are now
only acknowledged by board-level executives (As per a
research report of Economist Intelligence Unit, funded by
Arbor Networks)
C. Everyone Should be Concerned
The concern for security, risk and compliance should
trickle down from the board-level to the last worker in the
field-level so that everyone in the organization becomes fit to
handle cyber security incidents. Board-level executives should
budget for handling plans and training including mock-drills
 2018 IEEE International Conference on Computational Intelligence and Computing Research
to handle cyber security breaches that are very crucial to make
the organization to respond and handle cyber incidents.
D. Complexity of Modern Networks
Modern networking that include penetration of laptops,
palmtops, granting access to business partners via extranet,
cloud services, and home-working workforce etc. have
collectively made the task of securing the data within an
organization into a nightmare. As hackers employ
sophisticated tools and techniques to crack the complexity of
even the most secured networks, 24x7 cyber security watch
and ward with more ammunitions are a necessity now.
CyberSecurity Analytics Tools come handy to provide
solutions for incident handling teams to combat cyber crimes.
E. Limitations of Conventional Cyber Security Architectures
Conventional Cyber Security Architectures have focused
on preventing threats from entering their networks by
designing layered solutions at the perimeter of Networks in an
organization. The problem with such Security Architectures
are that they provide a very minimal threat detection
capabilities to handle any threat that has penetrated the
perimeter of the security network (using phishing and
watering hole style attacks on a weak password, for instance).
F. Role of Security Analytics
Security Analytics helps immensely to detect and analyze
threats that are already inside the network of an organization
very quickly. Security Analytics provide tools that do the
functions of specialist cyber security services with graphical
displays of rows and columns to make the job of security
specialist easier to spot trends and suspicious activities
running over longer time frames.
G. Security Analytics Tools Minimize the time to identify,
investigate and Resolve a problem
Security Analytics solutions provide efficient tools to the
incident-handling teams allowing inner view of the network
traffic and user activities spread over several days, weeks and
even months. The security team can navigate through all these
information in real time. Security Analytics solutions will
drastically reduce the time taken in the identification of a
problem, its investigation and the resolution, thereby will
minimize the adverse impact on a business and reduces the
risk that attackers will make off with customer data or
business intellectual property.
H. Birth of CyberSecurity Analytics
Security Analytics was never considered as a primary help
weapon to fight cybercrime in the eyes of Cyber Security
professionals for a long time.
When intrusions cannot be prevented in total, and we
witness many intrusions are happening in reality, we need to
include Security Analytics in the team of Cyber Security
Professionals. We need to remember that with the occurrence
of every successful intrusion, the attacker creates a network
event trail that provides a fingerprint of the intruder, marking
the steps he’s taking in the network to pursue his criminal
activity.
IV. ANALYTICS MECHANISMS FOR FIXING CYBER
CRIMES
The data generated by the attacker’s actions is the track-
mark of cybercrime and this becomes the reason for security
analytics evolving as an indispensable weapon to the
CyberSecurity team. We possess the data to investigate and
should deploy analytics to fight the cybercrime. There are
multiple analytics tools available today that have the ability to
gather and monitor the cyber crime data available to perform
faster cybercrime detection.
The goal for the CyberSecurity team will be to figure out
how to make that data work for you. With more volumes of
data, you need analytics to organize, contextualize and
ultimately find the hidden meaning.
For instance, just consider the simple log file that
documents a system’s events. This log data is a good source
for tracking down a cyber crime – after it happened. Any
breach located in a certain area in the log data will give an
excellent clue to the point of intrusion.
The information derived from such log file data are very
crucial for two reasons; as the contemporary networks consists
of staff, business partners and customers accessing data from
the outside of the network's firewall perimeter, log data from
the number of such outer connections are of primary
important; Second, the fact that people use multiple gadgets
and systems to access the network leading to the exponential
increase in the volume of log data make the case of security
analytics very strong.
This is being cited by Mr. David Shackleford, a SANS
analyst, in a report as the fit case for using cyber Analytics to
predict future attacks and breaches to overcome the limitations
of traditional detection tools.
Mr. Shackleford's report[1] analyzes and evaluates
contemporary cyberAttack detection technologies tools
ranging from simple logging, network device events tools to
SIEM - Security Information and Event Management and file
integrity monitoring tools. He observed that these very
important network defense tools also find it difficult to fight
modern cybercrimes in view of the voluminous data generated
by them. When Cyber Security Teams employ several events
detection controls in their response processes, the chances of
missing crucial events and indicators of compromises are
many.
Combining CyberSecurity with Analytics enables better
network visibility. There are three areas in CyberSecurity
demanding the application of Analytics to convert the
voluminous security data into precise vital security
information.
A. Establish Business Context behind the Behaviour
Since we deal with massive network data containing a
lot of complex data, our first area of importance is to
"Establish Business Context behind the Behaviour". For
instance, the information on how a specific computer systems
acts with reference to the other computers in the network will
provide vital clue to evaluate whether its behaviour normal.
 2018 IEEE International Conference on Computational Intelligence and Computing Research
B. Enabling to find Meaningful Patterns and Connections
The specialty of 'Security Analytics' is that it does bulk
load of work intelligently for the Cyber Security Team that
need not have to consistently scan through the data to look for
'security breach events' that raise issues requiring further
investigation. The Machine Intelligence power of 'Security
Analytics' finds patterns and connections by going deeper into
the data, that would not be possible otherwise.
C. Integrating Security Analytics with Incident Response
Program
We need to ensure the visibility and availability of answers
obtained from Security analytics to reach the Incidence
Response team; for this, we need to integrate Security
Analytics into the incident response program.
D. Predictive Security Analytics
Predictive Analytics is all about what can be done before
an attack takes place. It deals with the list of DOs, if there is a
possibility of an attack and predicting an attack. Predictive
Security Analytics helps security experts to determine the
possibility of an attack and helps set up defense mechanisms
even before hackers try and attack.
Go Beyond Signatures: Tracking the trail or signature of
the attacker is one way to help detect the next crime quicker,
but it does not help in prevention of the first crime anyways.
With the help of cyber analytics, experts can monitor activity
across multiple networks and data streams through anomaly
detection techniques and self-learning analytics, involving
Predictive Analytics and Machine Learning.
This actually helps identify threats as they occur and this
concept goes beyond the signature tracking technology. Cyber
Security Analytics also helps quickly detect anomalies in data
streams and network traffic and minimize false positive alerts.
The components of Elementary Security Analytics are
Behaviour Analytics, Data Analysis, Forensics Analysis and
Threat Intelligence.
E. Behaviour Analytics
Behaviour Analytics deploys Behaviour Analyzer (BA)
tools, also known as Breach Detection or Kill-Chain
Analyzers. BA is a class of technologies that analyzes
behavior for Indicators of Compromise (IoC).
Examples of some classes of BA products:
• Network (Breach-detection)
• Host (APT, advanced endpoint)
• User Identity • Cloud
• Dark-Web Intelligence
Uses threat intelligence to be more accurate
BA is not Data loss prevention (DLP), and DLP is not BA
– but they are close.
BA: Network-Based and Full-Packet Capture Behaviour
Analyzers are technologies that are on the lookout for bad stuff
sniff packets in the data. Some Competing Technologies
available today that enable this capabilities are listed below:
• Sandboxing: trap files and pull them apart
• Network Behavior: Track activity on the network
• Packet Capture: Retain full packet capture
These technologies are Hardware and processor intensive
products that are greatly beneficial in IR and forensics.
BA: Host-Based Behavior Analyzers have a very busy
area for competing technologies. We are listing some among
them here with their specific capabilities:
• Sandboxing: trap files and pull them apart;
• System behavior: tracks system calls, watches for series
of suspicious calls in the system;
• Application whitelisting: will allow only trusted
applications to run;
• Statistical Analysis: performs probability analysis of files
being malware and reports the same;
• Memory / Kernel Monitoring: is Watchdog core OS;
• Classic Endpoint: AV, IPS, App Control and USB
Control capable tool;
• Data Loss Prevention: monitors for sensitive content;
• Endpoint Activity: Full screen capture of use behavior;
BA: Identity-Based Behavior Analyzers does Identity-
Based behaviour analysis armed with the capability of
• Tracking user logins and actions across networks,
applications
• Creating baseline of user behavior and spotting
anomalies
Identity based Behaviour Analyzers require endpoint or
directory services integration, have benefits for internal
operations as well. It is to be noted that the Cloud-based
access brokers are only a form of identity-based Behaviour
Analyzer and they can connect with other IdM technologies.
BA: Cloud-Based Behavior Analyzers - Behavioral
analytics is a combination of machine learning, artificial
intelligence, big data and analytics technologies to identify
malicious, stealth behavior by analyzing subtle differences in
normal, everyday activities in order to proactively stop cyber
attacks before the attackers have the ability to fully execute
their destructive plans. Cloud based behavior analysis system
detects zero-day malware Instantly. Cloud-based Analytics in
the cloud vs analytics of the cloud
Messy myriad of technologies here
• Cloud access and security brokers
• Cloud web gateway products
• Hybrid analytics platforms
• SIEM-as-a-Service
 2018 IEEE International Conference on Computational Intelligence and Computing Research
Cloud analysis is extremely difficult and is heavily
dependent upon the cloud vendor.
F. Dark Web Intelligence
Dark-Web Intelligence is an security analytics technique
that actively monitors ―dark web‖ for activities relevant to any
specific business house that include monitoring activities like
• Phishing attacks
• PII in the wild
• Threats against the company / executives
• Highly specialized service offerings
Dark-Web Intelligence is often used for brand protection
and personnel security.
G. Security Analytics Incident Response Tools
Many of these tools can feed an Incident Response
Program (IRP). Indicators of Compromise (IoCs) are the
evidences that a cyber-attack has indeed taken place.
Many products include or offer IoC tracking and case
management. However, None of them can work on a stand
alone basis. Data is extremely valuable in an incident
Prerequisites. To carry out such activities we need
• Solid incident response plan / program
• Storage of data long enough to actually measure response
• Real, live humans looking at the data
• Organizational ability to handle such incidents
H. SOC (System On Chip) based Cyber Security Analytics
Is SOC (System On Chip) based Cyber Security the
Future? The next-generation firewall (NGFW) is a part of the
third generation of firewall technology, combining a
traditional firewall with other network device filtering
functionalities, such as an application firewall using in-line
Deep Packet Inspection (DPI), an Intrusion Prevention System
(IPS) with the following components:
• IDS/IPS
• Web filtering
• Application control
• Endpoint AntiVirus
• Vulnerability management
• Patching
• SIEM (Security information and event management)
• Data loss prevention (maybe)
In other words, you need a mature security program on
place. Finally, don’t Purchase Technology if you Can’t invest
in People, that is crucial for success.
I. Ten Commandments for Cyber Security Analytics
Finally we shall conclude the keynote on Cyber Security
analytics with the identification on Ten commandments for
Cyber Security Analytics to be meticulously followed:
1. Get people, get money, get support
2. Master your SIEM
3. Build an Incident Response Plan (IRP)
4. Implement a core NGFW
5. Implement network-based behavior analyzer capabilities
6. Augment outbound web filtering / proxy
7. Integrate threat intelligence into your SIEM
8. Upgrade or augment endpoint detection capabilities
9. Start storing full-packet captures (consider converged
platform)
10. Start hunting for attacks, rather than waiting for alerts
V. CONCLUSION
Hackers and Intruders carry out attacks by taking
advantage of either the inability of the organizations in finding
the indicators of compromises within their environments
quickly or the delay occurs in responding to these incidents in
fixing the problem quickly. The three guidelines provided
above will empower the cyber security team to effectively
employ CyberSecurity Analytics to identify and remedy
several security holes.
VI. ACKNOWLEDGMENT
I thank profoundly Professor Dr.Krishnan Baskar, Vice
Chancellor, Manonmaniam Sundaranar University, Tirunelveli
for initiating the two Masters Programmes in Cyber Security
and Data Analytics at our department; I thank with gratitude
Professor Dr.Rama Subramanaian, Managing Director,
Valiant Technologies, Chennai and Professor Dr.Madhava
Somasundaram of the Department of Criminology and
Criminal Justice, Manonmaniam sundaranar University,
Tirunelveli for sharing their innovative ideas on Cyber
Security liberally with me. I thank profoundly Professor
Dr.M.Karthikeyan for inviting me to offer this keynote
address.
REFERENCES
[1] Dave Shackleford, "Using Analytics to Predict Future Attacks and
Breaches", A SANS Whitepaper, Jan. 2016, SAS
[2] Thomas A. Runkler, "Data Analytics - Models and Algorithms for
Intelligent Data Analysis", 2nd Edition, © Springer Fachmedien
Wiesbaden 2016.
[3] David Willson, "Cyber Security Awareness for CEOs and
Management", Syngress is an imprint of Elsevier, 2016 Elsevier Inc..
[4] Sandy Bacik, "Building an Effective Information Security Policy
Architecture", CRC Press 2008.