The value of data science in security
- 18 July, 2018 15:27
Data science is no longer just another business domain that security needs to harden and protect: it is becoming a core function of security itself.
This is a major change compared to even two years ago.
Consider the Australian government’s 2016 cyber security strategy, which pointed to the role that security would play in helping businesses properly harness big data.
To “fully realise” big data - and hence data science - opportunities, “these technologies and the infrastructure on which they operate must be trusted”, the government noted. “Strong cyber security will enable this.”
Likewise, Data61 - whose mission is “to create Australia’s data driven future” - indicated around the same time that it would not be able to achieve that vision without addressing “national challenges around cyber security.”
In both cases, security was seen as an input or ingredient needed to allow businesses to step towards a data-driven future.
This is true - but the tables can also be turned. Security has a data-driven future of its own to achieve, and data science is the essential ingredient that security organisations need to succeed in it.
One of the most commonly-cited examples of data science for security purposes comes from the banking and insurance industry. There, data science brings together a combination of analytics and machine learning to detect fraudulent transactions.
By scanning various datasets relating to user and network behaviour, companies can detect anomalies and either respond or generate an alert – prioritised according to threat level – for security professionals to investigate further. This basic premise can be put to work for countless security applications: detecting attempted intrusions on a company network, identifying users acting against corporate policies, or managing risk.
Thanks to machine learning, models and algorithms can be refined further over their lifetime – reflecting changes in staff behaviour, alterations in the technology using the network, or evolution in the threat landscape – to reduce the number of unnecessary alerts that staff are called on to look into.
However, as with any data science project, those in security can only advance with the right fuel – the appropriate data. With the falling cost of storing data and the increasing ease of gathering it, businesses may succumb to the temptation of collecting as much information as possible and holding on to it for as long as they can.
With the advent of GDPR focusing minds on issues of data and consent, businesses may choose to examine how much of what they accumulate and keep is really necessary.
In security, too much data can make it difficult to validate use cases for data science. While you can never have enough data for predictive analytics, data science for security tends to be a lot more focused. When searching for patterns and anomalies, it may pay to do so on a smaller sample of data.
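As an added illustration (not part of the original article) of the prioritised alerting and model refinement described earlier, the sketch below scores each user's daily upload volume against a per-user baseline and compares a frozen baseline with one that is refined as data arrives. The sample events, starting profile, thresholds and smoothing factor are all assumptions chosen for the example.

```python
import math

# Constructed sample: (day, user, MB uploaded that day). alice's workload
# legitimately shifts on day 4; bob has one extreme day.
EVENTS = [(d, "alice", mb) for d, mb in enumerate([100, 105, 95] + [135] * 6, 1)]
EVENTS += [(5, "bob", 100), (6, "bob", 900)]

RANK = {"high": 0, "medium": 1}  # sort order for the analyst queue

class Baseline:
    """Exponentially weighted mean/variance of one user's daily metric."""
    def __init__(self, alpha, mean=100.0, var=100.0):  # assumed starting profile
        self.alpha, self.mean, self.var = alpha, mean, var

    def zscore(self, x):
        # Floor the deviation so a very stable user cannot cause a blow-up.
        return abs(x - self.mean) / max(math.sqrt(self.var), 1.0)

    def learn(self, x):
        d = x - self.mean
        self.mean += self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)

def priority(z):
    """Map a deviation score to a threat level (thresholds are assumptions)."""
    if z >= 6:
        return "high"
    if z >= 3:
        return "medium"
    return None

def detect(events, alpha):
    """alpha=0 keeps the baseline frozen; alpha>0 refines it as data arrives."""
    baselines, alerts = {}, []
    for day, user, mb in sorted(events):
        b = baselines.setdefault(user, Baseline(alpha))
        level = priority(b.zscore(mb))
        if level:
            alerts.append((day, user, level))
        if level != "high":
            # Extreme outliers wait for an analyst instead of being absorbed,
            # so a single large event cannot drag the baseline upwards.
            b.learn(mb)
    return sorted(alerts, key=lambda a: (RANK[a[2]], a[0]))

if __name__ == "__main__":
    print("frozen :", detect(EVENTS, alpha=0.0))
    print("refined:", detect(EVENTS, alpha=0.3))
```

With the frozen baseline, alice's new working pattern raises a medium alert every day from day 4 onwards; the refined baseline alerts once and then adapts, while bob's 900 MB day is ranked high in both cases.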
Structurally, how data science is applied in the infosec domain is still an open question.
While larger companies may now be investigating data science or have already set up a practice within the organisation, only a small proportion will have a dedicated security wing. This is likely to be because the jury's still out on whether data science should be a centralised or line-of-business set-up.
However, data science has a lot to offer the IT department, whichever department it reports into. One of the key advantages of well-deployed data science is that it typically has a strong focus on demonstrating the business value of its projects, leaving the board in no doubt as to their return on investment – and giving those in the IT department valuable ammunition when asking for more funding.
The first step for businesses looking to embark on a data science project is to identify the business need that it will address. From there, the data comes into its own: organisations need to ask whether they have the information they need to generate the insight they require and meet that business need – and if not, develop a plan to obtain it.
Data science in general offers a way for businesses to profit from the data they hold in order to improve their processes and operations.
In the field of security, it is opening new possibilities for organisations to query diverse datasets and use the information they've gathered to block would-be attacks, investigate potential threats, and automate security practices.
Data science is proving its value to the broader business. The onus on security organisations now is to prove and validate that it can do the same for our own specialist domains.