Discovering Insider Cyber Attacks

Lurking in the shadows behind your favorite websites and apps, cyber attacks are more prevalent than ever. The number of technology systems that enterprises need to defend (such as personal computers and tablets), is constantly growing. Combine this with the constantly evolving nature of cyber threats, and it becomes apparent that new approaches to protecting our security are necessary.

To address this rapid evolution and development of cyber threats, enterprises are turning to big data analytics to detect and defend against attacks. However, the sheer volume of data reporting and false positive rates are daunting to analyze and require a solution to extend data results.

Savanna’s dynamic, all-source analysis environment, combined with Splunk’s Enterprise Security® machine data gathering platform, provides analysts with the functionality to investigate each point of interest, discovering connections and evidence to implement strategies for prevention methods. Because of the complex, quickly evolving nature of this problem, a collaborative and holistic environment is necessary for effective analysis and dissemination. Savanna’s shareable workspace and unique, model-based approach are ideal for analyzing complex problems like cybersecurity.

Savanna Takes on Insider Cyber Threats

A group of analysts decide that they want to explore a triggered Splunk report indicating a potential cyber threat, recent verified cyber attacks and potential prevention methods.

1: Frame the Problem

First, they create a narrative mind map with Crumbnet, Savanna’s narrative mind mapping tool, to outline hypotheses and assumptions about this insider cyber threat incident.

2: Capture Information

With Savanna’s dynamic Occurrence dossiers, the analysts collaboratively populate an information network about a potential cyber attacker that Splunk Enterprise named as a Notable Threat. Occurrences are building blocks that capture people, organizations, things, places and events related to a problem. In this case, the analysts make a “Layton Massop” Person Occurrence. Under its Events section, they add the report of when Massop first triggered the Splunk security alert.

3: Visualize Data to Find Meaning

Linknet
Then, they create a Linknet (Savanna’s link charting tool) to add multiple Occurrences from the information network to visualize connections between Massop and other employees at his company. They add it to the Cybersecurity Space (Savanna’s content problem area) for later use.

Map
With the Map tool, they can geospatially visualize an uploaded CSV of verified cyber attacks with Savanna’s Grid tool. Here, they get a bird’s-eye view of when and where cyber attacks were committed. The temporal filter allows them to examine incidents from different months or years, so they can note any changes in time. They take a screenshot of the Map to be used later in a report and save it to the Cybersecurity Space.

Graphic
With Graphic, they can customize Grid (CSV) data to display as bar charts, line charts and more, depending on the data used. Here, they’ll visualize verified cyber attacks as a bar chart. In the Layers panel, they can customize the Graphic by assigning different colors to the categories within a data series, choosing the number of categories they wish to display, or displaying multiple data series on a Graphic at once in order to easily compare information.

Timeline
With Timeline, they can drop multiple Occurrences, such as various suspected notable threat person Occurrences, onto a visual span of time to draw connections between events within each Occurrence. Visualizing event times from multiple Person Occurrences side-by-side lets the analysts see similar download activity between Massop and an HR employee.

4: Discover New Information

To provide more supporting evidence, they’ll use Savanna’s Search tool to find relevant content. Because Savanna’s Search feature can pull indexed mentions of key terms from within PDFs and Analyst’s Notebook® Charts, they’re able to find a previously built Chart uploaded by another Savanna user outlining the 2014 Sony cyber attack. They can easily add the Chart to their Space to be used as supporting evidence in the Compliance and Transparency Crumbnet.

5: Place Evidence

The analysts then revisit the Crumbnet outlining cybersecurity threats and add discoveries and evidence collected throughout their analysis. From the Space Content panel, they add the cyber attacks Graphic and Map as supporting evidence to a node.The Crumbnet now acts as an evolving, fully sourced summary of the progressing analysis and is shared with team members and exported to PDF to share with people working outside Savanna.

The Result

Now, with the supporting evidence they have created and gathered, they’re ready to compile their findings in a report in Savanna’s Production tool. In Production, they create a multi-page report with their compiled findings, such as an image of the Map depicting verified cyber attacks in Korea and a hyperlink to the Splunk Security app to view similar notable threat reports. Once complete, the Production is shared directly with team members using Savanna and is exported to PDF to send to fellow analysts and decision-makers for further action and prevention.