Discovering human intent in a sea of data
Cyber security sleuths find badness in the benign.
Skye Wu and her team would make great detectives. Pieces of information that most of us would find routine and benign they find interesting and valuable, and it is that curiosity that allows them to stop breaches before they happen.
Their work at Telstra is by its nature highly sensitive. Within the constraints of Telstra’s tight internal privacy policies, they examine the data streams that security systems capture to understand where corporate data travels, who can access it and how, and in doing so often answer questions few have thought to ask. They identify activities that hint at security gaps or the subversion of policies, and highlight technologies and data in need of stronger protection.
It’s a story few organisations have the capability to tell. Discovery, as the team is known, is a proactive wing of Telstra Cyber Security’s Threat Research and Intelligence unit, established a few years ago in an effort to build a capability to find unknown business risks.
“We rely on the data, expertise and knowledge already possessed within the organisation to illuminate risks and activities that are happening and unseen,” Wu says.
“These activities may be a fact of life, or it could land us on the front page of major newspapers. We won’t know unless we look and seek to understand them.”
Wu described her team’s work at the Australian Women in Security Lunch in Melbourne last month. Wu explained to delegates how Discovery experts start with a question and seek out people, processes, and technologies that help tell the story.
This, she says, requires critical thinking and an ability to look outside Cyber Security’s turf.
Wu and her team of eight draw together benign bits of data and ask questions about them to discover human intent. Activities that hint at concealment might be the use of unorthodox methods by users to work with unwieldy systems, for example.
“Looking at indicators or data in isolation won’t give us the full story,” Wu says. “The reality is that we’re not going to spot the bad guy by looking for someone in a balaclava.”
Discovery teams are most effective with dedicated staff – a resource typically restricted to enterprises – but Wu says even small businesses with a single security staffer can apply the discovery mission statement to learn more about threats emanating from within.
“Small businesses could look over proxy logs and ask ‘who of my staff consumes the most internet data? Are there big fluctuations month to month? Is this normal depending on their role? Who are my top staff whose internet activity keeps getting blocked at the proxy or internet gateway?’,” Wu says. “They may find surprising things.”
There are no bespoke security tools for Discovery teams, so Wu and her colleagues are working with universities and Telstra’s Chief Technology Office to develop new intelligent platforms they can use to better interrogate data.
Wu says Discovery teams in large organisations could use their existing data analytics capabilities while those in smaller businesses could use less expensive tools and keep track of data across spreadsheets.
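As an added illustration, not code from Telstra or the Discovery team, the proxy-log questions Wu suggests for small businesses can be answered with a short script. The log format (timestamp, user, bytes, action), the sample rows and the threefold growth threshold are all assumptions constructed for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample proxy log (not real data).
# Assumed columns: timestamp, user, bytes transferred, proxy action.
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,120000000,ALLOWED
2024-03-11T14:30:00,bob,40000000,ALLOWED
2024-03-15T10:05:00,carol,900000000,ALLOWED
2024-03-20T16:45:00,bob,0,BLOCKED
2024-04-02T09:00:00,alice,130000000,ALLOWED
2024-04-09T11:20:00,bob,400000000,ALLOWED
2024-04-10T11:25:00,bob,0,BLOCKED
2024-04-10T11:26:00,bob,0,BLOCKED
2024-04-18T13:00:00,carol,950000000,ALLOWED
2024-04-22T15:10:00,alice,0,BLOCKED
"""

def summarise(log_text):
    """Return (bytes per user per month, blocked-request count per user)."""
    monthly = defaultdict(lambda: defaultdict(int))
    blocked = defaultdict(int)
    for row in csv.reader(StringIO(log_text)):
        if not row:  # tolerate blank lines in exported logs
            continue
        ts, user, nbytes, action = row
        monthly[user][ts[:7]] += int(nbytes)  # ts[:7] is "YYYY-MM"
        if action == "BLOCKED":
            blocked[user] += 1
    return monthly, blocked

def top_n(counts, n=3):
    """Rank a {user: number} mapping from highest to lowest."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]

def fluctuations(monthly, factor=3.0):
    """Flag users whose usage grew by at least `factor` between active months."""
    flagged = []
    for user, months in monthly.items():
        ordered = sorted(months)
        for prev, cur in zip(ordered, ordered[1:]):
            if months[prev] and months[cur] / months[prev] >= factor:
                flagged.append((user, prev, cur, round(months[cur] / months[prev], 1)))
    return flagged

if __name__ == "__main__":
    monthly, blocked = summarise(SAMPLE_LOG)
    print(top_n({u: sum(m.values()) for u, m in monthly.items()}))
    print(fluctuations(monthly), top_n(blocked))
```

The script only surfaces candidates; whether a flagged pattern is normal for a person's role is the question the analyst still has to answer.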