Cybersecurity

EXPERT ADVICE

Big Data and the London Olympics Cybersecurity Challenge

Security has been a top concern of the Olympic Games ever since that fateful day in September of 1972 when terrorists killed members of the Israeli Olympics team. Since then, each Olympics has only increased its level of security consideration.

The more recent games have had to focus as much on cybersecurity as they have on physical security. A threat to the Olympics no longer has to reside in the host city; they can wreak havoc across oceans.

Imagine the discomfort and chaos a remote hacker could achieve if able to compromise the water control and sewage systems for the Olympic campus. The result is that where previously, maybe hundreds of threats had to be managed, today Olympic organizers must prepare to defend against millions.

The State of Cybersecurity: Much Worse

In the most recent Beijing Olympics, it is estimated there were 12 million potential cybersecurity threats each day. The reality is the majority of these threats were easily mitigated — routine cybersecurity attacks from automated tools and moderately skilled attackers. However, within those millions of benign threats, there were legitimate concerns as well. This presents a significant challenge: how to find the real threat within the noise.

For the upcoming London Olympic Games, organizers are doing their best to prepare for this challenge. State of the art systems have been implemented to monitor hardened networks and systems. Security Operation Centers (SOC) have been staffed to monitor threats 24 x 7. Ethical hackers have been employed to test the security and capability of systems and staff. The question is, will it be enough?

Since the Beijing Olympics, the state of cybersecurity in general has become worse — some would argue much worse. Cybercrime has increased with criminals enjoying a much more mature cybercrime supply chain that fuels and amplifies their efforts.

Hacktivism has reached an all-time high and the threat of cyberterrorism has never been more real — both also enabled by this same cybercrime supply chain. Olympic organizers will need to contend with these threats — and more — at a volume, variety and velocity never seen before.

Not coincidentally, these same three “V’s” — volume, variety and velocity — comprise Big Data, and it is Big Data that will help secure the Olympics.

Real-Time Threat Detection

Example

A terrorist organization has compromised the account of an Olympic organizer IT admin. One of its members, Joe, has also gotten a job on the IT helpdesk. Joe uses his door badge to let Jane, a skilled hacker, into a secured office setting and then into a LAN closet with a computer terminal.

Jane authenticates to the network using the compromised IT admin account and begins to probe the network. The SIEM detects the following and raises the alarm:

Abnormal Pattern:

  • An employee identified as Joe entered the LAN closet.
  • An employee identified as Gary (the compromised IT admin account) logged into the terminal in the LAN closet.

Abnormal Behavior

  • Gary has never authenticated to that terminal based on past observed behavior.
  • Gary has never connected to some of the systems being probed by the attacker impersonating Gary.

A SOC analyst immediately begins investigating the alarm. First a search is run on all activity for Gary. It immediately shows that Gary has never badged into the LAN room, much less 1 minute ago. It also shows that Gary just authenticated to another terminal in a data center 30 minutes away.

The threat is real. As the first countermeasure, the switch port the attacker is using is reconfigured as part of containment VLAN. This is done so that the attacker doesn’t realize she has been detected. Security is notified and is able to apprehend the attacker w/o incident.

Almost all activity that occurs on a digital system involved in the operation of the Olympics will generate activity logs. These logs can provide insights into the health of a system, what a user accessed, where someone logged in from, if network activity appears malicious, etc. If these logs can be effectively harnessed, they can help keep the Olympics secure.

For the duration of the Olympics, thousands of logs will be generated every second, resulting in millions — if not billions — per day. This is a velocity of data a human operator simply cannot contend with.

Petabytes of log data will likely be generated before the games’ end. This is a volume of data that presents significant technical challenges to store and manage effectively. The type of log data collected will vary greatly. Logs will be generated across all layers of IT and physical security infrastructures — firewalls, routers, servers, applications, point-of-sale systems, door badge readers, etc. This is a variety of data that presents profound analysis challenges.

In support of defending against threats, a Security Information and Event Management (SIEM) solution has most assuredly been deployed. A primary role of this solution will be to detect threats that evade preventive measures or originate from within the internal networks.

If the deployed SIEM is a state-of-the art next generation solution, it will need to collect all log data generated across the Olympics IT infrastructure and physical security systems. It should feed this information into real-time analysis engines that can look across this massive data set and identify the threats within. This is Big Data applied to real-time log data correlation, pattern recognition and behavioral analysis.

Another primary role of the SIEM solution will be helping SOC operators respond to threats detected from automated real-time analytics or via manual analysis by security teams. In this role, the SIEM will need to provide fast access to forensic data for further analysis, decision making, and response.

Logs will need to be infused with context and additional intelligence to support meaningful analysis and provide situational awareness. Ideally, the SIEM will be capable of implementing automatic response and countermeasures to verified threats. This is Big Data applied to forensic data search, analysis and response.

It is hard to predict whether this year’s Olympics will survive a high-profile security incident. What is sure is that this year will be the most challenging yet in terms of cybersecurity.

Fortunately, technology has advanced our ability to handle and harness Big Data in meeting this challenge. If the worst thing reported on the Olympics is my country not winning enough gold medals, I’m confident next generation SIEM’s Big Data abilities will have had a huge part to play.

Chris Petersen is CTO and cofounder of LogRhythm, a log management and SIEM 2.0 IT security company.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels