Security Analysts vs. Cybercriminals

Data has become a popular target of theft, particularly in the financial sector. From her post in the Security Operations Center of SIX, security analyst Evrim fights on the front lines to thwart digital raids.

The signal column on the right above her desk suddenly lights up, flashing red. A piercing alarm sounds. Evrim stays calm. A glance at the four monitor screens facing her shows no security-related incident. She can resume the briefing with her colleague from the night shift, whom she is relieving. Were there incidents that he had to analyze? What trends should she continue to keep an eye on? Were there perhaps even actual cyberattacks? Everything was quiet, is the response. There were no particular incidents at the Security Operations Center (SOC) of SIX.

But what about the alarm just now? Every day the SOC surveils up to two billion access requests to the IT infrastructure operated by SIX that interconnects the players in Switzerland’s financial sector. That infrastructure is accessed 30,000 times per second during peak moments. “All acts of accessing this network potentially pose a security issue,” Evrim explains. Very few of them trip an alarm, though, and even fewer of them actually constitute a danger. “But I have to check into them nonetheless.” That’s her job as a security analyst. Evrim monitors the networks operated by SIX and those operated by clients in real time and reacts instantly if a suspicion is confirmed.

Individual access events say little, though, as correlations first emerge in the aggregate. That’s why the security analysts in the SOC get assistance in establishing such correlations from a variety of sources, including IBM Watson. The analytics software graphically depicts network access activity, making even the hidden visible. Cognitive computing enables IBM Watson to continually learn and to import knowledge from other sources.
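The point that single access events are unremarkable while the pattern only appears in the aggregate can be shown on a small scale. The following is an added illustration, not code from SIX or from IBM Watson: it parses constructed access-log lines (the line format is an assumption) and flags a source whose failed logins touch many distinct accounts within one time window, a correlation that no single line reveals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real SIX data). Assumed line format:
# "<ISO timestamp> <source ip> <account> <result>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 198.51.100.7 alice FAIL
2024-03-01T08:00:03 203.0.113.5 bob OK
2024-03-01T08:00:04 198.51.100.7 bob FAIL
2024-03-01T08:00:06 198.51.100.7 carol FAIL
2024-03-01T08:00:09 203.0.113.5 bob OK
2024-03-01T08:00:10 198.51.100.7 dave FAIL
2024-03-01T08:00:12 198.51.100.7 erin FAIL
2024-03-01T08:00:15 192.0.2.44 alice FAIL
2024-03-01T08:00:40 192.0.2.44 alice OK
"""


def parse(lines):
    """Turn raw log text into (time, source, account, result) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result))
    return events


def correlate(lines, window=timedelta(seconds=60), min_accounts=4):
    """Flag sources whose failed logins inside one window hit at least
    min_accounts distinct accounts. Each FAIL on its own looks like a
    typo; grouping by source and time makes the spraying pattern visible.
    Returns {source: number of distinct accounts in the offending window}."""
    fails = defaultdict(list)
    for t, src, account, result in parse(lines):
        if result == "FAIL":
            fails[src].append((t, account))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        # sliding window starting at each failure for this source
        for i, (start, _) in enumerate(items):
            accounts = {a for t, a in items[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = len(accounts)
                break
    return flagged
```

In the sample, 198.51.100.7 is flagged (five accounts in eleven seconds) while the single failure from 192.0.2.44, followed by a successful login, is not.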

In the meantime, Evrim has finished the briefing with her colleague. She starts to scroll through her e-mail inbox. Part of her job is to answer a steady influx of queries about security matters from other departments and teams at SIX. While she does that, she nevertheless always maintains an overview of all network activity, also thanks to the SOC’s multiple giant four-square-meter wall screens. It takes time to answer the e-mails, but it’s a very worthwhile task. “Sensitizing our colleagues to cyber security facilitates our work here in the SOC. Every phishing e-mail that doesn’t get opened means one less alarm to deal with.”

Industrialization of Cybercrime

As if her statement needed corroboration, the surveillance system chimes in again. And this time, a phishing attempt has indeed occurred. Evrim analyzes the incident and rates it as a threat. A colleague evidently was lured by a fake e-mail message to a malicious website and unwittingly picked up malware there. The response unfolds lightning-quick. Going by the book, Evrim immediately notifies her internal contacts and informs them of all the details. The experts on containing and removing malware threats are reachable, and they likewise take immediate responsive action. The communication channels function flawlessly. The phishing attempt is thwarted.

“The attacks are becoming ever more sophisticated and their frequency is continually increasing,” Evrim says, attributing this to the growing industrialization of cybercrime. “A cybercriminal used to have to manage the entire production chain on his own. In the case of a phishing attack, he had to compose the e-mail himself and make it look credible, and had to send it himself. He not only needed addresses to do that, but also the requisite software. And then he also had to build the website that he wanted to lure his victims to. Today he just buys all of that as a complete package easily and inexpensively. With money laundering perhaps even included.”

The words she uses make it clear: The job of security analyst also requires a flair for criminology. “I like to compare the SOC to a police station – an ultramodern police station. We, too, hunt down crooks, but crooks who shoot bits instead of bullets.” Evrim has never attended a police academy, though. She is a trained computer scientist with specialization as a systems engineer and holds an additional certification in cyber security. She is currently pursuing a bachelor’s degree in application development.

No Such Thing As Absolute Security

Evrim and her colleagues in the SOC are not battling alone against cybercriminals. The threat analyses of SIX draw on information from an entire network that continually delivers updates on present dangers. “That way we are constantly learning very quickly. Nevertheless, there is no such thing as absolute security,” Evrim notes matter-of-factly. “We can gird ourselves against a lot of threats, but it’s impossible to completely apprehend every one of them before they surface.” If it were possible, that would probably be too boring for the inner detective in Evrim. “As long as everything functions according to plan in the end, it’s sometimes nice to have a little action,” Evrim admits as she looks forward almost with glee to the next alarm. But this day triggers no further alarms. Everything stays quiet through the end of her workday. Now it’s her turn to brief her colleague taking over the next shift, because the SOC never sleeps.