Individual access events say little on their own; correlations only emerge in the aggregate. That is why the security analysts in the SOC draw on a variety of sources, including IBM Watson, to establish such correlations. The analytics software graphically depicts network access activity and surfaces patterns that no single event would reveal. Cognitive computing enables IBM Watson to learn continually and to import knowledge from other sources.
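To make the point concrete, here is an added example of the kind of aggregation a SOC analyst relies on. It is not code from SIX or from IBM Watson; the log lines are constructed for illustration, and the field layout, window sizes and thresholds are assumptions. Each line, read alone, is unremarkable: one failed login, one successful login. Grouped by source address and by user, two of them turn into a password-spraying attempt and a user signing in from two networks minutes apart.

```python
"""Correlating individual access events into aggregate signals.

Added example, not code from SIX or IBM Watson. The log lines below are
constructed for illustration; field names, windows and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <source ip> <result>"
SAMPLE_LOG = """\
2019-03-04T08:00:01 alice 203.0.113.10 FAIL
2019-03-04T08:00:05 bob 203.0.113.10 FAIL
2019-03-04T08:00:09 carol 203.0.113.10 FAIL
2019-03-04T08:00:14 dave 203.0.113.10 FAIL
2019-03-04T08:00:18 erin 203.0.113.10 FAIL
2019-03-04T08:00:22 frank 203.0.113.10 FAIL
2019-03-04T08:00:27 frank 203.0.113.10 OK
2019-03-04T08:05:00 grace 198.51.100.7 OK
2019-03-04T08:07:30 grace 192.0.2.44 OK
2019-03-04T09:00:00 heidi 198.51.100.9 FAIL
2019-03-04T09:00:03 heidi 198.51.100.9 OK
"""


def parse_events(text):
    """Turn the raw lines into dicts with a real timestamp and a boolean result."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "OK"})
    return events


def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """One source IP failing against many distinct users inside a time window.

    A single failure looks like a typo; a burst of failures against different
    accounts from the same address is the signature of password spraying.
    Returns (ip, sorted list of all users that IP failed against).
    """
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    findings = []
    for ip, fails in sorted(fails_by_ip.items()):
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # slide the window forward until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in fails[start:end + 1]}) >= min_users:
                findings.append((ip, sorted({e["user"] for e in fails})))
                break
    return findings


def detect_multi_ip(events, window=timedelta(minutes=10)):
    """The same user succeeding from two different addresses within `window`.

    Each login is legitimate on its face; the pair is what needs a look.
    Returns (user, earlier ip, later ip) for each such pair.
    """
    oks_by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            oks_by_user[e["user"]].append(e)
    findings = []
    for user, oks in sorted(oks_by_user.items()):
        oks.sort(key=lambda e: e["ts"])
        for prev, cur in zip(oks, oks[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                findings.append((user, prev["ip"], cur["ip"]))
    return findings


def successes_from_spray_sources(events, spray_findings):
    """Accounts that logged in successfully from an address flagged as spraying."""
    spray_ips = {ip for ip, _ in spray_findings}
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in spray_ips})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("password spraying:", spray)
    print("multiple source IPs:", detect_multi_ip(evs))
    print("likely compromised:", successes_from_spray_sources(evs, spray))
```

Run as-is, the block flags 203.0.113.10 as spraying six accounts, frank as the one account that then logged in from that address, and grace as signing in from two networks within ten minutes. The individual lines for heidi (one failure, one success from the same address) trigger nothing, which is the desired behaviour: the correlation, not the event, carries the signal.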
In the meantime, Evrim has finished the briefing with her colleague. She starts to scroll through her e-mail inbox. Part of her job is to answer a steady influx of queries about security matters from other departments and teams at SIX. While she does that, she nevertheless always maintains an overview of all network activity, also thanks to the SOC’s multiple giant four-square-meter wall screens. It takes time to answer the e-mails, but it’s a very worthwhile task. “Sensitizing our colleagues to cyber security facilitates our work here in the SOC. Every phishing e-mail that doesn’t get opened means one less alarm to deal with.”
Industrialization of Cybercrime
As if her statement needed corroboration, the monitoring system sounds again. This time, a phishing attempt has indeed occurred. Evrim analyzes the incident and rates it as a threat: a colleague was evidently lured by a fake e-mail message to a malicious website and unwittingly picked up malware there. The response unfolds lightning-fast. Going by the book, Evrim immediately notifies her internal contacts and passes on all the details. The experts on containing and removing malware are reachable, and they likewise take immediate action. The communication channels function flawlessly. The phishing attempt is thwarted.
“The attacks are becoming ever more sophisticated and their frequency is continually increasing,” Evrim says, attributing this to the growing industrialization of cybercrime. “A cybercriminal used to have to manage the entire production chain on his own. In the case of a phishing attack, he had to compose the e-mail himself and make it look credible, and had to send it himself. He not only needed addresses to do that, but also the requisite software. And then he also had to build the website that he wanted to lure his victims to. Today he just buys all of that as a complete package easily and inexpensively. With money laundering perhaps even included.”
The words she uses make it clear: The job of security analyst also requires a flair for criminology. “I like to compare the SOC to a police station – an ultramodern police station. We, too, hunt down crooks, but crooks who shoot bits instead of bullets.” Evrim has never attended a police academy, though. She is a trained computer scientist with specialization as a systems engineer and holds an additional certification in cyber security. She is currently pursuing a bachelor’s degree in application development.
No Such Thing As Absolute Security
Evrim and her colleagues in the SOC are not battling alone against cybercriminals. The threat analyses of SIX draw on information from an entire network that continually delivers updates on present dangers. “That way we are constantly learning very quickly. Nevertheless, there is no such thing as absolute security,” Evrim notes matter-of-factly. “We can gird ourselves against a lot of threats, but it’s impossible to completely apprehend every one of them before they surface.” If it were possible, that would probably be too boring for the inner detective in Evrim. “As long as everything functions according to plan in the end, it’s sometimes nice to have a little action,” Evrim admits as she looks forward almost with glee to the next alarm. But this day triggers no further alarms. Everything stays quiet through the end of her workday. Now it’s her turn to brief her colleague taking over the next shift, because the SOC never sleeps.