UFCFFY-15-M¶

Cyber Security Analytics¶

01: Introduction¶

Prof. Phil Legg¶

About Me¶

http://www.plegg.me.uk

Co-Director:

  • UWEcyber ACE-CSE (NCSC-certified)

Programme Leader:

  • MSc Cyber Security (NCSC-certified)
  • IoC Skills Bootcamp

Module Leader:

  • Cyber Security Analytics
  • Security Data Analytics and Visualisation

Research Interests: Cyber security, Machine learning, Visualisation - insider threat, security analytics, adversarial AI, explainable AI

    Module Information¶

    Schedule¶

    • Lecture: Wednesday 09:00-10:00 (1 hour)
    • Practical Lab: Wednesday 10:00-12:00 (2 hours)

    Please check your UWE timetable for room information.

    Assignment¶

    This module is assessed by a portfolio that is worth 100% of the marks.

    • Task 1 (Release Week 2, 20%): Conduct an investigation on a web application to identify malicious attack activity using Python data science libraries.
    • Task 2 (Release Week 4, 20%): Conduct an investigation on a URL database to develop a DGA classification system using machine learning techniques.
    • Task 3 (Release Week 6, 40%): Conduct a research study using a virtualised infrastructure to simulate attacks and identify these through a SIEM platform.
    • Task 4 (Release Week 8, 20%): Produce a video presentation for a prospective employer that presents your practical work and provides a critical reflection of your learning.

    Submission date: 12th May 2022 (Week 13). Submission to be made via Blackboard.

    Module Overview (Weeks 1-6)¶

    • Week 1 (2nd February): Role of Cyber Security Analytics
    • Week 2 (9th February): Security Operations and Frameworks (Task 1)
    • Week 3 (16th February): Security Monitoring and Analysis
    • Week 4 (23rd February): Machine Learning for Cyber Security (Task 2)
    • Week 5 (2nd March): Visualisation for Cyber Security
    • Week 6 (9th March): Mid-module review (Task 3)

    Module Overview (Weeks 7-12)¶

    • Week 7 (16th March): Cyber Security Analytics Research
    • Week 8 (23rd March): Case Study: Malware Analysis
    • Week 9 (30th March): Case Study: Insider Threat Detection
    • Week 10 (6th April): Case Study: Text Analytics

    Easter Break


    • Week 11 (27th April): Future of Cyber Security Analytics
    • Week 12 (4th May): Module recap

    Feedback¶

    • Please do make use of the online Q&A form (linked via Blackboard) to post your course questions.
    • Please do regularly check your emails to observe course announcements.
    • Please do bring your questions to lab sessions so that staff can assist you.
    • You will receive formative feedback on your work during lab sessions, please use this to develop your final submissions.
    • You will receive summative feedback at the end of the course on return of your assignments.

    Other useful resources¶

    • CyBOK: Security Operations and Incident Response
    • CyBOK: Malware and Attack Technologies
      • This course is aligned to these two CyBOK Knowledge Areas.
    • Certification: CompTIA Cybersecurity Analyst (CySA+)
      • This course covers many of the topics related to this industry certification.
    • Employability: UK Cyber Security Council
      • This resource covers career paths that align with the skills developed in this module.

    01: Role of Cyber Security Analytics¶

    In this session we will cover:

    • What is the role of a Cyber Security Analyst?
    • Roles, responsibilities, skills required, job opportunities
    • Why is Data Science important to Cyber Security?
    • What kind of tools exist to integrate Data Science and Cyber Security?

    What is the role of a Cyber Security Analyst?¶

    What do you think Cyber Security Analytics is all about?¶

    • Understanding data related to your organisational security
    • Developing situational awareness: past, present and future
    • Identifying and responding to threats

    What kind of data may be useful?

    • Network traffic
    • System logs
    • Application data
    • Email activity
    • Reputation / threat database - blacklists of known threats
    • Open-Source Intelligence (OSINT)

    "Cyber Security Analytics is about how data can be used to inform of threats, vulnerabilities and risk that an organisation may be exposed to."¶

    It is a defensive strategy to better understand the operational environment of digital assets, and a means to make better informed decisions to protect and defend the organisation.

    Cyber Security job roles¶

    Entry level¶

    • Cyber security analyst
    • Cyber security specialist / technician
    • Cyber crime analyst / investigator
    • Incident analyst / responder
    • IT auditor

    Mid level¶

    • Cybersecurity analyst
    • Cybersecurity consultant
    • Penetration and vulnerability tester

    Advanced level¶

    • Cybersecurity manager / administrator
    • Cybersecurity engineer
    • Cybersecurity architect

    Job Opportunities¶

    • Junior Cyber Security Analyst
    • Junior SOC Analyst
    • Junior Information Security Consultant
    • Useful article on SOC analyst job role by CSO online
    • Cyber Security Career Pathways

    Example¶

    "Senior Threat Analyst - Microsoft"¶

    Link

    Security Intelligence is a process¶

    • Requirements (Planning and Direction)
    • Collection (and processing) - SIEMs
    • Analysis - ML, AI, data science - all analysis is done in the context of a use case developed in the planning stage.
    • Dissemination
    • Feedback

    Security Intelligence vs Cyber Threat Intelligence¶

    • Security intelligence tends to be an inward facing activity - internal observations in our logs.
    • Cyber threat intelligence tends to be an outward facing activity - external threats that we need to prepare for.

    Are we dealing with narrative reports or with data feeds? We need to consider both!

    Network Security Tools¶

    • Network traffic data (e.g., packet captures) can be used to identify what information has been communicated, and therefore what activity has taken place on a network (e.g., access to a particular URL, or downloading of particular files).
    • Firewalls can be used to block inbound/outbound activity based on pre-configured rules (e.g., IP address, port number, etc...).
    • Intrusion Detection Systems (IDS) inspect inbound/outbound network traffic to identify suspicious activity and raise an alert for an analyst to act on; they do not stop the traffic themselves.
    • Intrusion Prevention Systems (IPS) sit inline, inspect inbound/outbound network traffic to identify suspicious activity, and automatically block it. Because a false positive now blocks legitimate traffic, IPS rules need tighter tuning than IDS rules.
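The difference between a firewall's pre-configured rules and an IDS/IPS inspecting traffic for suspicious behaviour can be shown on a handful of flow records. The following is an added example for this session, not code from the lecture or its labs: the flow records, the IP addresses, the rule set and the port-scan threshold are all constructed for illustration. A firewall rule matches fixed fields (IP, port, protocol) with first-match semantics; the "IDS" looks across many flows to spot one source touching many ports on one host; the "IPS" combines the two and blocks the scanning source outright.

```python
"""Rule-based blocking versus traffic inspection on constructed flow records.

Added example: the flows, addresses and rules below are made up for
illustration and are not part of the lecture material.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample traffic: ordinary web and DNS traffic, one flow to a
# "blocklisted" address, and one host probing 30 ports on 10.0.0.5 in 30 s.
FLOWS = [
    Flow(0, "10.0.0.7", "93.184.216.34", 443, "tcp"),
    Flow(1, "10.0.0.7", "10.0.0.53", 53, "udp"),
    Flow(2, "10.0.0.9", "203.0.113.66", 4444, "tcp"),
    *[Flow(3 + i, "10.0.0.42", "10.0.0.5", 20 + i, "tcp") for i in range(30)],
    Flow(40, "10.0.0.7", "10.0.0.5", 80, "tcp"),
]

# Firewall rules: first match wins; a rule matches when every field it names
# equals the flow's value. Anything unmatched falls through to the default.
FIREWALL_RULES = [
    {"action": "deny", "dst": "203.0.113.66"},          # reputation blocklist hit
    {"action": "deny", "dport": 4444, "proto": "tcp"},  # commonly abused port
    {"action": "allow", "dport": 53, "proto": "udp"},
]


def firewall_verdict(flow, rules=FIREWALL_RULES, default="allow"):
    """Return 'allow' or 'deny' for one flow; the rule set never looks at
    any other flow, which is exactly why it cannot see a port scan."""
    for rule in rules:
        fields = {k: v for k, v in rule.items() if k != "action"}
        if all(getattr(flow, k) == v for k, v in fields.items()):
            return rule["action"]
    return default


def detect_port_scans(flows, min_ports=10, window=30):
    """IDS-style inspection across flows: flag a source that reaches at least
    min_ports distinct destination ports on one host within `window` seconds.
    Returns {(src, dst): max_distinct_ports_seen_in_a_window}."""
    touched = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for f in flows:
        touched[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = {}
    for key, events in touched.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


def ips_verdicts(flows, min_ports=10, window=30):
    """IPS-style: apply the firewall rules, but also deny every flow from a
    source the scan detector has flagged, not only the flows a rule names."""
    scanning = {src for src, _ in detect_port_scans(flows, min_ports, window)}
    return ["deny" if f.src in scanning else firewall_verdict(f) for f in flows]


if __name__ == "__main__":
    for f, v in zip(FLOWS, ips_verdicts(FLOWS)):
        print(f"{f.ts:3d} {f.src:>10} -> {f.dst}:{f.dport}/{f.proto} {v}")
    print("scan alerts:", detect_port_scans(FLOWS))
```

Lower `min_ports` or widen `window` and the detector fires on ordinary hosts too; that tuning trade-off is what separates an IDS that alerts from an IPS that blocks.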

    Big Data Security Analytics¶

    “Security is about understanding systems, the people, and the processes that act upon these systems, such that they remain secure”

    Security Data Visualization Skills¶

    Data science and security visualisation require the following blend of skills: the ability to hack and manipulate data, an understanding of statistical techniques, and the domain knowledge of what information is relevant and important for the purpose of security.

    • Substantive Expertise – The security domain knowledge that enables the practitioner to understand the data, determine what is expected, and recognise anomalies or meaningful metrics in a visualisation.
    • Hacking Skills – The programming and data-wrangling skills of a data scientist, needed to acquire, clean and sanitise large volumes of data before it can be analysed.
    • Math & Statistics Knowledge – Needed to choose the right tools and to understand the spread and other characteristics of the data, so that the insight drawn from it is sound.

    Data-Driven Storytelling¶

    • Novelty: We may want to observe when something appears in our observations for the first time.
    • Outlier: We may want to observe when something familiar takes an unusual value within our observations.
    • Trend: We may want to observe the historical pattern of observations.
    • Forecasting: We may want to observe how the historical pattern projects forward to what may come in the future.
    • Debunking: We may want to observe how our data contradicts an opinion of what may come.
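Each of these five storytelling questions maps to a small piece of analysis. The block below is an added example, not part of the lecture notes: it runs novelty, outlier, trend, forecast and debunking over a constructed two-week series of daily failed-login counts and a constructed set of login source countries, using only the Python standard library. One design point is that the outlier test uses the median and median absolute deviation (the modified z-score) rather than mean and standard deviation, because a single large spike inflates the standard deviation enough to hide itself; the trend and forecast then mask out flagged days so the spike does not drag the fitted line.

```python
"""Novelty, outlier, trend, forecast and debunking over a constructed series
of daily failed-login counts. Added example, not part of the lecture notes;
the counts and country codes are made up."""
import statistics

# Constructed: failed SSH logins per day for two weeks, rising slowly, with a
# one-day brute-force burst on day 10.
FAILED_LOGINS = [12, 14, 13, 15, 16, 15, 18, 17, 19, 20, 95, 21, 22, 23]

# Constructed: source countries of successful logins last month vs this week.
BASELINE_COUNTRIES = {"GB", "DE", "FR", "US"}
THIS_WEEK_COUNTRIES = {"GB", "US", "RU", "KP"}


def novelty(current, baseline):
    """Novelty: values seen now that never appeared in the baseline."""
    return sorted(set(current) - set(baseline))


def outliers(series, threshold=3.5):
    """Outlier: indices whose modified z-score |0.6745 * (x - median) / MAD|
    exceeds threshold. Median/MAD are robust to the very spike being hunted;
    mean/stdev would be pulled towards it."""
    med = statistics.median(series)
    mad = statistics.median(abs(x - med) for x in series)
    if mad == 0:                       # constant series: nothing to flag
        return []
    return [i for i, x in enumerate(series)
            if abs(0.6745 * (x - med) / mad) > threshold]


def linear_fit(points):
    """Least-squares line y = slope * x + intercept through (x, y) points."""
    n = len(points)
    x_mean = sum(x for x, _ in points) / n
    y_mean = sum(y for _, y in points) / n
    sxx = sum((x - x_mean) ** 2 for x, _ in points)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in points)
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def _fit_points(series, drop_outliers):
    skip = set(outliers(series)) if drop_outliers else set()
    return [(i, y) for i, y in enumerate(series) if i not in skip]


def trend(series, drop_outliers=True):
    """Trend: fitted slope in events per day, with outlier days masked out."""
    return linear_fit(_fit_points(series, drop_outliers))[0]


def forecast(series, days_ahead, drop_outliers=True):
    """Forecast: extrapolate the fitted line days_ahead past the last day."""
    slope, intercept = linear_fit(_fit_points(series, drop_outliers))
    return slope * (len(series) - 1 + days_ahead) + intercept


def debunk(series, claim):
    """Debunking: does the data contradict a claimed direction?
    claim is 'rising', 'falling' or 'flat' (flat = |slope| < 0.1 per day).
    Returns (contradicted, observed_direction)."""
    s = trend(series)
    observed = "rising" if s > 0.1 else "falling" if s < -0.1 else "flat"
    return observed != claim, observed


if __name__ == "__main__":
    print("new source countries:", novelty(THIS_WEEK_COUNTRIES, BASELINE_COUNTRIES))
    print("outlier days:", outliers(FAILED_LOGINS))
    print(f"trend: {trend(FAILED_LOGINS):+.2f} failed logins/day")
    print(f"forecast for tomorrow: {forecast(FAILED_LOGINS, 1):.1f}")
    print("claim 'falling' contradicted:", debunk(FAILED_LOGINS, "falling"))
```

Swap the constructed series for a real daily count from a SIEM export and the same five functions answer the five storytelling questions; the threshold of 3.5 for the modified z-score is a common default, not a universal constant, and should be checked against what the analyst considers a genuine spike.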

    Further reading¶

    • Sarker, I.H., Kayes, A.S.M., Badsha, S. et al. Cybersecurity data science: an overview from machine learning perspective. J Big Data 7, 41 (2020). https://doi.org/10.1186/s40537-020-00318-5
    • Maayan, G. How Data Science Has Changed Cybersecurity. Datasciencedojo (2020).

    Practical Session¶

    1. Get started with the UWEcyber Virtual Machine
    2. Explore JupyterLab for Python notebooks
    3. Explore the lab examples:
      • 00-Python Primer
      • 01-"Hello, Security Analytics"
      • 02-Network Traffic Analysis