When you do a dirty, thankless job, no one appreciates you until you’re gone. Cybersecurity is a perfect example: While it’s working perfectly, no one ever thinks about it. But if a major database gets cracked, like the Equifax breach in 2018, it’s big news. If you rely on cybersecurity systems to keep your information and digital-self safe, then you likely don’t care about how many attacks your systems successfully fend off — all that matters is that they worked.
However, cybersecurity companies should consider taking an active role in surfacing the positive impact of their hard work. Analytics and embedded analytics yield all sorts of vital insights that companies can use to better understand how their solutions are working and share that understanding with customers and stakeholders.
Our new GoFigure! Report delves into a Kaggel dataset covering six months of successfully-deflected honeypot attacks made against AWS servers. We’ll dig into what a honeypot attack is and how it works, talk about why Amazon would release this data, why other cybersecurity companies should embrace analytics anad transparency, and what they (and anyone else with a strong analytics solution) can learn about their products.
The Sweet Taste of Success
The cybersecurity data contained in our GoFigure! Report revolves around attacks against AWS servers that were successfully deflected to a “honeypot server.” Much like how a body double draws fire from a high-value target, honeypots function as a decoy. To outside attackers, the honeypot looks like a “real” server (because it is), but the information within it is worthless. It’s just mimicking the APIs and other activity that attackers expect from a server that they want to hit. When an attack goes through successfully on the honeypot, it gets recorded as a “win” by the perpetrators, but they don’t actually end up with anything worth stealing.
Or, as the data will show, for these six months:
That’s a pretty sweet win rate. Do you think the average AWS user knows how good they have it? Probably not, which is one motivator for why AWS would publically release this data.
Unknown unknowns, not to get too philosophical here, are things you don’t know you don’t know. If you’re an AWS user who’s never had their data stolen or interfered with, again, you don’t know how good you have it. Therefore, Amazon releasing the results of six months of successfully-deflected attacks gives all those users a little glimpse at just one way the tech giant is safeguarding their stuff.
The best sign that a cybersecurity system is working perfectly is that nothing bad happens to the users’ data. The second-best sign comes from analytics that lay out the how, who, and when of the attacks and lets the users see what they’d be up against without protective measures. This kind of analysis also helps cybersecurity companies understand how the bad guys are behaving and learn from them to improve their systems in the future.
Knowing Thy Enemy
The AWS servers covered by this report averaged about 16,700 attacks deflected per week. That seems like a lot, and an enterprising cybersecurity analyst could just look at these raw numbers and say “Okay, I’ll build my system to handle 17k attacks a week,” and knock off early for the day.
And maybe they’d be okay.
However, if you’re going to track something, you might as well analyze it. And if you analyze the six months of data, as we did, you’d notice two hot flashes where attacks spike considerably.
Definitely dig into the whole report yourself to unlock exactly what was going on during these times, but it’s obvious that a system built to withstand 17k attacks/week would have failed on these occasions (and on a bunch more weeks!). Already our analyst’s fuzzy math isn’t up to the challenge.
Going deeper into the data, they would see that both of these peak attack times were during relatively short windows (one about 8 minutes and the other about 90 minutes). During these times, the system was inundated with almost a week’s worth of attacks. Now that 17k attacks/week is flatly wrong. That’s the benefit of analytics: you can more fully understand how people are attacking your system and strengthen it accordingly. Pure data and averages don’t tell the whole story and can leave you wide open when it really matters.
Notifications vs. Noticing
Getting desktop notifications about important happenings in your digital life seems like a good idea until you start getting too many of them and they lose all meaning. If you’re a cybersecurity company with a system like Amazon’s, getting 16,000 notifications a week that an attack has been successfully fended off will quickly fade into the background (if it doesn’t drive you completely insane first). Instead of getting a notification every time something important happens, analytics like those in this report give you a bird’s-eye view of important patterns that make you smarter, help you build a better product, and demonstrate value to end users.
Safety First, Analytics Always
If your bank told you it fended off 50,000 attacks a day, you’d take your money out and stick it under your mattress. But you can’t hook up an API to a mattress, so you’re pretty much stuck with some kind of online database solution. Embedded analytics that let you know when attacks have been successfully dealt with can give users peace of mind and help cybersecurity companies understand who’s coming after them, when, and how. They are the missing link between a solution that stands up to today’s threats and one that’s built for tomorrow’s challenges. And they make everyone a lot smarter than a system that constantly pings users with notifications that they will probably just ignore. Think “safety first, analytics always,” when it comes to cybersecurity.Download the full report See the interactive dashboard