• by Kasey Cross , Op-Ed Contributor, February 28, 2017

Reputation and integrity are the two hallmarks of media. These are hard to earn and easy to lose.

Accuracy, bias and perspective can affect these values, but an extraordinary event like a cyberattack could permanently undermine the standing of a media company. While accusations of “fake news” may cause a temporary upset, manipulation by a network intruder could cause irreparable damage.

According to an 18-month-old study by Newscycle Solutions, over 50% of media companies around the world have been the victim of a cyberattack. So far, with the exception of the Sony breach, many of these attacks resulted in minimal damage, but the potential impact can be huge.

Imagine if an attacker gains access to your network and can read, steal or tamper with any information or story unbeknownst to anyone at your publication.

This is today’s cybersecurity reality: a motivated attacker can get into any given network and work there undiscovered for months or even years.

Today, the industry average for the amount of time to discover an active network intruder is five months, plenty of time to accomplish malicious purposes. The trouble is most organizations lack the ability to find an active attacker.

Most security is geared toward preventing an attack rather than accepting that an attacker will eventually find a way in and seeking to detect them as soon as possible.

The obvious starting point is to address this detection gap.

Management should ask their security or IT teams if they can find a network intruder attacker or rogue insider at work on the network. Today, most will have to admit that they cannot. The follow-up question is, “How” and “What is your level of confidence?”

Attackers can best be found through their operational activities. They use networking and admin tools and procedures that can easily blend in with other network traffic, eschewing malware altogether. Their actions can stand out against a baseline of normal activity, if one can profile the normal or acceptable activity for all users and devices connected to the network.

It’s a job for machine learning, since it exceeds the ability of human analysts due to the vastness of data, the ability to understand it and the speed at which it must be performed.

Once one can establish ongoing profiles of users and devices, machine learning can be used to detect anomalies. These anomalies need to be analyzed for signs of a cyberattack to avoid flooding operators with a staggering number of security alerts and to provide a level of precision that accurately pinpoints the attacker.

Using this methodology not only detects and defeats a malicious insider or targeted external attacker, but it can also be used to show that the network is safe and free from any attack activity. Such a level of assurance is important to satisfy internal accountability but can also be used to validate the overall integrity of the network.

If this detection gap does exist for your organization, make it a priority to address it. There are promising new tools, and, when coupled with new security procedures and priorities, they should be able to uncover a network attacker before there is theft, manipulation or damage to assets.