Blog — Feb 25, 2019

Want to weed out anomalies? Use an adversary mindset

As originally posted on Security Boulevard, January 24, 2018

When it comes to anomalies, the sheer volume can be overwhelming. How do you separate the potentially malicious from the purely anomalous? One strategy is to use the adversary mindset as a framework for understanding what an adversary would do and why, and then examine how these anomalies line up with the framework of what a threat actor would do. This is the type of situation in which artificial intelligence and machine learning can be used effectively. So how can organizations apply this approach and use AI/ML to their advantage? Read on.

Anomaly Overload

When appropriately tooled (or engineered) to detect anomalies, enterprises often discover a high volume of them. There can be literally thousands of them generating alerts daily or weekly. These anomalies may be relevant for security, IT or policy reasons—or a combination thereof. At a high level, the problem is that some degree of analysis is required to determine the importance of each anomaly and what follow-on steps are appropriate.

The problem then is that much of the security analyst’s time is spent chasing down what often turn out to be IT or policy issues, not security ones. These security false positives consume analytical time that could go to higher-value work, and they give the actual security events more time to wreak havoc undetected. Thus, the network becomes even less secure.

The Adversary Mindset

How do you address this overwhelming number of anomalies in a more nuanced way? It’s important to understand what they are within the context of your network and which ones are actually malicious. Adopting an adversary mindset is key.

In terms of security, to extract value out of your anomaly detection solution, you need to think about the ways your adversaries would gain access to your network:

Use this framework to understand the anomalies you are seeing.

The Tactical Advantage of AI

Where does AI fit in? One of the core challenges here is how to find the anomalies in the first place. There are a couple of different ways to tackle this, and AI comes into play in both a tactical and a strategic way.

At the tactical level, AI can be used to build a deep contextual understanding of the network and to detect anomalies based on known and previously seen modes of behavior between hosts and between users within the network.

With that, AI can help security professionals understand what “network normal” looks like. It’s critical that the network’s model of normal is constantly updated. Networks are incredibly dynamic and can change daily and hourly, at a minimum. This dynamic nature means you must have a way to continually update your understanding of what the network normally looks like, so that you maintain a rolling baseline that is accurate. AI provides a way to address this problem.

The Strategic Advantage of AI

Though it’s important to consider how an adversary thinks and acts, putting these insights into practice can be extremely difficult given the volume of data coming out of a large enterprise network. In this machine-scale era, you are likely to be dealing with a scale of data that is far beyond what a human can really comprehend and link together.

Not all of this data is available in the same location, either. To effectively detect anomalies, you need the ability to access data from a variety of what are likely siloed data sources. AI really starts to lend its value here. Applied appropriately, AI can be used to link these previously siloed data sources together in a way that humans simply cannot do by eye.
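To make the two points above concrete, here is an added example (it is not eSentire's code and is not taken from the original post): a rolling "network normal" baseline of the kind described in the tactical section, followed by the cross-source join described in the strategic section. Hourly connection counts per source/destination pair are scored against an exponentially weighted moving average and variance, so the definition of normal keeps moving with the network; a count that exceeds the baseline by more than three standard deviations is flagged. Each flagged anomaly is then joined with two other, otherwise siloed, sources, an asset inventory and a change calendar, to separate likely IT noise from events that deserve analyst time. Host names, roles, the change window, the thresholds and every count below are constructed sample data; the triage rule is a deliberately simple assumed policy, not a recommendation.

```python
"""Rolling per-host-pair baseline with a simple cross-source triage step.

Added example, not eSentire's code. All hosts, roles, change windows and
counts are constructed sample data. The detector keeps an EWMA mean and
variance of hourly connection counts for each (src, dst) pair and flags
counts that sit more than z_threshold standard deviations above the mean.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PairBaseline:
    mean: float = 0.0   # EWMA of the hourly connection count
    var: float = 0.0    # EWMA of the squared deviation from the mean
    samples: int = 0    # hours observed so far for this pair


class RollingBaseline:
    """Per host-pair EWMA baseline; alpha controls how fast 'normal' moves."""

    def __init__(self, alpha=0.3, warmup=3, z_threshold=3.0, min_std=1.0):
        self.alpha, self.warmup = alpha, warmup
        self.z_threshold, self.min_std = z_threshold, min_std
        self.baselines = defaultdict(PairBaseline)

    def observe(self, hour, src, dst, count):
        """Score one hourly count against the pair's baseline, then update it.

        Returns an anomaly dict or None. Flagged counts are NOT folded into
        the baseline, so a single spike does not redefine 'normal' for the
        hours that follow it.
        """
        b = self.baselines[(src, dst)]
        if b.samples >= self.warmup:
            # Floor the standard deviation so a perfectly flat history does
            # not turn a one-connection change into an infinite z-score.
            std = max(math.sqrt(b.var), self.min_std)
            z = (count - b.mean) / std
            if z > self.z_threshold:
                return {"hour": hour, "src": src, "dst": dst, "count": count,
                        "baseline": round(b.mean, 1), "z": round(z, 1)}
        if b.samples == 0:
            b.mean = float(count)
        else:
            delta = count - b.mean
            b.mean += self.alpha * delta
            b.var = (1 - self.alpha) * (b.var + self.alpha * delta * delta)
        b.samples += 1
        return None


# Constructed "siloed" sources the detector alone never sees.
ASSETS = {"fs01": "file-server", "dc01": "domain-controller", "bk01": "backup-server"}
# Approved change windows: (src, dst) -> hours in which planned activity is expected.
CHANGE_CALENDAR = {("ws04", "bk01"): {10}}


def triage(anomaly, assets=ASSETS, changes=CHANGE_CALENDAR):
    """Join an anomaly with asset and change data and assign a disposition.

    Assumed, simplified rule: a surge covered by an approved change is an
    IT matter; an unexplained surge toward identity infrastructure goes to
    security review; everything else waits in the analyst queue.
    """
    role = assets.get(anomaly["dst"], "unknown")
    planned = anomaly["hour"] in changes.get((anomaly["src"], anomaly["dst"]), set())
    if planned:
        disposition = "it-change"
    elif role == "domain-controller":
        disposition = "security-review"
    else:
        disposition = "analyst-queue"
    return {**anomaly, "dst_role": role, "disposition": disposition}


# Constructed hourly connection counts for four host pairs over 12 hours.
SERIES = {
    ("ws01", "fs01"): [10, 11, 9, 10, 12, 10, 9, 11, 10, 10, 11, 10],  # steady with noise
    ("ws02", "fs01"): [5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27],   # gradual growth
    ("ws03", "dc01"): [4, 4, 5, 4, 4, 4, 5, 4, 4, 4, 180, 4],          # sudden spike
    ("ws04", "bk01"): [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 90, 3],           # spike inside a change window
}


def run(series=SERIES):
    """Feed the sample series through the detector and triage every finding."""
    detector = RollingBaseline()
    findings = []
    for hour in range(12):
        for (src, dst), counts in series.items():
            anomaly = detector.observe(hour, src, dst, counts[hour])
            if anomaly:
                findings.append(triage(anomaly))
    return findings


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Two findings come out, both in hour 10: the ws03 to dc01 spike is routed to security review, while the ws04 to bk01 spike is explained by the change calendar and filed as an IT change. The steady pair is never flagged, and neither is the pair whose traffic grows a little every hour, because the rolling baseline absorbs gradual change; that is exactly the behaviour the post argues for, and also the reason the adversary-mindset triage step matters, since a baseline that tracks the network will also track slow changes in it.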

Cutting Through the Noise

Today’s network security systems can become victims of their own success: they are so good at spotting anything out of the ordinary that IT security teams are deluged with more alerts than they can possibly wade through. This creates alert fatigue rather than stronger security. Artificial intelligence is able to apply an understanding of how adversaries think and what methods they use to the anomaly landscape. This allows it to weed out the majority of harmless anomalies and focus on those that pose an actual threat to the network.

Jason Kichen, Director of Cybersecurity Research and Operations
Jason brings nearly 15 years of experience working in the U.S. intelligence community as an expert in technical and offensive cyber operations. He was responsible for the design and execution of advanced technical operations all over the world. He has extensive experience against hard targets and has interacted with the most senior levels of the U.S. government.