What We Do
How we do it
Resources
SECURITY ADVISORIES
Oct 18, 2021
Grief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers; Municipalities; & Service Companies in U.K. & Europe
Grief Operators Earned an Estimated 8.5 Million British Pounds in Four Months Key Findings: The Grief Ransomware Gang (a rebrand of the DoppelPaymer Ransomware Group) claims to have infected 41 new victims between May 27, 2021—Oct. 1, 2021 with their ransomware.Over half the companies listed on Grief’s underground leak site are based in the U.K. and Europe. The Grief Ransomware Gang appears to…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Oct 12, 2021
eSentire Launches MDR with Microsoft Azure Sentinel Extending Response Capabilities Across Entire Microsoft Security Ecosystem
Waterloo, ON – Oct. 12, 2021 -- eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announced the expansion of its award-winning MDR services with Microsoft Azure Sentinel, as part of its integration with the complete Microsoft 365 Defender and Azure Defender product suites supporting Microsoft SIEM, endpoint, identity, email and cloud security services.…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
PARTNER RESOURCES
Apply today to partner with the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Feb 25, 2019

Want to weed out anomalies? Use an adversary mindset

As originally posted on Security Boulevard, January 24, 2018

When it comes to anomalies, the sheer volume can be overwhelming. How do you separate the potentially malicious from the purely anomalous? One strategy is to use the adversary mindset as a framework for understanding what an adversary would do and why, and then examine how these anomalies line up with the framework of what a threat actor would do. This is the type of situation in which artificial intelligence and machine learning can be used effectively. So how can organizations apply this approach and use AI/ML to their advantage? Read on.

Anomaly Overload

When appropriately tooled (or engineered) to detect anomalies, enterprises often discover a high volume of them. There can be literally thousands of them generating alerts daily or weekly. These anomalies may be relevant for security, IT or policy reasons—or a combination thereof. At a high level, the problem is that some degree of analysis is required to determine the importance of each anomaly and what follow-on steps are appropriate.

The problem then is that much of the security analyst’s time is spent chasing down what often end up as IT or policy issues, not security ones. These security false positives take up valuable analytical time that could be used in more high-value projects and may give the actual security events more time to wreak havoc without detection. Thus, the network becomes even less secure.

The Adversary Mindset

How do you address this overwhelming number of anomalies in a more nuanced way? It’s important to understand what they are within the context of your network and which ones are actually malicious. Adopting an adversary mindset is key.

In terms of security, to extract value out of your anomaly detection solution, you need to think about the ways your adversaries would gain access to your network:

Use this framework to understand the anomalies you are seeing.

The Tactical Advantage of AI

Where does AI fit it? One of the core challenges here is how to find the anomalies in the first place. There are a couple of different ways to tackle this, and AI comes into play in both a tactical and strategic way.

At the tactical level, AI can be used to get a deep contextual understanding of the network and detect anomalies based on known and previously seen modes of behavior between hosts and between users, within the network.

With that, AI can help security professionals understand what “network normal” looks like. It’s critical that the network’s model of normal is constantly updated. Networks are incredibly dynamic and can change daily and hourly, at the minimum. This dynamic nature means you must have a way to continually update your understanding of what the network normally looks like to have a rolling baseline that is accurate. AI provides a way to address this problem.

The Strategic Advantage of AI

Though it’s important to consider how an adversary thinks and acts, putting these insights into practice can be extremely difficult given the volume of data coming out of a large enterprise network. In this machine-scale era, you are likely to be dealing with a scale of data that is far beyond what a human can really comprehend and link together.

Not all of this data is available in the same location, either. To effectively detect anomalies, you need the ability to access data from a variety of what likely are siloed data sources. AI really starts to lend its value here. Applied appropriately, AI can be used to link these previously siloed data sources together in a way that humans just cannot do by eyeing it.

Cutting Through the Noise

Today’s network security systems can become victims of their own success, so good at spotting anything out of the ordinary that IT security teams are deluged with more alerts than they can possible wade through. This creates alert fatigue rather than stronger security. Artificial intelligence is able to apply an understanding of how adversaries think and what methods they use to the anomaly landscape. This allows it to weed out the majority of harmless anomalies to focus on those that pose an actual threat to the network.

Jason Kichen
Jason Kichen Director of Cybersecurity Research and Operations

Jason brings nearly 15 years of experience working in the U.S. intelligence community as an expert in technical and offensive cyber operations. He was responsible for the design and execution of advanced technical operations all over the world. He has extensive experience against hard targets and has interacted with the most senior levels of the U.S. government.