As originally posted on Security Boulevard, January 24, 2018
When it comes to anomalies, the sheer volume can be overwhelming. How do you separate the potentially malicious from the purely anomalous? One strategy is to use the adversary mindset as a framework for understanding what an adversary would do and why, and then examine how these anomalies line up with the framework of what a threat actor would do. This is the type of situation in which artificial intelligence and machine learning can be used effectively. So how can organizations apply this approach and use AI/ML to their advantage? Read on.
When appropriately tooled (or engineered) to detect anomalies, enterprises often discover a high volume of them. There can be literally thousands of them generating alerts daily or weekly. These anomalies may be relevant for security, IT or policy reasons—or a combination thereof. At a high level, the problem is that some degree of analysis is required to determine the importance of each anomaly and what follow-on steps are appropriate.
The problem then is that much of the security analyst’s time is spent chasing down what often end up as IT or policy issues, not security ones. These security false positives take up valuable analytical time that could be used in more high-value projects and may give the actual security events more time to wreak havoc without detection. Thus, the network becomes even less secure.
How do you address this overwhelming number of anomalies in a more nuanced way? It’s important to understand what they are within the context of your network and which ones are actually malicious. Adopting an adversary mindset is key.
In terms of security, to extract value out of your anomaly detection solution, you need to think about the ways your adversaries would gain access to your network:
Use this framework to understand the anomalies you are seeing.
Where does AI fit in? One of the core challenges here is how to find the anomalies in the first place. There are a couple of different ways to tackle this, and AI comes into play in both a tactical and a strategic way.
At the tactical level, AI can be used to get a deep contextual understanding of the network and detect anomalies based on known and previously seen modes of behavior between hosts and between users, within the network.
With that, AI can help security professionals understand what “network normal” looks like. It’s critical that the network’s model of normal is constantly updated. Networks are incredibly dynamic and can change daily and even hourly. This dynamic nature means you must have a way to continually update your understanding of what the network normally looks like, so that your rolling baseline stays accurate. AI provides a way to address this problem.
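To make the rolling-baseline idea concrete, here is an added example (not code from the original article) that scores one constructed signal, the number of distinct destinations a workstation contacts per hour, two ways: against a baseline learned once and frozen, and against an exponentially weighted baseline that keeps moving with the host. The host name, the counts, and the parameters (alpha, warm-up, threshold) are all assumptions made for the example.

```python
"""Rolling versus static "network normal" baseline.

Added example, not code from the original article. It scores one constructed
signal (how many distinct destinations a workstation talks to per hour) two
ways: against a fixed baseline learned once, and against an exponentially
weighted baseline that keeps updating. Host name and counts are made up.
"""
import math
import statistics

# Constructed sample: (hour, host, distinct destinations contacted in that hour).
# Hours 0-9 are quiet, hour 10 is a one-off burst, hours 11-20 are a lasting
# shift to a new level (e.g. the workstation picked up a new role).
SAMPLE = (
    [(h, "ws-17", c) for h, c in enumerate([10, 11, 9, 10, 12, 10, 11, 9, 10, 11])]
    + [(10, "ws-17", 60)]
    + [(h, "ws-17", 30) for h in range(11, 21)]
)


def static_alerts(records, train=10, threshold=3.0):
    """Learn mean/std per host from the first `train` hours and never update."""
    by_host = {}
    for _, host, value in records:
        by_host.setdefault(host, []).append(value)
    models = {h: (statistics.mean(v[:train]), statistics.pstdev(v[:train]))
              for h, v in by_host.items()}
    alerts = []
    for hour, host, value in records:
        mean, std = models[host]
        if std > 0 and abs(value - mean) / std > threshold:
            alerts.append((hour, host, value))
    return alerts


class RollingBaseline:
    """Per-host EWMA of mean and variance; the baseline moves with the host."""

    def __init__(self, alpha=0.2, warmup=5, threshold=3.0):
        self.alpha, self.warmup, self.threshold = alpha, warmup, threshold
        self.state = {}  # host -> (mean, var, observations seen)

    def observe(self, host, value):
        """Score `value` against the current baseline, then fold it in.

        Returns (z_score, flagged). Outliers are clipped to mean +/- threshold*std
        before the update, so a single burst cannot blow the baseline open while
        a sustained change still pulls the baseline toward the new level.
        """
        mean, var, n = self.state.get(host, (float(value), 0.0, 0))
        z, flagged = 0.0, False
        if n >= self.warmup and var > 0:
            std = math.sqrt(var)
            z = (value - mean) / std
            flagged = abs(z) > self.threshold
            limit = self.threshold * std
            value = max(mean - limit, min(mean + limit, value))
        delta = value - mean
        mean += self.alpha * delta
        var = (1 - self.alpha) * (var + self.alpha * delta * delta)
        self.state[host] = (mean, var, n + 1)
        return z, flagged


def rolling_alerts(records, **kwargs):
    """Replay records in time order through a RollingBaseline."""
    model = RollingBaseline(**kwargs)
    alerts = []
    for hour, host, value in sorted(records):
        z, flagged = model.observe(host, value)
        if flagged:
            alerts.append((hour, host, value, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("static :", [a[0] for a in static_alerts(SAMPLE)])
    print("rolling:", [(a[0], a[3]) for a in rolling_alerts(SAMPLE)])
```

Run it and the difference is the whole point of the passage: the frozen baseline flags the burst at hour 10 and then every hour of the new, legitimate level for as long as it lasts, while the rolling baseline flags the burst, flags the first few hours of the shift, and has absorbed the new normal by hour 15. The clipped update is the design choice worth noting: feeding the raw burst into the variance would make the baseline so wide that the following hours look normal for the wrong reason.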
Though it’s important to consider how an adversary thinks and acts, putting these insights into practice can be extremely difficult given the volume of data coming out of a large enterprise network. In this machine-scale era, you are likely to be dealing with a scale of data that is far beyond what a human can really comprehend and link together.
Not all of this data is available in the same location, either. To effectively detect anomalies, you need the ability to access data from a variety of what likely are siloed data sources. AI really starts to lend its value here. Applied appropriately, AI can be used to link these previously siloed data sources together in a way that humans just cannot do by eyeing it.
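As an added illustration of linking siloed sources (example code written for this page, not the author's tooling), the block below takes a flow-level anomaly that only knows a source IP and enriches it from two other silos: a DHCP lease log that says which hostname held that IP at the time, and an authentication log that says who was logged on to that host. All three log formats and every value in them are constructed; a real deployment reads these from their own systems.

```python
"""Joining siloed sources so a flow anomaly gets a host and a user behind it.

Added example, not code from the original article. The three log formats and
every value in them are constructed; the point is the time-aware join, which
is what turns "10.0.5.21 talked to 60 destinations" into something an analyst
can reason about.
"""
from datetime import datetime

# Constructed DHCP lease log: when an IP address was handed to which hostname.
DHCP_LOG = """\
2018-01-24T08:00:00 lease 10.0.5.21 ws-17
2018-01-24T12:00:00 lease 10.0.5.21 ws-42
"""

# Constructed authentication log: which user logged on to which host.
AUTH_LOG = """\
2018-01-24T08:05:00 logon alice ws-17
2018-01-24T12:10:00 logon bob ws-42
"""

# Constructed output of an anomaly detector: one line per flagged source IP
# and hour, with the detail that tripped the baseline.
FLOW_ANOMALIES = """\
2018-01-24T09:00:00 10.0.5.21 distinct_dst=60
2018-01-24T13:00:00 10.0.5.21 distinct_dst=58
"""


def parse(text):
    """Split each log line into (timestamp, remaining whitespace-separated fields)."""
    rows = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rows.append((datetime.fromisoformat(ts), fields))
    return rows


def latest_before(rows, when, key_index, key):
    """Most recent row at or before `when` whose field `key_index` equals `key`."""
    match = None
    for ts, fields in rows:
        if ts <= when and fields[key_index] == key:
            if match is None or ts > match[0]:
                match = (ts, fields)
    return match


def enrich(flow_text, dhcp_text, auth_text):
    """Attach the host that held the IP and the user on that host at anomaly time."""
    dhcp, auth = parse(dhcp_text), parse(auth_text)
    out = []
    for when, fields in parse(flow_text):
        ip, detail = fields
        lease = latest_before(dhcp, when, 1, ip)          # DHCP: fields = [lease, ip, host]
        host = lease[1][2] if lease else None
        logon = latest_before(auth, when, 2, host) if host else None  # auth: [logon, user, host]
        user = logon[1][1] if logon else None
        out.append({"time": when.isoformat(), "ip": ip,
                    "host": host, "user": user, "detail": detail})
    return out


if __name__ == "__main__":
    for row in enrich(FLOW_ANOMALIES, DHCP_LOG, AUTH_LOG):
        print(row)
```

The two anomalies carry the same source IP, but the join resolves them to different hosts and different users because the lease changed hands at noon. Without the DHCP and authentication silos, the flow data alone would suggest one machine misbehaving twice; the join is done against the most recent record at or before the anomaly time, never a later one, so a lease or logon that happened afterwards cannot be attributed backwards.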
Today’s network security systems can become victims of their own success: they are so good at spotting anything out of the ordinary that IT security teams are deluged with more alerts than they can possibly wade through. This creates alert fatigue rather than stronger security. Artificial intelligence can apply an understanding of how adversaries think and what methods they use to the anomaly landscape, weeding out the majority of harmless anomalies so that analysts can focus on those that pose an actual threat to the network.
Jason brings nearly 15 years of experience working in the U.S. intelligence community as an expert in technical and offensive cyber operations. He was responsible for the design and execution of advanced technical operations all over the world. He has extensive experience against hard targets and has interacted with the most senior levels of the U.S. government.