Machine learning helps detect real-time network threats

Platform software does heavy lifting and sifting of data for humans


No matter how robust a company’s cyber defenses, the bad guys seem to find a way to get in. And when—not if—they do, it could take weeks, even months, to detect them and to assess the damage.

Building off the premise that spending a lot of money “trying to prevent the bad guys from getting in” is an imperfect approach, Vectra Networks wants to help cybersecurity teams track down and stop attackers once they’re inside the network, not before they get there.

“The core problem is that all the sensors the company has invested in—firewalls, sandboxes, AV—act as a good filter, but they don’t stop everything from getting in,” says Vectra’s chief technology officer, Oliver Tavakoli. “We’re single-mindedly focused on finding that intruder inside your network before the FBI calls you and tells you about it.”

Using machine learning—and some of the same techniques used to sequence DNA and improve search engines—the San Jose, California, company has developed a platform that looks at patterns to detect anomalies and trigger a mitigation response.

Vectra isn’t advocating forgoing the traditional filters like firewalls and reputation lists—it’s still important to practice good cyber hygiene, Tavakoli says. But that’s no longer enough.

“Presuming the filters are 100 percent perfect is a recipe for the kind of breaches we see in the news,” he says.

So Vectra’s product, platform software called X-series, picks up where those traditional security tools stop and provides real-time detection of an attack that’s in process. Instead of signature- and reputation-based methods, Vectra uses machine learning, data science and behavior analysis—an approach that’s much more effective in stopping the types of high-profile breaches that have dominated headlines of late.


The platform, which was launched in 2014, is typically deployed with an on-premises appliance that sits within the data center and monitors packet traffic. Customers also can opt for a virtual appliance, using another product, S-series sensors. The service is subscription-based, priced by the amount of traffic being processed.

Günter Ollmann, Vectra Networks chief security officer

Vectra’s chief security officer Günter Ollmann says traditional tools in the past relied on blacklists, two-dimensional signatures and behavioral analytics, which are all driven by human decisions. But the threats develop so fast that those techniques don’t keep up with the bad guys.

“Machine learning is doing a much better job of … creating multidimensional signatures for detecting what’s going bad,” he says.

Machine learning works in two ways: supervised and unsupervised. With supervised learning, humans tell the machines which behaviors are good and which are bad, and the machines figure out the commonalities to develop multidimensional signatures.

In the past, Tavakoli explains, humans had to look at large sets of data to try to distinguish the good characteristics from the bad ones. With machine learning, it’s essentially about training the computer to find those differences, but much faster.

“Supervised machine learning involves the machine doing 95 percent of the work and the data scientists doing the 5 percent,” he says.

With unsupervised learning, the machines develop the algorithms without having the data labeled—so they analyze the clusters to figure out what’s normal and what’s an anomaly.

Oliver Tavakoli, Vectra Networks chief technology officer

“That’s a slower detection, but it detects things that humans and those high-fidelity signatures would never be able to see,” Tavakoli says.
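As an added illustration of the unsupervised idea described above (this is not Vectra's code or algorithm): constructed flow records are collapsed into one behavioural vector per source host, and a host whose vector sits far from the population's median under a robust z-score is flagged as an anomaly, together with the feature that set it apart. The flow data, host addresses, feature set and threshold are all assumptions made for the example.

```python
"""Unsupervised anomaly scoring over per-host traffic summaries (constructed example)."""
from collections import defaultdict
from statistics import median

FEATURES = ("distinct_dsts", "distinct_ports", "bytes_out")

# Constructed flow records (src_host, dst_host, dst_port, bytes_out): workstations
# .11-.16 do ordinary DNS/HTTPS; .99 talks to eight internal hosts on one port.
FLOWS = [
    ("10.0.0.11", "10.0.0.53", 53, 400), ("10.0.0.11", "198.51.100.7", 443, 52000),
    ("10.0.0.12", "198.51.100.7", 443, 61000),
    ("10.0.0.13", "10.0.0.53", 53, 350), ("10.0.0.13", "198.51.100.7", 443, 48000),
    ("10.0.0.13", "198.51.100.9", 443, 9000),
    ("10.0.0.14", "10.0.0.53", 53, 420), ("10.0.0.14", "198.51.100.9", 443, 55000),
    ("10.0.0.15", "10.0.0.53", 53, 380), ("10.0.0.15", "198.51.100.7", 443, 47000),
    ("10.0.0.15", "198.51.100.9", 443, 12000),
    ("10.0.0.16", "198.51.100.7", 443, 58000),
] + [("10.0.0.99", f"10.0.0.{n}", 445, 7000) for n in range(21, 29)]

def summarize(flows):
    """Collapse raw flows into one behavioural feature vector per source host."""
    dsts, ports, nbytes = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, port, size in flows:
        dsts[src].add(dst)
        ports[src].add(port)
        nbytes[src] += size
    return {h: (len(dsts[h]), len(ports[h]), nbytes[h]) for h in dsts}

def robust_z(values):
    """Median/MAD z-scores: one outlier host cannot drag the 'normal' baseline toward itself."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # flat column: avoid divide-by-zero
    return [(v - med) / (1.4826 * mad) for v in values]

def anomaly_scores(features):
    """Per host: (largest |z| across features, name of the feature that produced it)."""
    hosts = sorted(features)
    zs = [robust_z(col) for col in zip(*(features[h] for h in hosts))]
    scores = {}
    for i, host in enumerate(hosts):
        j = max(range(len(FEATURES)), key=lambda k: abs(zs[k][i]))
        scores[host] = (round(abs(zs[j][i]), 2), FEATURES[j])
    return scores

def flag_anomalies(flows, threshold=3.5):
    """Hosts whose behaviour sits far outside the population, with the reason for the flag."""
    return {h: why for h, why in anomaly_scores(summarize(flows)).items() if why[0] > threshold}

if __name__ == "__main__":
    for host, (score, feature) in flag_anomalies(FLOWS).items():
        print(f"{host}: |z|={score} on {feature}")
```

No label is needed for the flagged host: it stands out only because its fan-out to distinct destinations is unlike every other host's, which is the kind of signal a signature written in advance would not cover.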

Founded in 2012, Vectra set its sights on machine learning when the concept was still novel. The company, which came out of stealth mode in March 2014, immediately focused on a broad range of sectors. Now in what Tavakoli calls its “adolescent stage,” Vectra has gone through several phases of funding—for a total of about $75 million—and has grown to 125 employees as well as sales offices in Europe.

“We believe the market is not limited to a few verticals because it’s a broad problem,” he says.

That means for the next year or so, the company’s energies are focused on gaining sales momentum and scaling all its processes and operational capacity as the organization matures.

The timing seems fortuitous, now that machine learning as well as automation are becoming the new frontiers for cybersecurity. And that’s what’s given the platform a broad appeal, according to Tavakoli—the ability to do the heavy lifting for humans, especially as the industry is experiencing a shortage of human resources.

“You see a real renaissance nowadays when you hear about machine learning in all types of markets, and those techniques are being applied to a much broader set of problems than they were historically,” Tavakoli says.

It’s the machine learning that will fulfill the promise that big data holds, he believes—yet not through complete autonomy, but rather as a leveraging point.

“The whole world is swimming in a large amount of data being collected from all sorts of things, and people are struggling to pull value out of that data,” he says. “Machine learning and data science are at the vanguard of unlocking the information that’s hidden inside the data—and cybersecurity is just one such application.”
