Machine learning combined with behavioral analytics can make a big impact on security

Integrating systems leads to better and earlier threat detection and response


Recent industry reports state that the median time from the initial intrusion of an advanced attack, to its eventual discovery, is roughly 146 days. This means attackers have free rein in breached environments for far too long.

Ed note: Larry Lunetta, Niara

Traditional Security Information and Event Management (SIEM) solutions that use signature and rule-based detection struggle to keep up with the latest threats.

SIEM is a rule-based system, which means it only finds attacks that are well understood. By definition, attacks that reach the inside of the organization and stay hidden for extended periods have been specifically designed to stay “under the radar.”

For example, a SIEM rule to detect an attempted brute force password hack will look for “5 failed logins in one minute.” Smart attackers know these traps and will make their guesses over much longer periods of time. They can afford to be patient.
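To make the "5 failed logins in one minute" example concrete, here is an added Python illustration (not part of the article, and not any vendor's product logic). It runs a fixed-threshold rule and a simple per-user baseline-deviation check side by side over constructed login-failure events. The z-score against a 14-day baseline is one elementary form of "deviation from normal" detection, chosen for clarity; it stands in for, and does not reproduce, the machine learning techniques the article describes.

```python
"""Added example: a static SIEM threshold rule versus a per-user baseline check.
All events below are constructed for illustration; they are not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

START = datetime(2016, 6, 1)        # first day of the constructed 15-day window
BASELINE_DAYS = 14                  # days used to learn each user's "normal"
SCORE_DAY = (START + timedelta(days=BASELINE_DAYS)).date()


def build_events():
    """Constructed authentication failures as (timestamp, user) tuples."""
    events = []
    for day in range(BASELINE_DAYS + 1):
        base = START + timedelta(days=day)
        # alice: an ordinary user who mistypes her password twice most mornings
        events += [(base + timedelta(hours=9, minutes=7 * k), "alice") for k in range(2)]
        if day < BASELINE_DAYS:
            # bob: one stray failure a day during the baseline period
            events.append((base + timedelta(hours=10), "bob"))
    last = START + timedelta(days=BASELINE_DAYS)
    # bob on the scoring day: a patient guess every 10 minutes, never 5 in one minute
    events += [(last + timedelta(minutes=m), "bob") for m in range(0, 24 * 60, 10)]
    # carol on the scoring day: a burst of 6 failures inside one minute
    events += [(last + timedelta(hours=3, seconds=s), "carol") for s in range(0, 60, 10)]
    return sorted(events)


EVENTS = build_events()


def threshold_rule(events, threshold=5, window=timedelta(minutes=1)):
    """The classic SIEM rule: N failures for one user inside a sliding time window."""
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] >= window:   # drop events that fell out of the window
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def daily_counts(events):
    """Failures per user per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user in events:
        counts[user][ts.date()] += 1
    return counts


def baseline_scores(events, min_std=1.0):
    """Z-score of each user's failures on SCORE_DAY against their own baseline days.
    min_std stops a perfectly regular history from producing a division by zero."""
    counts = daily_counts(events)
    days = [(START + timedelta(days=d)).date() for d in range(BASELINE_DAYS)]
    scores = {}
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in days]      # missing days count as zero
        mu, sigma = mean(history), max(pstdev(history), min_std)
        scores[user] = (per_day.get(SCORE_DAY, 0) - mu) / sigma
    return scores


def baseline_alerts(events, z_threshold=3.0):
    """Users whose scoring-day count deviates strongly from their own history."""
    return {u for u, z in baseline_scores(events).items() if z >= z_threshold}


if __name__ == "__main__":
    print("threshold rule flags:", sorted(threshold_rule(EVENTS)))
    print("baseline check flags:", sorted(baseline_alerts(EVENTS)))
```

The threshold rule only ever catches carol's burst; bob's 144 failures spread one every ten minutes never put five inside any one-minute window. Scored against his own two-week history, the same day stands out immediately. The point is not the z-score itself but that the second check needs history, which is exactly the storage and compute the article says a big-data back end supplies.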


However, integrating SIEM with a behavior analytics solution that features machine learning analytics can lead to detection of even the most patient intruders. The combined system can use the storage and compute scale of a big data platform to automatically find deviations from normal IT activity.

Put in context over time, this approach can detect risky behaviors and gestating attacks that have evaded real-time defenses.

More specifically, by supplementing SIEM with unsupervised, supervised and adaptive machine learning techniques, organizations are able to aggregate and analyze large volumes of security-related data.

This can result in the delivery of the forensic information required to rapidly detect and respond to the latest threats.

Given the acute shortage of skilled security professionals, many organizations can’t keep up with the influx of security data or the subsequent alerts that contribute to the white noise problem.

SIEM combined with machine learning technologies can enable organizations to aggregate and interpret deliberately “weak” signals that may be individually insignificant, providing the context to see attacks before they do damage and facilitating incident investigation and response.

Many organizations rely on SIEM to manage enterprise risk. To preserve and enhance that investment, many enterprises are augmenting SIEM with machine learning to improve their defense while maintaining the training and workflow that a modern Security Operations Center relies on.
