Machine learning combined with behavioral analytics can make a big impact on security

Integrating systems leads to better and earlier threat detection and response


Recent industry reports state that the median time from the initial intrusion of an advanced attack to its eventual discovery is roughly 146 days. This means attackers have free rein in breached environments for far too long.

Traditional Security Information and Event Management (SIEM) solutions that use signature and rule-based detection struggle to keep up with the latest threats.

SIEM is a rule-based system, which means it only finds attacks that are well understood. By definition, attacks that reach the inside of the organization and stay hidden for extended periods have been specifically designed to stay “under the radar.”

For example, a SIEM rule to detect an attempted brute force password hack will look for “5 failed logins in one minute.” Smart attackers know these traps and will make their guesses over much longer periods of time. They can afford to be patient.


However, integrating SIEM with a behavior analytics solution that features machine learning analytics can lead to detection of even the most patient intruders. SIEM is able to effectively leverage the storage and compute scale of big data to automatically find deviations in IT activity.

Put in context over time, this approach can detect risky behaviors and gestating attacks that have evaded real-time defenses.
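To make the contrast concrete, the following is an added example (not code from the article or from any vendor it mentions): a constructed set of failed-login events, the classic “5 failures in one minute” rule from above, and a simple behavioral check that compares each account's failure count over the whole period against the population baseline (median plus a multiple of the median absolute deviation). The account names, timestamps and the MAD-based threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2016, 6, 1, 8, 0, 0)  # arbitrary start of the constructed day


def _burst(user, n, gap):
    """Constructed failed-login events for `user`: n failures spaced `gap` apart."""
    return [(T0 + i * gap, user, "FAIL") for i in range(n)]


# Constructed sample authentication events: (timestamp, account, result).
# alice: noisy brute force; bob: one guess every 20 minutes for 12 hours
# (low and slow); carol, dave, erin: ordinary typos spread over the day.
EVENTS = sorted(
    _burst("alice", 6, timedelta(seconds=5))
    + _burst("bob", 36, timedelta(minutes=20))
    + _burst("carol", 2, timedelta(hours=3))
    + _burst("dave", 1, timedelta(hours=1))
    + _burst("erin", 3, timedelta(hours=2))
)


def siem_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Classic SIEM rule: >= threshold failures for one account inside a sliding window."""
    hits, recent = set(), defaultdict(list)
    for ts, user, result in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            hits.add(user)
    return hits


def baseline_outliers(events, k=3.0):
    """Behavioral view: total failures per account over the whole period,
    flagged when above the population median by more than k * MAD."""
    counts = defaultdict(int)
    for _, user, result in events:
        if result == "FAIL":
            counts[user] += 1
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard against zero spread
    return {user for user, c in counts.items() if c > med + k * mad}
```

The one-minute rule fires only for alice; bob never exceeds one failure per window, but his 36 failures stand out against the other accounts once the whole day is aggregated.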

More specifically, by supplementing SIEM with unsupervised, supervised and adaptive machine learning techniques, organizations are able to aggregate and analyze large volumes of security-related data.

This can result in the delivery of the forensic information required to rapidly detect and respond to the latest threats.

Given the acute shortage of skilled security professionals, many organizations can’t keep up with the influx of security data or the subsequent alerts that contribute to the white noise problem.

SIEM combined with machine learning technologies can enable organizations to aggregate and interpret deliberately “weak” signals that may be individually insignificant, providing context to see attacks before they do damage and facilitating incident investigation and response.

Many organizations rely on SIEM to manage enterprise risk, but in order to preserve and enhance their investments, many enterprises are augmenting SIEM with machine learning to improve their defense while maintaining the training and workflow that a modern Security Operations Center relies on.
