There is lot of buzz around analytics in cyber security. Here is a quick guide on how it is being applied.
Let’s begin by defining a few terms; when talking about analytics, you may find terms like AI, machine learning and data sciences used interchangeably. These are 3 different concepts that can be defined as below:
- Artificial Intelligence – This is the broadest term, which is about how to make machines mimic humans or how to impart sensing, understanding and responding capabilities. Primarily, artificial intelligent machine will need two things to mimic humans: knowledge and action.
- Machine Learning – How do machines build knowledge? One approach is to codify rules that human experts know, like an expert system. But no finite set of rules can model our complex world. So, can we make machines learn from the past data and create their own knowledge? This is what machine learning does. It is a subset of AI, but the most important part of AI.
- Data Science - To make machine learning work, you need to define datasets, choose appropriate variables and metrics, and carry out various tasks of data engineering: data collection, preparation, integration, visualization, measuring algorithm performance, etc. Data science embodies all these.
For this post, when I use the term analytics, I mean a combination of data science practices with machine learning algorithms.
Application to Cyber Security
You can look at the use of analytics in cyber security from 3 different perspectives, based on the sources of data on which analytics is being applied, based on machine learning methods being used or based on intended end results to be achieved.
Based on Data Sources:
If you are more inclined towards logs, security events and data, you may find classifying analytics based on types of data sources more meaningful. In fact, the security industry currently describes analytics mostly from this perspective. See the diagram 1 below.
Based on Machine Learning Methods:
If you are inclined towards algorithms and mathematics, you may find classifying analytics based on types of algorithms more meaningful. See diagram 2 below that describes the main types of algorithms that can be used for security analytics.
Diagram 2 - Cyber Analytics Based on Models, Algorithms
We can illustrate with some use cases. Spam filtering and phishing detection uses Bayesian techniques for classifying good versus spam mails. Fraud detection uses neural networks and decision trees for deciding on frauds. Detecting insider threats like abnormal user access or data exfiltration uses clustering techniques. Bots can be detected through entropy function use for detecting machine to machine communication patterns. Association analysis can reveal attacker groups that are using similar attack methods in your network.
There is another way to categorize the machine learning models above, which is supervised learning (where machine learns from past data that humans have already labeled as good or bad, attack or false positive, fraud or normal data), unsupervised learning (where no past labeled data exist) or reinforcement learning (where machine learns from feedback from its longer-term results). Supervised learning will include classification, regression and deep learning. Unsupervised learning includes clustering, association rules and pattern matching. Diagram 2 will now become diagram 3 below.
Diagram 3 - Cyber Analytics Based on Learning
If you are thinking why do we have so many algorithms (the above list is only a partial list) and why can’t there be just one machine learning method that can be used everywhere, you are ahead of your time. Currently, there is no one algorithm that works for every problem. Based on type of data you have and the end objective of the analytics, you will need to try out multiple algorithms and choose the best fit (this is called the ‘no free lunch’ theorem in machine learning).
Based on End Objective of Analytics:
If you are focused on business results, you may find classifying analytics based on end objectives more meaningful. See diagram 4 below.
Diagram 4 - Cyber Analytics Based on end Objective
Many of the current hunting tools and analytics products like EDR and network forensics are good examples of diagnostic and detective analytics. IBM Watson is an example of prescriptive analytics because it pulls together related information from global sources to guide an analyst when handling an incident. User and entity behavior tools can provide predictive analytics based on past risk behaviors.
What Should You Use from the Above?
The adage – there is no silver bullet for security – is also true for security analytics. No single analytics can solve the security challenges. For example, if you take top 9 attack methods today, no single security analytics can detect them. The table below shows the relevance of each security analytics to top threats (here we are defining analytics by source of data, we could have defined it by types of algorithm or types of end objectives).
|THREAT ANALYTICS||NETWORK||USER BEHAVIOR||ENDPOINT||APPLICATION|
|Run-time App Exploits|
Diagram 5 – Security Analytics to Detect the Top 9 Attack Methods
Given that your organization will always face blended threats (some combination of these 9 threats), you need a multi-analytics approach for cyber security.
Paladion’s Managed Detection and Response (MDR) service delivers AI driven managed security. It provides threat anticipation, hunting, monitoring, incident analysis and incident management integrated into one service, as shown below-
Diagram 6 - Paladion MDR Services
To deliver MDR services, we combine multi-dimensional analytics in our AI.saac platform. The platform takes in data from endpoints, network, user access and applications. These data are analyzed through the machine learning algorithm layer to generate different outputs. The Paladion MDR services team consumes the outputs of the analytics to deliver services around anticipation, hunting, reporting, incident analysis and incident remediation.
Diagram 7 - Paladion's MDR AI.saac Platform
Today’s cyber threats are too numerous and arrive too fast for purely manual defense. Artificial intelligence provides power and speed to tackle huge volumes of attacks with countless variations. Yet the real key to leveraging AI for cyber protection is to use it with human intelligence, combining power, speed, skills and judgment. In doing this, Paladion’s Managed Detection and Response service brings you the most effective answer available anywhere to today’s cyber threats, hacks, and attacks.
Rajat Mohanty is the Co-founder, Chairman of the Board of Directors and Chief Executive Officer of Paladion Networks. He has been Paladion’s Chairman & CEO since the inception of the Company in July 2000