5 Minute Guide to AI in Cyber Security

Rajat Mohanty
By Rajat Mohanty

November 27, 2017

There is lot of buzz around analytics in cyber security. Here is a quick guide on how it is being applied.

Let’s begin by defining a few terms; when talking about analytics, you may find terms like AI, machine learning and data sciences used interchangeably. These are 3 different concepts that can be defined as below:

  • Artificial Intelligence – This is the broadest term, which is about how to make machines mimic humans or how to impart sensing, understanding and responding capabilities. Primarily, artificial intelligent machine will need two things to mimic humans: knowledge and action.
  • Machine Learning – How do machines build knowledge? One approach is to codify rules that human experts know, like an expert system. But no finite set of rules can model our complex world. So, can we make machines learn from the past data and create their own knowledge? This is what machine learning does. It is a subset of AI, but the most important part of AI.
  • Data Science - To make machine learning work, you need to define datasets, choose appropriate variables and metrics, and carry out various tasks of data engineering: data collection, preparation, integration, visualization, measuring algorithm performance, etc. Data science embodies all these.

For this post, when I use the term analytics, I mean a combination of data science practices with machine learning algorithms.

Application to Cyber Security

You can look at the use of analytics in cyber security from 3 different perspectives, based on the sources of data on which analytics is being applied, based on machine learning methods being used or based on intended end results to be achieved.

Based on Data Sources:

If you are more inclined towards logs, security events and data, you may find classifying analytics based on types of data sources more meaningful. In fact, the security industry currently describes analytics mostly from this perspective. See the diagram 1 below.

Cyber-Analytics-Based-on-Data-Sources-Image

Based on Machine Learning Methods:

If you are inclined towards algorithms and mathematics, you may find classifying analytics based on types of algorithms more meaningful. See diagram 2 below that describes the main types of algorithms that can be used for security analytics.

Cyber-Analytics-Based-on-Models-Algorithms-V2

Diagram 2 - Cyber Analytics Based on Models, Algorithms

MDR DEMO

We can illustrate with some use cases. Spam filtering and phishing detection uses Bayesian techniques for classifying good versus spam mails. Fraud detection uses neural networks and decision trees for deciding on frauds. Detecting insider threats like abnormal user access or data exfiltration uses clustering techniques. Bots can be detected through entropy function use for detecting machine to machine communication patterns. Association analysis can reveal attacker groups that are using similar attack methods in your network.

There is another way to categorize the machine learning models above, which is supervised learning (where machine learns from past data that humans have already labeled as good or bad, attack or false positive, fraud or normal data), unsupervised learning (where no past labeled data exist) or reinforcement learning (where machine learns from feedback from its longer-term results). Supervised learning will include classification, regression and deep learning. Unsupervised learning includes clustering, association rules and pattern matching. Diagram 2 will now become diagram 3 below.

Cyber-Analytics-Based-on-Learning-V2

Diagram 3 - Cyber Analytics Based on Learning

If you are thinking why do we have so many algorithms (the above list is only a partial list) and why can’t there be just one machine learning method that can be used everywhere, you are ahead of your time. Currently, there is no one algorithm that works for every problem. Based on type of data you have and the end objective of the analytics, you will need to try out multiple algorithms and choose the best fit (this is called the ‘no free lunch’ theorem in machine learning).

Based on End Objective of Analytics:

If you are focused on business results, you may find classifying analytics based on end objectives more meaningful. See diagram 4 below.

Cyber-Analytics-Based-on-end-Objective-V2-1024x384.jpg

Diagram 4 - Cyber Analytics Based on end Objective

Many of the current hunting tools and analytics products like EDR and network forensics are good examples of diagnostic and detective analytics. IBM Watson is an example of prescriptive analytics because it pulls together related information from global sources to guide an analyst when handling an incident. User and entity behavior tools can provide predictive analytics based on past risk behaviors.

What Should You Use from the Above?

The adage – there is no silver bullet for security – is also true for security analytics. No single analytics can solve the security challenges. For example, if you take top 9 attack methods today, no single security analytics can detect them. The table below shows the relevance of each security analytics to top threats (here we are defining analytics by source of data, we could have defined it by types of algorithm or types of end objectives).

THREAT ANALYTICS NETWORK USER BEHAVIOR ENDPOINT APPLICATION
Advanced Malware right-mark.jpg no-mark.jpg right-mark.jpg No-mark.jpg
Social Engineering right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Lateral Movement right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Insider Threats right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Transaction Frauds right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Account Takeover right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Data Exfiltration right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Run-time App Exploits right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg
Encrypted Attacks right-mark.jpg right-mark.jpg right-mark.jpg right-mark.jpg

Diagram 5 – Security Analytics to Detect the Top 9 Attack Methods

New Call-to-action

Given that your organization will always face blended threats (some combination of these 9 threats), you need a multi-analytics approach for cyber security.

Paladion MDR

Paladion’s Managed Detection and Response (MDR) service delivers AI driven managed security. It provides threat anticipation, hunting, monitoring, incident analysis and incident management integrated into one service, as shown below-

Left-of-Hack-to-Right-Of-Hack-MDR

Diagram 6 - Paladion MDR Services

To deliver MDR services, we combine multi-dimensional analytics in our AI.saac platform. The platform takes in data from endpoints, network, user access and applications. These data are analyzed through the machine learning algorithm layer to generate different outputs. The Paladion MDR services team consumes the outputs of the analytics to deliver services around anticipation, hunting, reporting, incident analysis and incident remediation.

Paladions-MDR-Newton-Platform-Diagram

Diagram 7 - Paladion's MDR AI.saac Platform

Today’s cyber threats are too numerous and arrive too fast for purely manual defense. Artificial intelligence provides power and speed to tackle huge volumes of attacks with countless variations. Yet the real key to leveraging AI for cyber protection is to use it with human intelligence, combining power, speed, skills and judgment. In doing this, Paladion’s Managed Detection and Response service brings you the most effective answer available anywhere to today’s cyber threats, hacks, and attacks.

Now, Get the Most Out of Artificial and Human Intelligence for Your Cyber Security


Tags: blog

About

Rajat Mohanty

Rajat Mohanty is the Co-founder, Chairman of the Board of Directors and Chief Executive Officer of Paladion Networks. He has been Paladion’s Chairman & CEO since the inception of the Company in July 2000

SUBSCRIBE TO OUR BLOG

WHITEPAPER

Buyer’s Guide to Managed Detection and Response

Download

Get AI Powered

Managed Detection and Response

REPORT

AI-Driven Managed Detection and Response

Download Report

EPISODE-25

Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought

Click URL in the Post for the Full Podacst