Partner Article
Securing the future: Using predictive analytics to seek out hidden threats
The only thing that you can be certain of in life is that nothing is certain. For thousands of years the human race has failed to accept this by trying to prove otherwise. People have attempted to predict the future with tarot cards, tea leaves and by staring into crystal balls. It’s highly unlikely that we’ll ever be able to see exactly what lies ahead, but thanks to significant technological advances what we can do is use knowledge of the past and the present to drive a desired future outcome. In the field of IT security, today’s threat landscape is not the same one we faced when the first PCs were introduced, but new technology spells an exciting opportunity for the security world to strengthen defences. And this is vital in a world where cyber-attacks are becoming increasingly sophisticated and targeted.
It is no longer a case of if a network will be attacked, but when. The security industry used to be able to build a specific response to a specific cyber-security threat. Now, however, attackers make it their job to stay one step ahead and find new ways to avoid detection. Adversaries proactively work out what type of security solutions are deployed and shift to less visible, less content-detectable patterns of behavior so their threats stay concealed. There is now less “low-hanging fruit” for security solutions and professionals to detect; instead, malicious actors rely on more encrypted traffic, more scrambling, and more randomisation to make command-and-control behaviors indistinguishable from legitimate traffic.
The lack of visibility organisations have into today’s “noisy” networks means persistent threats have plenty of places to hide. Fortunately, however, predictive analytics is an emerging detection capability that can help security professionals to seek out any trespassers. Predictive analytics doesn’t necessarily mean seeing an attack before it happens but, rather, helping security professionals find unknown malware wherever it may be hiding. Because predictive technologies are in their early days, gaining a baseline understanding of the foundations upon which they are being developed is a good first step when exploring this new area. The following key questions can help:
- How is the knowledge derived? An approach that is grounded in knowing what “normal” business activity looks like can spot unusual behavior on a network—the symptoms of an infection—through behavioral analysis and anomaly detection. Through the use of predictive analytics, organisations can assess the behavior of entities (host servers and users) in their network. A model, derived from many smaller models and a concise representation of past behavior, is created and used to predict how entities should behave in the future. Ideally, data is correlated in the cloud to enhance the speed, agility, and depth of threat detection. If there is a discrepancy in expected behavior that is significant or sustained, it is flagged for investigation. Modeling and predicting legitimate activity, as opposed to trying to anticipate how malware will behave in the future, is more effective in the long term for protecting against new threats.
- How is the knowledge presented? One challenge with predictive analytics is that the algorithms are complex and provide raw data that require a trained eye to interpret. For predictive analytics to be practical and usable, security professionals should look for solutions that automatically present and explain findings and recommend next steps in an easy-to-understand format. These insights give existing security teams the confidence they need to act upon the analysis and improve controls, protection, and remediation, without the need for highly trained experts. In this era when the security industry is plagued by a shortage of skilled security professionals, tools that are automated and accessible are essential.
- How is the knowledge used? Predictive analytics, when integrated with existing security techniques, can help to make defences more accurate as well as more capable of detecting unknown or unusual behavior on the network. It involves advanced decision-making algorithms that analyse multiple parameters and take in live traffic data; machine learning capabilities allow the system to learn and adapt based on what it sees. Machine learning systems look for where dangers might be and for evidence of an incident that has taken place, is under way, or might be imminent. And although they do not necessarily handle security or policy enforcement, they can provide continuous intelligence to other systems, like content-based security solutions, perimeter management solutions, and policy management solutions, to find unexpected threats leading to the prioritisation of controls, protection, and remediation. Policies and controls change in anticipation of a potential threat, reducing effort and improving efficiency.
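The first question above describes the core mechanism: build a model of each entity's past behavior, predict what it should do next, and flag a discrepancy that is either significant or sustained. The following is an added illustration of that idea, not code from Sourcefire or Cisco; it assumes one feature per entity (hourly outbound connection counts, constructed here), a per-entity mean/standard-deviation model standing in for the article's composite of "many smaller models", and thresholds chosen for the example.

```python
from statistics import mean, pstdev

# Thresholds are assumptions for this illustration, not values from the article.
SIGNIFICANT_Z = 4.0    # a single window this far from baseline is flagged on its own
SUSTAINED_Z = 2.0      # a milder deviation that must persist ...
SUSTAINED_WINDOWS = 3  # ... for this many consecutive windows before it is flagged

def build_baseline(history):
    """history: {entity: [count per past window]} -> {entity: (mean, stdev)}.
    One small model per entity; a real product would keep one per feature too."""
    baseline = {}
    for entity, counts in history.items():
        sigma = pstdev(counts) or 1.0  # constant history: avoid dividing by zero
        baseline[entity] = (mean(counts), sigma)
    return baseline

def detect(history, observed):
    """observed: {entity: [count per new window]} -> list of alert dicts."""
    baseline = build_baseline(history)
    alerts = []
    for entity, counts in observed.items():
        if entity not in baseline:  # an entity with no past behavior cannot be predicted
            alerts.append({"entity": entity, "window": 0, "reason": "no baseline", "z": None})
            continue
        mu, sigma = baseline[entity]
        run = 0  # consecutive windows above the milder threshold
        for i, count in enumerate(counts):
            z = (count - mu) / sigma
            run = run + 1 if z >= SUSTAINED_Z else 0
            if z >= SIGNIFICANT_Z:
                alerts.append({"entity": entity, "window": i, "reason": "significant", "z": round(z, 2)})
            elif run == SUSTAINED_WINDOWS:  # one alert per run, at the window that completes it
                alerts.append({"entity": entity, "window": i, "reason": "sustained", "z": round(z, 2)})
    return alerts

# Constructed sample: outbound connections per hour for two hosts over ten past hours.
HISTORY = {
    "web01": [48, 52, 50, 47, 53, 49, 51, 50, 46, 54],  # mean 50, stdev ~2.45
    "db02":  [18, 22, 20, 19, 21, 20, 18, 22, 21, 19],  # mean 20, stdev ~1.41
}
# Constructed new windows: a single spike on web01, a slow sustained rise on db02,
# and a host that was never modelled.
OBSERVED = {
    "web01": [51, 49, 300, 50, 50],
    "db02": [24, 25, 23, 20, 20],
    "lab-new": [5, 5, 5, 5, 5],
}

if __name__ == "__main__":
    for alert in detect(HISTORY, OBSERVED):
        print(alert)
```

The "sustained" rule is what catches the slow rise on db02, which never crosses the single-window threshold; the unmodelled host is surfaced rather than silently ignored, since an entity with no baseline cannot be judged normal.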
In order to combat threats and secure a brighter future, we need technologies that have the visibility and intelligence to keep up with dynamically changing environments. Security professionals should begin to prepare for the emerging area of predictive analytics. By understanding the underpinnings of predictive technologies, we can make more informed decisions that will result in tools that truly help increase the resilience of our security solutions, scale controls over time, and create a more secure future.
This was posted in Bdaily's Members' News section by Sean Newman, Security Evangelist at Sourcefire, now part of Cisco.