The Signal in the Noise: How Security Teams Can Capture Actionable Threat Insights

With the barrage of information coming into a system, separating the noise from the genuine threats can be a difficult process. This is where AI can come in, to help you separate the real risks to your business from normal network noise.


Companies’ Networks Are Overrun with Anomalies

Any given company’s network has become what is essentially an amorphous “blob of stupid.” That’s because people do things with their computers that are at best ill-advised and at worst outright dangerous. For the most part, they do these things in ignorance. They click on interesting links that lead to malicious sites or download malware into the system. They store sensitive information in unsecure places. Despite all the data breach headlines, an assumption continues to persist that if you are able to do something on your computer, it must be okay.

These activities turn the network into the blob of stupid that then generates thousands of anomalies, which set off alerts on a daily basis. Security teams have to wade through all these alerts without the ability to tell the difference between what’s malicious and what’s not.

Obviously, this is not an efficient way to operate. It’s essential to your network’s security to be able to distinguish between the malicious and the non-malicious anomalies. AI and machine learning (ML) can be used to help teams identify which anomalies they need to be concerned about and which are benign.

 

Is AI the Answer?

However, the solution isn’t as simple as just throwing AI/ML at those anomalies. A smart framework is needed to focus on which anomalies or discrepancies matter most to your organization. Some providers recommend that your team focus on seven to 10 criteria for anomaly analysis and leave it at that.

That’s a good start, but it’s not enough. Anomalies need to be looked at collectively to detect trends and corroborated behaviors. This goes a step further than focusing on those seven to 10 criteria. In fact, to implement true anomaly detection, it takes an adversary mindset.

So, how do you approach network security from an adversary mindset? Many solutions and security professionals are focused on figuring out which criteria are the most important in terms of anomaly detection. An adversary approach requires more holistic thinking: In what sequence and across what hosts do these anomalies fit together in such a way as to resemble what an adversary might actually be doing inside of a network?

Adversaries have an ever-expanding repertoire of ways to get inside your network, but once inside, their campaigns must contain three elemental behaviors:

  • Reconnaissance: Exploring your network to understand its structure and to locate valuable data.
  • Collection: Moving within the network to obtain additional network access credentials, then gathering and moving valuable data in preparation for removal.
  • Exfiltration: Covert transfer of data from the network to external destinations.

When anomalies are checked against these behaviors, the true security picture emerges.
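As an added illustration (not code from the original article or from any product), the Python sketch below checks a batch of anomaly alerts against the three behaviors: it links hosts that appear together in an alert, then reports only the host groups where reconnaissance, collection and exfiltration occur in that order. The alert fields, anomaly type names and host names are assumptions made for the example.

```python
from collections import namedtuple

# peer = another internal host the anomaly touched, or None
Alert = namedtuple("Alert", "ts host kind peer")

# Assumed mapping of anomaly types to the three behaviors (names are illustrative).
STAGE = {"port_scan": 0, "share_enumeration": 0,          # reconnaissance
         "new_credential_use": 1, "bulk_file_read": 1,    # collection
         "large_outbound_transfer": 2}                     # exfiltration

def correlate(alerts):
    """Return host groups whose anomalies show reconnaissance, then
    collection, then exfiltration, in that chronological order."""
    parent = {}
    def root(h):                      # union-find: hosts linked by an alert share a root
        parent.setdefault(h, h)
        while parent[h] != h:
            h = parent[h]
        return h
    for a in alerts:
        root(a.host)
        if a.peer:
            parent[root(a.host)] = root(a.peer)
    groups = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.kind in STAGE:
            groups.setdefault(root(a.host), []).append(a)
    findings = []
    for chain in groups.values():
        evidence = []
        for a in chain:               # greedy match of the ordered stages
            if len(evidence) < 3 and STAGE[a.kind] == len(evidence):
                evidence.append((a.ts, a.host, a.kind))
        if len(evidence) == 3:
            findings.append({"hosts": sorted({a.host for a in chain}),
                             "evidence": evidence})
    return findings

# Constructed sample alerts (timestamps in seconds, host names invented).
SAMPLE = [
    Alert(100, "ws-14", "port_scan", "fs-02"),
    Alert(120, "ws-31", "large_outbound_transfer", None),   # isolated: noise
    Alert(130, "ws-07", "port_scan", None),                 # isolated: noise
    Alert(160, "ws-14", "new_credential_use", "fs-02"),
    Alert(220, "fs-02", "bulk_file_read", None),
    Alert(300, "fs-02", "large_outbound_transfer", None),
    Alert(400, "ws-22", "bulk_file_read", None),            # isolated: noise
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["hosts"], f["evidence"])
```

Of the seven constructed alerts, three are isolated anomalies that never form a chain; only the ws-14 and fs-02 group is surfaced for an analyst to review.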

 

The Right Framework for AI in Security

Many people accept as fact the claims that you can apply AI and ML to determine which security alerts are the most important. However, the hype has not always matched reality, which has cast doubt on AI and ML. And some assume that implementing AI and ML eliminates the need for a human in the loop, which is inaccurate. AI tools accelerate the skills of the humans who use them, but they cannot take the place of seasoned human professionals, nor were they intended to.

So then, AI and ML are not “set it and forget it” tools when it comes to network security. But with an adversary-focused framework, security pros can ensure that what they are actually looking for when analyzing anomalies is the ones that are truly malicious, rather than those that are merely more or less important.

 

A Better Security Future

As long as there are people using computers, there will be confusion in the network, which compounds and sometimes creates security challenges. IT security teams are now suffering from “alert fatigue” as thousands of possible security events flood their senses on a daily basis. But organizations can use AI and ML to help them think like an adversary and pinpoint the behaviors that tip them off to actual malicious behavior that needs attention. This separates the signal from the noise, making team members’ lives easier and the network more secure.


Kichen, Jason (2018). The Signal in the Noise: How Security Teams Can Capture Actionable Threat Insights. Retrieved on 19 December 2018 from https://www.securitymagazine.com/articles/89666-the-signal-in-the-noise-how-security-teams-can-capture-actionable-threat-insights