As attack methodologies advance, detection tools are essential for security professionals managing extensive networks of devices that are not necessarily reliable.
In recent years, security measures have increased significantly, and malicious actors have advanced their techniques to keep pace, especially with attack methods such as fileless malware. The security model of "serverless" computing platforms such as AWS Lambda is also entirely different from that of traditional computers. The traditional model of checking file hashes against known malware samples does not effectively secure these transient computing models.
To protect business systems against cyberattacks, a robust, modern defense requires an adaptive monitoring solution that uses machine learning to identify the anomalous patterns that indicate an attack in its infancy.
Much of the basis for this has been laid in recent years, with system events analyzed by endpoint detection services.
“The network connection has been opened, the registry key has been modified, the process has been created… The challenge is to map known malicious behaviors that essentially do the same,” Josh Zelonis, senior security and risk analyst for Forrester, said.
To build this, you need two people in the room: A data scientist who understands the map and can build these models … [and] an expert in offensive techniques to help them build the model and understand the abstraction of what they do, so that they can statistically identify when an opponent does something similar.
Accurately correlating aggregated system events with anomalous activity is only one step on the security staircase; telling legitimate workflow changes apart from malicious activity is a higher-level task for machine learning or artificial intelligence. Various vendors offer a variety of security information and event management (SIEM) approaches that leverage ML / AI.
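The two ideas in the passages above, aggregating system events into a baseline of "normal" and mapping a sequence of events (process created, registry key modified, network connection opened) onto a known malicious behavior, can be shown in a few dozen lines. The following is an added example written for this article, not code from any vendor or analyst named here; the event names, the `ws01` host, the process names and the five-day window are all constructed sample data, and the z-score threshold of 3.0 is an arbitrary choice for illustration.

```python
"""Added example (not from the article or any vendor named in it): aggregate
endpoint events into per-host daily counts, baseline them, and flag both the
aggregates and the per-process event sequences that deviate from the baseline.
All events below are constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the observation window
    host: str
    process: str
    kind: str      # e.g. "process_create", "registry_modify", "network_connect"

    @property
    def day(self) -> int:
        return self.ts // SECONDS_PER_DAY


def baseline(events):
    """Per (host, kind): mean and population stdev of daily counts over the training window."""
    days = sorted({e.day for e in events})
    per_day = defaultdict(Counter)            # (host, kind) -> {day: count}
    for e in events:
        per_day[(e.host, e.kind)][e.day] += 1
    stats = {}
    for key, day_counts in per_day.items():
        counts = [day_counts.get(d, 0) for d in days]   # days with no events count as 0
        stats[key] = (mean(counts), pstdev(counts))
    return stats


def score_day(events, stats, threshold=3.0):
    """Return sorted (host, kind, count, z) for aggregates well above their baseline.
    A (host, kind) pair never seen in training, or one that never varied in training
    and now differs, gets z = inf so it is always surfaced for review. Drops below
    the baseline are ignored because the threshold is positive."""
    counts = Counter((e.host, e.kind) for e in events)
    findings = []
    for (host, kind), n in counts.items():
        if (host, kind) not in stats:
            findings.append((host, kind, n, float("inf")))
            continue
        mu, sd = stats[(host, kind)]
        if sd == 0:
            z = 0.0 if n == mu else float("inf")
        else:
            z = (n - mu) / sd
        if z >= threshold:
            findings.append((host, kind, n, z))
    return sorted(findings)


# The behavior quoted in the article, as an ordered pattern of event kinds.
KNOWN_SEQUENCE = ("process_create", "registry_modify", "network_connect")


def matches_sequence(events, pattern=KNOWN_SEQUENCE):
    """(host, process) pairs whose time-ordered events contain `pattern` as a subsequence."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_proc[(e.host, e.process)].append(e.kind)
    hits = []
    for key, kinds in by_proc.items():
        i = 0
        for k in kinds:
            if k == pattern[i]:
                i += 1
                if i == len(pattern):
                    hits.append(key)
                    break
    return sorted(hits)


def _training_events():
    """Five days of constructed 'normal' activity on ws01: outlook.exe starts once
    and makes a handful of outbound connections each day."""
    events = []
    for day, n_connects in enumerate([3, 4, 3, 5, 3]):
        base = day * SECONDS_PER_DAY
        events.append(Event(base + 100, "ws01", "outlook.exe", "process_create"))
        events += [Event(base + 200 + i, "ws01", "outlook.exe", "network_connect")
                   for i in range(n_connects)]
    return events


def _evaluation_events():
    """Day 5 (constructed): outlook.exe behaves as usual, but winword.exe starts,
    modifies the registry and then opens nine outbound connections."""
    base = 5 * SECONDS_PER_DAY
    events = [Event(base + 100, "ws01", "outlook.exe", "process_create")]
    events += [Event(base + 200 + i, "ws01", "outlook.exe", "network_connect") for i in range(3)]
    events += [Event(base + 50, "ws01", "winword.exe", "process_create"),
               Event(base + 60, "ws01", "winword.exe", "registry_modify")]
    events += [Event(base + 70 + i, "ws01", "winword.exe", "network_connect") for i in range(9)]
    return events


TRAINING_EVENTS = _training_events()
EVALUATION_EVENTS = _evaluation_events()


def analyze(training=TRAINING_EVENTS, evaluation=EVALUATION_EVENTS):
    """Baseline on the training window, then score the evaluation day both ways."""
    stats = baseline(training)
    return score_day(evaluation, stats), matches_sequence(evaluation)


if __name__ == "__main__":
    findings, hits = analyze()
    for host, kind, n, z in findings:
        print(f"{host} {kind}: {n} events today, z={z:.1f}")
    for host, proc in hits:
        print(f"{host} {proc}: matches known sequence {' -> '.join(KNOWN_SEQUENCE)}")
```

On the constructed day 5 the statistical view flags the connection count (12 against a baseline of about 3.6 per day), a second process start, and a registry modification the host had never produced before, while the sequence view names `winword.exe` as the process that performed all three steps in order. Neither view alone says whether this is a legitimate new workflow or an intrusion, which is exactly the higher-level judgement the paragraph above leaves to the analyst or to a richer model.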
ExtraHop’s Reveal(x) platform provides network traffic analysis for business networks, giving insight into connections and identifying potential threats using rule- and behavior-based analytics coupled with logical device groups. The platform also touts “full context and one-click research workflows for each detection.”
Vectra Cognito is an AI-powered security platform that uses analysis of known malware payloads and techniques to train machine learning models that detect future or unknown threats. It also analyzes user behavior and local network or customer-specific attributes to establish a baseline of normal behavior against which anomalous behavior can be identified.
Corelight’s 1U rack-mountable network security appliances are designed to produce comprehensive and actionable logs based on a variety of factors. The Corelight platform can be used to track DNS queries and responses as well as potentially problematic environmental factors, such as out-of-date or vulnerable software, abnormal keyboard settings, and self-signed or expired SSL certificates, and to detect which network systems have accessed a malicious file.
DataVisor’s products are aimed more at transactional security than network security, with offerings for content moderation and filtering, transaction fraud (including promotional abuse and loyalty fraud), account opening and monitoring, and the detection and prevention of money laundering.
The company touts its ability to provide detailed information on why patterns are marked as anomalous, citing a tendency to treat competing AI / ML models as “black boxes.”
For all the advances that AI / ML promises for cybersecurity, it is not a replacement for the traditional basis of establishing basic security hygiene in a given organization. “What people need to worry about when they deploy is how control systems are used or accessed… this is the gateway to all other devices. If someone checks their email on [an industrial control system], you’ll have a bad time,” Zelonis said. “There is really no technological solution for in-depth social engineering.”
According to Eric Ogren, senior analyst for information security at 451 Research, SIEM is likely to integrate user data in the future. “The first step is who accesses [a device]? And do they access it at normal hours with normal protocols? Do they have permissions? Are they authorized? I’m beginning to see many of the same vendors for access control integrated with identity information.”