Why What You Don’t Know, May Hurt You

Thursday, August 28, 2014

Stephen Dodson


Managing security in today’s enterprise is far different than it was ten to fifteen years ago. In the past, companies were able to set up proxy agents, firewalls and strong virus protection software and feel pretty secure that their company’s information was safe. 

However, in today’s world, things have changed. We are no longer dealing with teenage hackers or disgruntled young adults with a political or social ax to grind. The real threat to your security comes from advanced cybercriminal organizations. They are well versed in your typical defenses and spend all their time figuring out ways to bypass them. These are professionals with the skills, knowledge, talent, creativity and motivation to succeed.

If you consider your organization to be a likely target, then it’s a safe bet that your defenses have already been infiltrated – and that it’s only a matter of time until the real theft begins. This means your organization needs to immediately focus on detecting nefarious activities inside of your perimeter.

Recognize That The Bad Guys Have The Advantage  

Traditional security relies on filtering attacks that reuse previously seen methods of infiltration. Anyone in the security industry knows that this is simply not how it works – while signatures and rules designed to block known malware and exploits produce thousands of notifications a day, the advanced criminal is slipping through undetected with new (or variants of old) attack tools.

Imagine how safe you would feel traveling if our only defense against terrorists was the TSA. Terrorists try to blow up a plane with liquid explosives and the TSA now knows to pay close attention to liquids. Terrorists then try to use shoe bombs and we now have to take off our shoes to go through security. In this sort of “last-known threat”-based security paradigm, the bad guy has the advantage of creating the new or unknown threat profile.

This is why the usual approach to IT security needs to change.  

Change Approaches

Attackers try hard to mask their activities and fly below the radar of your security paradigm – but try as they might, in order to accomplish their goals, their behaviors are going to have to be anomalous at some point in time. An authorized login is going to be attempted from a new IP address. A server is going to run a different process than usual. An unusual pattern of data transmissions will occur to a new external URL.   

The key to mitigating this threat is to be able to identify these ‘fingerprints’ amidst the billions of records produced by the combination of your security tools, web, server and network resources.   

Some will argue that given enough time, an expert security analyst will be able to uncover this evidence with traditional tools and manual methods. While there may be some validity to that point, in the fight against cybercrime, time is not on your side – and the commitment of resources required would be huge.

The good news is that this is a technology problem that has already been solved in the “big data world.” Advanced, machine learning-based analytics can easily process and cross-correlate this data in real-time. However, the approach cannot solely be based on identifying ‘known’ threats. It needs to be based on advanced statistics to detect outlier behaviors – in other words, anomaly detection.

So what can these analytics uncover? Some examples include:  

• The Early Signs Of Data Theft: Billions of network traffic records can be analyzed that detail the source, destination, size and content of messages outbound from your organization. Advanced analytics can determine if any of this traffic is unusual in terms of who is sending it, where it is going or how it is being transmitted.  

• Rare Or New Processes: Machine learning can be used to automatically determine the “normal” set of processes connecting to the network on each of tens of thousands of servers and immediately notify you when that changes. Attempting this approach with human-defined rules or signatures would simply require more employee hours than you could possibly dedicate.

• Population/Peer Outliers: “Bad guys” are “bad” because they do things that are different than the “good” guys do. Anomaly detection bubbles up internal or external users that are clearly operating in one or multiple ways outside the norm of their peers. 

Detecting these and other anomalies will help you find unexpected and unexplained behaviors typically connected with an intrusion.   
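Two of the detections listed above, a per-host “normal process set” baseline and a peer-group outlier check on outbound volume, as an added illustration that is not part of the original article or of any Prelert product. All hosts, users, process names and byte counts below are constructed sample data; the outlier score uses a median/MAD-based modified z-score, one common robust choice, not a method the article specifies.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the article): host -> processes observed
# making network connections during a baseline window.
BASELINE = [
    ("web-01", "nginx"), ("web-01", "sshd"), ("web-01", "chronyd"),
    ("web-02", "nginx"), ("web-02", "sshd"), ("web-02", "chronyd"),
    ("db-01", "postgres"), ("db-01", "sshd"), ("db-01", "chronyd"),
]

# Constructed observations from the current window.
CURRENT = [
    ("web-01", "nginx"), ("web-01", "sshd"),
    ("web-02", "nginx"), ("web-02", "curl"),      # never seen on web-02 before
    ("db-01", "postgres"), ("db-01", "python3"),  # never seen on db-01 before
]

# Constructed per-user outbound bytes for one day, grouped by peer group.
OUTBOUND = {
    "finance": {"alice": 120_000, "bob": 95_000, "carol": 110_000,
                "dave": 130_000, "erin": 6_400_000},
    "eng": {"frank": 900_000, "grace": 1_100_000, "heidi": 950_000,
            "ivan": 1_050_000},
}

def learn_process_baseline(records):
    """Learn the 'normal' set of network-active processes for each host."""
    baseline = defaultdict(set)
    for host, proc in records:
        baseline[host].add(proc)
    return baseline

def new_processes(baseline, observed):
    """Return (host, process) pairs absent from that host's learned baseline."""
    return sorted({(h, p) for h, p in observed if p not in baseline.get(h, set())})

def peer_outliers(groups, threshold=3.5):
    """Flag users far from their peer group's median outbound volume.

    Median and MAD are used instead of mean/stddev so a single heavy sender
    cannot drag the baseline toward itself and hide.
    """
    flagged = []
    for group, users in groups.items():
        values = list(users.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # guard against MAD == 0
        for user, v in users.items():
            score = 0.6745 * (v - med) / mad  # modified z-score
            if abs(score) > threshold:
                flagged.append((group, user, round(score, 1)))
    return flagged
```

Running `new_processes(learn_process_baseline(BASELINE), CURRENT)` surfaces only the two never-before-seen processes, and `peer_outliers(OUTBOUND)` flags only the one finance user whose volume is far outside that team's norm.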


We’ve established that analysis of your company’s big data is the key to finding these anomalies.   

The problem is the employee hours and brainpower needed to successfully analyze everything in enough time to act. Machine learning technology can find the anomalies and unusual actors among the tremendous volumes of streaming security and operations data – and do so while actually freeing up time spent by your existing analyst teams.   

It is simply impossible to anticipate a cybercriminal’s every move and safeguard your organization with “known” threat approaches. The beauty of machine learning is that you don’t have to – you set the system up and the machine learning technology constantly evolves to make sure only true anomalies are being discovered.   

With machine learning-based analysis and anomaly detection technology digging into your big data, larger amounts of information can be reviewed and analyzed – leading to near real-time analysis and the detection of potential security issues that would be unknown otherwise.  


Modern security will be reliant on getting the most out of your company’s big data – there are no two ways about it – especially if you have the type of data and information wanted by cybercriminals. The only way to review your data with the speed and efficiency that will make results actionable is with the use of machine learning.  

Stephen Dodson is chief technical officer of Prelert.
