FEATURE: THREAT ANALYSIS
more sophisticated analysis and more exposure to real-world experience provided by the customer. Multiple techniques used together can refine assessments in multiple dimensions. One example of this would be the L2-7 stack, transactions and sessions over time for that stack and protocols involved over time. This depth of
More of this traffic is using advanced encryption based on perfect forward secrecy (PFS) rather than public key encryption (PKE).
Challenge your threat analytics vendor
Data quality and analytics quality are fundamentally linked. Variations in the depth, breadth and completeness of the data will affect the accuracy of the analytics. Noisy data, especially log and machine data, requires manual scrubbing.
Once equipped with high-fidelity data, a range of machine learning techniques and data science approaches will determine the accuracy and volume of the alerts generated. AI also facilitates automated triage, correlation, investigation and eventually, incident response. Ultimately, to minimise false positives. Tuning each technique helps as well.
For example, behavioural anomaly detection compares observed behaviour to expected behaviour, usually through unsupervised learning. Anomaly detection can be performed against many different data variables (users, applications, protocols or traffic volume), as well as patterns of data (number of login attempts, number of different systems accessed within a specific timeframe, range of IP addresses and devices contacted).
Two additional data science techniques can improve results: data dimensionality reduction and outlier detection. Dimensionality reduction identifies which variables convey meaningful differentiation mathematically and which don’t. In car terms, given the task of identifying cars vs motorcycles, an AI solution that has access to data on the number of wheels will have a much easier time than one with access to just the colour of the vehicle. By identifying and analysing the data with the most meaning, the analytics deliver increased accuracy in less time with fewer compute resources.
Similarly, outlier detection says: the farther away from normal a meaningful event is, the more unusual and potentially risky it is. This technique helps security tools ‘score up’ events and increase confidence in the detection accuracy.
One reason AI systems are ideal for outlier detection is that they can consider variations
network traffic, breadth of network protocol and duration of time spreads the data set widely. Computers are best suited to identify meaningful spatial variations against ‘normal’ for these multivariate relationships.
Of course, outliers may be caused by human error, data sampling, data manipulation and data degradation. Outlier detection may increase false positives unless it is coupled with contextual data, anomaly detection and dimensionality reduction. So no individual technique is a panacea and experience will differentiate AI veterans from novices.
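The three techniques the article has just walked through (behavioural anomaly detection against an unsupervised baseline, dimensionality reduction that drops non-differentiating variables, and outlier scoring that rises with distance from normal, coupled with contextual data) can be strung together in a few dozen lines. The example below is added here for illustration; it is not code from the article or from any vendor. Every input is constructed: the hourly per-user rows, the variable names, the 07:00-19:00 working window used as context, and the alert threshold are all assumptions made for the demonstration.

```python
"""Constructed example: scoring hourly login activity for outliers.

Not code from the article or any vendor. It strings together the three
techniques the article describes, in the simplest form that still works:
  1. anomaly detection        - baseline built from the data itself (unsupervised)
  2. dimensionality reduction - drop features that do not differentiate
  3. outlier scoring          - the farther from normal, the higher the score,
                                with an hour-of-day context factor on top
"""
from statistics import median

# Constructed sample, one row per (user, hour): the count-style variables the
# article lists plus a field ("office_vlan") that is identical for everyone.
# The last row is a deliberately constructed outlier (mass logins at 03:00).
SAMPLE_EVENTS = [
    # user,     hour, login_attempts, systems_accessed, distinct_ips, office_vlan
    ("alice",    9,   3,  2,  1, 10),
    ("alice",   14,   2,  3,  1, 10),
    ("bob",     10,   4,  2,  1, 10),
    ("bob",     16,   1,  1,  1, 10),
    ("carol",   11,   3,  2,  2, 10),
    ("carol",   15,   5,  3,  1, 10),
    ("dave",     9,   2,  2,  1, 10),
    ("dave",    13,   5,  3,  2, 10),   # busy but within the normal spread
    ("mallory",  3,  40, 18,  9, 10),   # constructed outlier
]
FEATURES = ("login_attempts", "systems_accessed", "distinct_ips", "office_vlan")


def to_features(event):
    """Turn one raw row into a feature dict keyed by FEATURES."""
    return dict(zip(FEATURES, event[2:]))


def select_informative_features(rows, features):
    """Dimensionality reduction in its most basic form: drop any feature whose
    value never varies across the population. A constant cannot separate
    normal from abnormal (the article's 'colour of the vehicle')."""
    return [f for f in features
            if max(r[f] for r in rows) != min(r[f] for r in rows)]


def robust_baseline(rows, features):
    """Unsupervised 'expected behaviour': median and median absolute deviation
    (MAD) per feature. Median/MAD are used instead of mean/stdev so that the
    very outliers being hunted do not stretch the definition of normal."""
    baseline = {}
    for f in features:
        values = [r[f] for r in rows]
        med = median(values)
        mad = median([abs(v - med) for v in values]) or 1.0  # guard: MAD of 0
        baseline[f] = (med, mad)
    return baseline


def contextual_weight(hour):
    """Contextual data the article says outlier detection needs: the same
    deviation counts for more outside an assumed 07:00-19:00 working window."""
    return 1.5 if hour < 7 or hour > 19 else 1.0


def outlier_score(row, hour, baseline):
    """Distance from normal: sum of positive robust z-scores across the kept
    features, scaled by context. Only upward deviations count, since fewer
    logins than usual is not the risk being scored here."""
    distance = sum(max((row[f] - med) / mad, 0.0)
                   for f, (med, mad) in baseline.items())
    return distance * contextual_weight(hour)


def rank_events(events, threshold=6.0):
    """Run the pipeline; return the kept features and rows sorted by score.
    Each result is (user, hour, score, flagged). The threshold is an assumption."""
    rows = [to_features(e) for e in events]
    kept = select_informative_features(rows, FEATURES)
    baseline = robust_baseline(rows, kept)
    scored = [(e[0], e[1], round(outlier_score(r, e[1], baseline), 2))
              for e, r in zip(events, rows)]
    scored = [(u, h, s, s >= threshold) for u, h, s in scored]
    scored.sort(key=lambda t: t[2], reverse=True)
    return kept, scored


if __name__ == "__main__":
    kept, ranked = rank_events(SAMPLE_EVENTS)
    print("features kept after dimensionality reduction:", kept)
    for user, hour, score, flagged in ranked:
        print(f"{user:8s} {hour:02d}:00  score={score:6.2f}  {'ALERT' if flagged else ''}")
```

Two design choices are worth noting. The baseline uses median and MAD rather than mean and standard deviation precisely because of the article's warning that outliers can be caused by sampling or data degradation: a single extreme row would otherwise widen 'normal' enough to hide itself. And the constant `office_vlan` column is removed before scoring, so it can neither help nor dilute the distance calculation, which is the practical effect of the dimensionality reduction the article describes.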
effective use of AI will help you avoid turnover and reduce risk.
These seven questions should be fair game for any advanced analytics vendor. They will show you have done your research and encourage the vendor to treat you with respect. For instance, if a vendor says, “Trust me, it’s in the maths!” you probably want to choose a different vendor.
Although AI is increasingly table stakes for analytics, it isn’t a simple checklist item. Demand answers, not alerts.
www.intelligentcio.com