By Sean Newman, Security Strategist, Cisco
The only thing that you can be certain of in life is that nothing is certain. For thousands of years the human race has tried to prove otherwise. People have attempted to predict the future with tarot cards, tea leaves and by staring into crystal balls. It’s highly unlikely that we’ll ever be able to see exactly what lies ahead, but thanks to significant technological advances, what we can do is use knowledge of the past and the present to drive a desired future outcome. In the field of IT security, today’s threat landscape is not the same one that we faced when the first PCs were introduced, but new technology creates an exciting opportunity for the security world to strengthen defences. And this is vital in a world where cyber-attacks are becoming increasingly sophisticated and targeted.
It is no longer a case of if a network will be attacked, but when. The security industry used to be able to build a specific response to a specific cyber-security threat. Now, however, attackers make it their job to stay one step ahead and find new ways to avoid detection. Adversaries are proactively working to understand what type of security solutions are being deployed and shifting to less visible, less detectable patterns of behaviour so their attacks are well concealed. There is now less “low-hanging fruit” for security solutions and professionals to detect; instead, there is more encrypted traffic, more scrambling, and more randomisation by malicious actors to make command-and-control behaviours indistinguishable from legitimate traffic.
The lack of visibility organisations have into today’s “noisy” networks means persistent threats have plenty of places to hide. Fortunately, however, predictive analytics is an emerging detection capability that can help security professionals seek out any trespassers. Predictive analytics doesn’t necessarily mean seeing an attack before it happens but, rather, helping security professionals identify and track unknown malware, wherever it may be hiding. Because predictive technologies are in their infancy, gaining a baseline understanding of the foundations upon which they are being developed is a good first step when exploring this new area. The following key questions can help:
1. How is the knowledge derived? An approach that is grounded in knowing what “normal” activity looks like can spot unusual behaviour on a network (the symptoms of an infection) through behavioural analysis and anomaly detection, combined with advanced security intelligence. Through the use of predictive analytics, organisations can assess the behaviour of entities (host servers and users) in their network. A model, derived from many smaller models and a concise representation of past behaviour, is created and used to predict how entities should behave in the future. Ideally, data is correlated in the cloud to enhance the speed, agility, and depth of threat detection. If there is a discrepancy from expected behaviour that is significant or sustained, it is flagged for investigation. Modelling and predicting legitimate activity, as opposed to trying to anticipate how future malware will behave, is more effective in the long term for protecting against new threats.
2. How is the knowledge presented? One challenge with predictive analytics is that the algorithms are complex and provide raw data that requires a trained eye to interpret. For predictive analytics to be practical and usable, security professionals should look for solutions that automatically present and explain findings and recommend next steps in an easy-to-understand format. These insights give existing security teams the confidence they need to act upon the analysis and improve controls, protection, and remediation, without the need for highly trained experts. In this era, when the security industry is plagued by a shortage of skilled security professionals, tools that are automated and accessible are essential.
3. How is the knowledge used? Predictive analytics, when integrated with existing security techniques, can help to make defences more accurate as well as more capable of detecting unknown or unusual behaviour on the network. It involves advanced decision-making algorithms that analyse multiple parameters from live traffic data; machine learning capabilities allow the system to learn and adapt based on what it sees. Machine learning systems look for where dangers might be and for evidence of an incident that has taken place, is under way, or might be imminent. And, although they do not necessarily handle security or policy enforcement, they can provide continuous intelligence to other systems, such as content-based security solutions, perimeter management solutions, and policy management solutions, to find unexpected threats, leading to the prioritisation of controls, protection, and remediation. Policies and controls can then be changed in anticipation of a potential threat, reducing effort and improving efficiency.
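An added example, not from the article or from Cisco, of the baseline-and-discrepancy idea in question 1: each entity gets a small model of its past behaviour (mean and spread of a per-window count), and a discrepancy is flagged only when it is significant (one large deviation) or sustained (a modest deviation that persists across consecutive windows). Host names, counts, window lengths and thresholds are all constructed for illustration.

```python
"""Per-entity behavioural baseline with significant-or-sustained flagging.
Added example; hosts, counts and thresholds below are constructed, not real data."""
from statistics import mean, pstdev

# Constructed history: outbound connection counts per 10-minute window, per host.
HISTORY = {
    "host-a": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
    "host-b": [5, 6, 4, 5, 7, 5, 6, 4, 5, 6],
}
# Constructed recent windows: host-a shows one brief spike; host-b shows a
# modest but steady rise, the quieter pattern that is easy to miss by eye.
RECENT = {
    "host-a": [41, 95, 40, 42, 43, 41],
    "host-b": [5, 8, 8, 8, 8, 8],
}

def build_baseline(history):
    """One small model per entity: (mean, standard deviation) of past windows."""
    baseline = {}
    for entity, values in history.items():
        sd = pstdev(values)
        # A perfectly flat history would make every deviation infinite; use a
        # floor of 1.0 so a single extra connection is not a 'significant' event.
        baseline[entity] = (mean(values), sd if sd > 0 else 1.0)
    return baseline

def flag_discrepancies(baseline, recent, z_spike=4.0, z_sustained=2.0, run_len=3):
    """Return (entity, window_index, kind, z) for each flagged discrepancy.
    'significant': a single window at or beyond z_spike standard deviations.
    'sustained':   z_sustained exceeded for run_len consecutive windows
                   (reported once, at the window that completes the run)."""
    findings = []
    for entity, values in recent.items():
        mu, sd = baseline[entity]
        run = 0
        for i, v in enumerate(values):
            z = (v - mu) / sd
            if abs(z) >= z_spike:
                findings.append((entity, i, "significant", round(z, 1)))
            if abs(z) >= z_sustained:
                run += 1
                if run == run_len:
                    findings.append((entity, i, "sustained", round(z, 1)))
            else:
                run = 0
    return findings

if __name__ == "__main__":
    for finding in flag_discrepancies(build_baseline(HISTORY), RECENT):
        print("flag for investigation:", finding)
```

Only the sustained rule catches host-b: each of its windows is roughly three standard deviations above normal, below the spike threshold, yet the deviation persists.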
In order to combat threats and create a brighter future, we need technologies that have the visibility and intelligence to keep up with dynamically changing environments. Security professionals should be prepared for the emerging area of predictive analytics. By understanding the underpinnings of predictive technologies, we can make more informed decisions that will result in tools that can truly help increase the resilience of our security solutions, scale controls over time, and create a more secure future.