
Predictive Analytics: Using the Past to Create a More Secure Future


Palm reading, tarot cards, crystal balls, tea leaves. For thousands of years humans have tried to predict the future with various methods and little success. Today, the desire to predict the future remains strong but increasingly difficult to satisfy; the pace of change has accelerated exponentially and the notion of predicting the future is even more tenuous the further out in time we go. But thanks to significant technological advances what we can do is use knowledge of the past and the present to drive a desired future outcome. That capability is extremely important for better security given today’s threat landscape and the vicious cycle defenders face.

It’s a scenario we’ve lived with since the first PCs were introduced: the security industry builds a specific response to a specific cybersecurity threat, and the attackers find a new way to avoid detection. Adversaries are proactively working to understand what type of security solutions are being deployed and shifting to less visible, less content-detectable patterns of behavior so their threats are well concealed. Now, there is less “low-hanging fruit” for security solutions and professionals to detect; instead, there is more cipher traffic, more scrambling, and more randomization by malicious actors to make command-and-control behaviors indistinguishable from real traffic.

The lack of visibility organizations have into today’s “noisy” networks means pervasive threats have plenty of hiding places. However, predictive analytics is an emerging detection capability to cut through the noise. Predictive analytics doesn’t necessarily mean seeing an attack before it happens but, rather, helping security professionals find unknown malware wherever it may be hiding. Because predictive technologies are in their early days, gaining a baseline understanding of the foundations upon which they are being developed is a good first step when exploring this new area. The following key questions can help:

1. How is the knowledge derived? An approach that is grounded in knowing what “normal” business activity looks like can spot unusual behavior on a network—the symptoms of an infection—through behavioral analysis and anomaly detection. Through the use of predictive analytics, organizations can assess the behavior of entities (host servers and users) in their network. A model, derived from many smaller models and a concise representation of past behavior, is created and used to predict how entities should behave in the future. Ideally, data is correlated in the cloud to enhance the speed, agility, and depth of threat detection. If there is a discrepancy in expected behavior that is significant or sustained, it is flagged for investigation. Modeling and predicting legitimate activity, as opposed to trying to anticipate how malware will behave in the future, is more effective in the long term for protecting against new threats.

2. How is the knowledge presented? One challenge with predictive analytics is that the algorithms are complex and produce raw data that requires a trained eye to interpret. For predictive analytics to be practical and usable, security professionals should look for solutions that automatically present and explain findings and recommend next steps in an easy-to-understand format. With these insights, existing security teams, without the need for highly trained experts, can have the confidence they need to act upon the analysis and improve controls, protection, and remediation. In this era when the security industry is plagued by a dearth of skilled security professionals, tools that are automated and accessible are essential.

3. How is the knowledge used? Predictive analytics, when integrated with existing security techniques, can help to make defenses more accurate as well as more capable of detecting unknown or unusual behavior on the network. It involves advanced decision-making algorithms that analyze multiple parameters and take in live traffic data; machine learning capabilities allow the system to learn and adapt based on what it sees. Machine learning systems look for where dangers might be and for evidence of an incident that has taken place, is under way, or might be imminent. And although they do not necessarily handle security or policy enforcement, they can provide continuous intelligence to other systems, like content-based security solutions, perimeter management solutions, and policy management solutions, to find unexpected threats leading to the prioritization of controls, protection, and remediation. Policies and controls change in anticipation of a potential threat, reducing effort and improving efficiency.
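The per-entity baseline described under question 1, with a "significant or sustained" discrepancy rule, as an added example that is not part of the original column. The metric (hourly outbound bytes per host), the hosts, the byte counts and the thresholds are all constructed assumptions chosen to illustrate the idea.

```python
"""Added example: model each entity's past behavior, predict the expected
range, and flag deviations that are either significant (one large spike)
or sustained (a smaller drift persisting across several windows).
All data and thresholds below are constructed for illustration."""
from statistics import mean, pstdev

# Constructed history: hourly outbound byte counts per host during a "normal" period.
HISTORY = {
    "host-a": [1000, 1100, 950, 1050, 1000, 980, 1020, 1000, 1100, 900],
    "host-b": [5000, 5200, 4800, 5100, 5000, 4900, 5300, 5000, 5100, 4950],
}

# Constructed new observations to score against the baseline.
NEW = {
    "host-a": [1000, 1050, 9000, 1000],          # one large spike
    "host-b": [5350, 5400, 5380, 5420, 5390],    # modest but sustained drift
}

SIGNIFICANT_Z = 4.0    # a single window this far from expected is flagged on its own
SUSTAINED_Z = 2.0      # a smaller deviation must persist to be flagged
SUSTAINED_WINDOWS = 3  # number of consecutive windows that counts as "sustained"

def build_baseline(history):
    """Concise representation of past behavior: (mean, stddev) per entity."""
    return {h: (mean(v), pstdev(v) or 1.0) for h, v in history.items()}

def score(baseline, host, values):
    """Distance of each new observation from the predicted value, in stddevs."""
    mu, sigma = baseline[host]
    return [(v - mu) / sigma for v in values]

def flag(zscores, sig=SIGNIFICANT_Z, sus=SUSTAINED_Z, k=SUSTAINED_WINDOWS):
    """Return reasons to investigate; an empty list means behavior matched prediction."""
    reasons, run = [], 0
    for i, z in enumerate(zscores):
        if abs(z) >= sig:
            reasons.append(f"significant deviation at window {i} (z={z:.1f})")
        run = run + 1 if abs(z) >= sus else 0
        if run == k:
            reasons.append(f"sustained deviation ending at window {i} ({k} windows)")
    return reasons

def evaluate(history=HISTORY, new=NEW):
    """Score every entity's new activity against its own baseline."""
    base = build_baseline(history)
    return {h: flag(score(base, h, vals)) for h, vals in new.items()}

if __name__ == "__main__":
    for host, reasons in evaluate().items():
        print(host, reasons or "matches baseline")
```

Note that host-b never crosses the single-window threshold; it is caught only because the drift persists, which is the case a per-event rule misses.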

To break the threat cycle we need technologies that have the visibility and intelligence to keep up with dynamically changing environments. Security professionals should begin to prepare for the emerging area of predictive analytics. By understanding the underpinnings of predictive technologies, we can make more informed decisions that will result in tools that can truly help increase resilience of our security solutions, scale controls over time, and create a more secure future.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
