MAY. 7, 2018

Across industry, existing defensive capabilities that rely on static automated sensors and log analysis are unable to detect malicious activity distributed across multiple devices and networks. Network defenders are stretched, having to recognize threats that have already penetrated the network perimeter as well as those crossing organizational boundaries. The challenge is compounded by the rapid growth in enterprise networks and distributed computing. While most of today’s cyber defense protocols can identify potential problems, they cannot discriminate between false indicators and serious network breaches. As a result, surveillance fatigue sets in as network defenders are quickly overwhelmed by a deluge of alerts; many of which are false positives. Today’s lack of automated proactive detection and remediation capabilities saps resources where overtaxed internal cybersecurity teams investigate benign events while missing actual threats.

The next stage in the lifecycle of R9B is to augment human analysis and operations with artificial intelligence (AI), specifically machine learning and expert knowledge systems. Creating expert systems based on existing standard operating procedures and applying machine learning algorithms to the analysis of network infrastructure distinguishes between known good and potentially malicious activity, highlighting the latter at machine speed. Initially built on existing, proven, human-defined threat intelligence models, the high-speed analysis of large-scale, disparate data sets within a given network will enable the discovery of additional threat vectors that would have otherwise gone undetected.

Linking endpoint activity with network communications and existing security management systems reveals the entire threat landscape of an enterprise network. This holistic framework, built around the capabilities of the ORION HUNT platform and operations center, can quickly identify possible malicious activity – even across multiple networks – to include the detection and characterization of novel attack vectors. The integration of a mature, battle-tested AI engine will enable the triage of terabytes of data, recognizing and isolating activities and devices that require deeper human investigation, ultimately increasing the efficacy of the big data analysis engine.

The state of the art in network security-based data analysis uses a collection of system artifacts and network traffic capture as input to the analysis engine. Instead of a sweeping collection of system logs and network data, R9B and DarkLight will generate dynamic identification of targeted data arenas, minimizing the processing cycles applied to eliminate non-useful data, the analysis required, and the turnaround time for collection of additional data. This dynamic, targeted collection mechanism, integrated with existing “passive” collection and processing of system-provided information (e.g., raw packets, logs, crash dumps, endpoint metadata, NetFlow, etc.) will produce an intelligence-rich analysis superior to today’s simplistic anomaly detection.

This was originally posted on LinkedIn by Michael Morris.  Click here to view on his page.