Breakthroughs in risk-based cyberattack detection

President Donald Trump's Cybersecurity Executive Order supports increased security of critical infrastructure, with a renewed focus on a risk-based approach to mitigating security threats. It provides the opportunity to reexamine what a risk-based approach to cyber security means and how current security technologies are being applied across government and private sectors.

One of the newer approaches involves security analytics, sometimes called user and entity behavior analytics. Here, machine learning and artificial intelligence can be used to detect, surface and connect threats. A risk-scoring model helps pinpoint and highlight threats by measuring and quantifying anomalous behaviors and connecting them with the sensitivity of the data or asset involved. The goal of these technologies is to compute a short, prioritized list of threats along with the users, machines, applications and files involved, rather than a flood of alerts and little understanding of context. Security analysts describe such risk-based approaches to threat detection as "finding the threats that matter." 

In addition to security analytics deployments in many different U.S. intelligence agencies, energy and utility companies are actively piloting and rolling out these newer technologies to enhance critical infrastructure protection. One rollout at a U.S. utility company with millions of customers across multiple states seeks to enhance protection of significant intellectual property in alternative energy creation and distribution, as well as customer data. The most critical part of the program is an upgraded insider threat program with specific focus on risky insider actions related to the company's vast power distribution infrastructure driven by changes in the North American Electric Reliability Corporation's critical security protection plan.

Most government agencies and commercial companies -- and this utility is no exception --- have a traditional perimeter-and-prevention security program built around security information and event management software. Effectiveness has degraded over time due to the growing amount of data that must be collected, as well as the increased sophistication of the attackers and limitations inherent with SIEM technology. The consequences are gaps in threat surface coverage, increasing false positives and security analyst overload.

With an understanding those limitations and a massive growth in data collection underway, the utility company had moved to a more cost-effective Hadoop-based "data lake" storage strategy. Big data adoption across utility companies is common because analyzing massive amounts of data helps to better predict energy demand and increase efficiency to improve the bottom line. But big data-based security applications are just getting started, and ones that natively use big data technologies without, for example, reliance on older SQL databases or non-scalable compute technologies, are thin on the ground.

Big data security analytics are able to automate what a human cybersecurity team can do, relying on artificial intelligence techniques to turn human intuition and detective skills into algorithms that can run tirelessly and continuously, combing through billions of digital bread crumbs to find the attacker's trail. For example, unsupervised machine learning methods automatically learn the normal behavioral patterns across vast datasets, to detect and measure changes in behavior that are indicative of a threat, scores them, and assigns them contextual meaning.

In the case of the utility company, the security team doesn't have to set rules and thresholds because machine learning models never stop learning. They persistently observe, analyze and adjust hundreds of definitions of normal activities through continuous user, file, application and machine monitoring. Far from job elimination, this approach puts the best people on the jobs people do best: looking for broad themes, developing strategies and using intuition while the machines automate.

The utility company in question plans to expand deployment of open source big data components and build an organization-wide security data lake. In collecting log sources from across security, IT and supervisory control and data acquisition systems they gain broad threat visibility. Next up is creating automated and semi-automated incident response, linking the finding of security analytics with a vast control environment by triggering downstream actions from the software through Open Data Exchange Layer integration. The outcome of the entire program is a much more proactive, true risk-based threat detection and response system that connects machine-learning, automated threat detection with an effective response program.