It’s getting harder and harder for IT & security teams to distinguish between actual threats and harmless anomalies. Artificial Intelligence (AI) has the potential to help your team make these important distinctions and keep the network safe.

This is a tall order, because networks are becoming more complex and infinitely more dynamic. Users do things with their computers that are at best unwise and at worst dangerous. Most of the time, they do these things without guile. They click on links that seem benign or enable macros in a document because its title seems important. They store sensitive information in insecure places. Despite all the data breach headlines, an assumption seems to persist that if you are able to do something on your computer, it must be OK.

That assumption spawns the unwise behaviors that generate thousands of anomalies, which set off alerts on a daily basis. Security teams have to wade through all these alerts without the ability to tell the difference between what’s malicious and what’s not.

This is an unworkable situation. Network security requires the ability to distinguish between malicious and non-malicious anomalies. AI and machine learning (ML) can be used to help identify which anomalies to be concerned about and which are benign.

Use AI to focus on what matters

AI and ML are not a miracle drug, though. IT & security teams need a smart framework to focus on which anomalies matter most to their organization. Some providers recommend that your team focus on seven to 10 criteria for anomaly analysis and leave it at that. This is a good start, but it’s not enough.

Teams need to look at anomalies collectively to detect trends and corroborated behaviors. This goes a step further than focusing on those aforementioned seven to 10 criteria. In fact, to implement a truly focused framework and minimize false-positive detections, it takes an adversary mindset.

How is the adversary thinking? What are they focused on, and how will they likely achieve it? Many solutions and security professionals are focused on figuring out which criteria are the most important in terms of anomaly detection. An adversary approach requires more holistic thinking: in what sequence and across what hosts do these anomalies fit together in a way that resembles what an adversary might actually be doing inside a network?

Adversaries have an ever-expanding repertoire of ways to get inside your network, but once inside, their campaigns must contain three elemental behaviors:

Reconnaissance: Poking around your network to understand its structure, map resources, and locate valuable data and/or systems

Collection: Collecting and moving valuable data in preparation for exfiltration

Exfiltration: Transferring data to external destinations

Teams that compare the many anomalies to see if they match up with these behaviors will get a more accurate sense of the network’s threat landscape.
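The correlation step described above, fitting individual anomalies together in sequence and across hosts into the reconnaissance, collection and exfiltration behaviors, as an added Python example. This is not code from the original article, its author, or eSentire. The category-to-stage mapping, the event fields (`host`, `ts`, `category`, optional `peer`), the 24-hour campaign window and every sample event are constructed assumptions for illustration; a real deployment would derive them from its own telemetry.

```python
"""Correlate individual anomalies into adversary-style campaign sequences.

Added example, not code from the original article, its author, or eSentire.
Assumptions (all constructed for illustration): anomalies are dicts with
'host', 'ts' (ISO 8601), 'category', and optionally 'peer' (another internal
host the event touched); each category maps to one of the article's three
behaviors; a campaign must run through all three within a 24-hour window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping from anomaly category to campaign stage. Unmapped
# categories are still anomalies, but they carry no weight in this framework.
STAGE_OF = {
    "port_scan": "reconnaissance",
    "share_enum": "reconnaissance",
    "ldap_enum": "reconnaissance",
    "bulk_file_read": "collection",
    "archive_created": "collection",
    "smb_copy_internal": "collection",
    "large_upload_external": "exfiltration",
    "dns_high_entropy": "exfiltration",
}
ORDER = ["reconnaissance", "collection", "exfiltration"]

# Constructed sample anomalies: one campaign spanning two hosts, plus several
# isolated events that would each raise an alert on their own.
SAMPLE_EVENTS = [
    {"host": "ws-01", "ts": "2024-03-01T08:00:00", "category": "port_scan"},
    {"host": "ws-01", "ts": "2024-03-01T08:10:00", "category": "share_enum"},
    {"host": "ws-01", "ts": "2024-03-01T09:00:00", "category": "smb_copy_internal", "peer": "fs-02"},
    {"host": "fs-02", "ts": "2024-03-01T09:30:00", "category": "archive_created"},
    {"host": "fs-02", "ts": "2024-03-01T10:00:00", "category": "large_upload_external"},
    {"host": "ws-07", "ts": "2024-03-01T11:00:00", "category": "bulk_file_read"},  # user opening many docs
    {"host": "ws-07", "ts": "2024-03-01T11:05:00", "category": "macro_enabled"},   # unmapped category
    {"host": "ws-09", "ts": "2024-03-01T12:00:00", "category": "large_upload_external"},  # cloud backup
    {"host": "ws-12", "ts": "2024-02-20T09:00:00", "category": "port_scan"},
    {"host": "ws-12", "ts": "2024-03-05T09:00:00", "category": "large_upload_external"},  # no collection between
]


def link_hosts(events):
    """Union-find over hosts: an event with a 'peer' joins the two hosts into
    one cluster, so a campaign can be followed across internal copies."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for e in events:
        find(e["host"])
        if e.get("peer"):
            parent[find(e["host"])] = find(e["peer"])
    return {h: find(h) for h in list(parent)}


def correlate(events, window=timedelta(hours=24)):
    """Return campaigns: per host cluster, the earliest reconnaissance event,
    the first collection event after it, and the first exfiltration event
    after that, provided the whole chain fits inside `window`."""
    cluster_of = link_hosts(events)
    staged = defaultdict(list)
    for e in events:
        stage = STAGE_OF.get(e["category"])
        if stage is None:
            continue  # anomaly with no campaign role: not escalated here
        staged[cluster_of[e["host"]]].append(
            (datetime.fromisoformat(e["ts"]), stage, e["host"]))

    campaigns = []
    for evs in staged.values():
        evs.sort()  # chronological; tuples compare by timestamp first
        chain = []
        for wanted in ORDER:
            after = chain[-1][0] if chain else None
            hit = next((ev for ev in evs
                        if ev[1] == wanted and (after is None or ev[0] > after)), None)
            if hit is None:
                break  # stage missing in order: isolated anomalies, not a campaign
            chain.append(hit)
        if len(chain) == len(ORDER) and chain[-1][0] - chain[0][0] <= window:
            campaigns.append({
                "hosts": sorted({host for _, _, host in chain}),
                "stages": [(stage, host, ts.isoformat()) for ts, stage, host in chain],
            })
    return campaigns


def summarize(events):
    """Contrast raw alert volume with the number of correlated campaigns."""
    return {"alerts": len(events), "campaigns": len(correlate(events))}


if __name__ == "__main__":
    for c in correlate(SAMPLE_EVENTS):
        print("campaign across", c["hosts"])
        for stage, host, ts in c["stages"]:
            print(f"  {ts}  {host:6}  {stage}")
    print(summarize(SAMPLE_EVENTS))
```

Run on the constructed sample, the ten individual alerts collapse to a single campaign, the one where reconnaissance on `ws-01` is followed by an internal copy to `fs-02` and an external upload from there; the lone bulk read, the lone upload and the scan-then-upload pair with no collection in between all stay as unescalated anomalies. The ordering constraint (each stage must occur after the previous one) and the host linking via `peer` are the two pieces that encode the "in what sequence and across what hosts" question from the text.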

The human-AI connection

It’s become a generally accepted premise that IT & security teams can use AI and ML to determine which security alerts are the most important. However, the hype has often not matched reality, which ends up making AI and ML look bad. And some assume that implementing AI and ML eliminates the need for a human in the loop, which is inaccurate. AI amplifies the skills of the humans who use AI tools, but it cannot take the place of seasoned human professionals – nor was it intended to.

In network security, the automation that AI and ML provide only goes so far. But with an adversary-focused framework, security pros can ensure that what they look for when analyzing anomalies is truly malicious.

Collaborative security

As long as there are cat videos and email, there will be employees who click unwisely, which means the network will always be in need of strong security. Anomalies will multiply, and IT & security teams will deal with the tsunami of alerts that result.

However, AI and ML are now available to help, if teams will implement them strategically. These technologies will help organizations get inside the heads of their foes and focus their expertise on the few truly malicious behaviors. It’s not an either/or proposition: humans and technology can work together to make the network more secure.

 



Jason Kichen is the director of security research and operations at eSentire. Prior to its acquisition by eSentire, Mr. Kichen served in this role at Versive. Previously, he spent almost 15 years working in the U.S. intelligence community as an expert in technical and offensive cyber operations. He has two Director of National Intelligence Meritorious Unit Citations and a National Intelligence Professional Award from the National Counter Proliferation Center, amongst other accolades from the defense and intelligence communities.