Enhanced analytical capabilities will help organizations better understand how attacks will unfold, and how to stop them in their earliest stages.
Prediction is as old as humankind, as we’ve search for clues to the future. Big data, computer models, and sophisticated algorithms have brought us much closer to accurately predicting things such as actuarial tables, inventory levels, and financial behavior. These tools help with pricing, manufacturing, and application approvals. Advanced analytics can also help security analysts understand the probable path of an attack and enable faster actions to contain or even stop it before it becomes a serious threat.
Security officers already bear some responsibility to predict threats, which affects budget, purchase, and staffing decisions. They use available information on today’s threats to prepare for tomorrow’s, on a broad scale. But how do you predict and respond to a single serious attack amid all of the day-to-day noise in a way that is actionable and sustainable?
Effective prediction requires a large amount of data from a range of activities, including normal behavior, historical events, and third-party intelligence. The bad news is that the sheer volume of security data we are collecting is already overloading the ability of human analysts to interpret. The good news is that this is exactly what predictive analytics needs to crunch through and present in an actionable format.
To use a simple example, you have data from a historical attack that used several IP addresses and domains. Those addresses are already flagged as malicious, but you investigate and find that there are another 200 domains with the same owners. Adding those domains to the watch list gives you an early warning that, if any of them is being accessed from your network, you are probably seeing the beginnings of a new attack.
This example is admittedly simple, and there are significant barriers to overcome before predictive security analytics becomes commonplace. The ability to distinguish between suspicious and malicious, to determine if someone has a weapon and is not merely loitering outside, requires more context about the data. Where did this information come from? How old is it? Why was it marked malicious? A threat intelligence exchange model can provide this much-needed context, sharing threat information in real-time among partners, other companies in the industry, security vendors, and government agencies.
Incomplete Alerts
Even with context, the alerts from predictive analytics are still going to be incomplete. They are not going to deliver the same certainty as matching a malware signature or known bad IP address. What they will do is provide enough probable cause for protective actions to start earlier, before you have all the details of the attack.
Is the market ready for these tools? Not quite. Most customers I meet with are so busy with collecting data for compliance and regulatory use cases that predictive analytics are an aspirational goal. But these organizations are slowly building the foundation needed for prediction by increasing integration and automation of their security forces. These foundational abilities include real-time hunting, prioritization, and scoping of security incidents seen in their environments. Blocking decisions are being made automatically, based on policies and increasingly detailed profiles of normal and abnormal behavior. And we continue to work with our industry partners to respond to rapidly changing and evolving attack patterns with tools that are smart, integrated, and adaptive.
Enhanced analytical capabilities will help those on the front lines better understand how attacks will unfold, and stop these strikes in their earliest stages.