Intelligent CIO Europe Issue 4 - Page 62

FEATURE: THREAT ANALYSIS

“More of this traffic is using advanced encryption based on perfect forward secrecy (PFS) rather than public key encryption (PKE).”

Challenge your threat analytics vendor

Data quality and analytics quality are fundamentally linked. Variations in the depth, breadth and completeness of the data will affect the accuracy of the analytics. Noisy data, especially log and machine data, requires manual scrubbing. Once equipped with high-fidelity data, a range of machine learning techniques and data science approaches will determine the accuracy and volume of the alerts generated. AI also facilitates automated triage, correlation, investigation and, eventually, incident response. Ultimately, to minimise false positives, tuning each technique helps as well.

For example, behavioural anomaly detection compares observed behaviour to expected behaviour, usually through unsupervised learning. Anomaly detection can be performed against many different data variables (users, applications, protocols or traffic volume), as well as patterns of data (number of login attempts, number of different systems accessed within a specific timeframe, range of IP addresses and devices contacted). Two additional data science techniques can improve results: data dimensionality reduction and outlier detection. Dimensionality reduction identifies which variables convey meaningful differentiation mathematically and which don’t.

In car terms, given the task of identifying cars vs motorcycles, an AI solution that has access to data on the number of wheels will have a much easier time than one with access to just the colour of the vehicle. By identifying and analysing the data with the most meaning, the analytics deliver increased accuracy in less time with fewer compute resources.

Similarly, outlier detection says: the farther away from normal a meaningful event is, the more unusual and potentially risky it is. This technique helps security tools ‘score up’ events and increase confidence in the detection accuracy. One reason AI systems are ideal for outlier detection is that they can consider variations, more sophisticated analysis and more exposure to real-world experience provided by the customer. Multiple techniques used together can refine assessments in multiple dimensions. One example of this would be the L2-7 stack, transactions and sessions over time for that stack and protocols involved over time. This depth of network traffic, breadth of network protocol and duration of time spreads the data set widely. Computers are best suited to identify meaningful spatial variations against ‘normal’ for these multivariate relationships.

Of course, outliers may be caused by human error, data sampling, data manipulation and data degradation. Outlier detection may increase false positives unless it is coupled with contextual data, anomaly detection and dimensionality reduction. So no individual technique is a panacea, and experience will differentiate AI veterans from novices.

Effective use of AI will help you avoid turnover and reduce risk. These seven questions should be fair game for any advanced analytics vendor. They will show you have done your research and encourage the vendor to treat you with respect. For instance, if a vendor says, “Trust me, it’s in the maths!” you probably want to choose a different vendor. Although AI is increasingly table stakes for analytics, it isn’t a simple checklist item. Demand answers, not alerts.
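The three techniques the article names (dimensionality reduction to drop variables that carry no differentiation, a baseline of ‘normal’ behaviour, and an outlier score that grows with distance from that baseline), worked through as an added Python example. This is not code from the article or from any vendor product: the per-user activity rows are constructed, and the variance-based feature filter, the median/MAD baseline and the flagging threshold are the example's own choices.

```python
"""Behavioural outlier scoring on per-user activity counts (added example).

Steps, matching the three techniques in the article:
  1. dimensionality reduction: drop variables with no spread (they cannot
     separate anything, like vehicle colour for cars vs motorcycles);
  2. a per-variable baseline of 'normal', using median and MAD so that one
     extreme user does not inflate the definition of normal;
  3. outlier score = Euclidean distance from normal in standardised units.
Stdlib only; all sample rows below are constructed, not real telemetry.
"""
import math
from statistics import mean, median, pstdev

# Constructed sample: one row per user, counts over a one-hour window.
# 'badge_colour' is a deliberately uninformative (constant) variable.
SAMPLE_ROWS = [
    {"user": "alice",   "login_attempts": 3,  "systems_accessed": 2,  "distinct_ips": 1, "badge_colour": 1},
    {"user": "bob",     "login_attempts": 4,  "systems_accessed": 3,  "distinct_ips": 1, "badge_colour": 1},
    {"user": "carol",   "login_attempts": 2,  "systems_accessed": 2,  "distinct_ips": 1, "badge_colour": 1},
    {"user": "dave",    "login_attempts": 5,  "systems_accessed": 3,  "distinct_ips": 2, "badge_colour": 1},
    {"user": "erin",    "login_attempts": 3,  "systems_accessed": 1,  "distinct_ips": 1, "badge_colour": 1},
    {"user": "frank",   "login_attempts": 4,  "systems_accessed": 2,  "distinct_ips": 1, "badge_colour": 1},
    {"user": "grace",   "login_attempts": 6,  "systems_accessed": 4,  "distinct_ips": 2, "badge_colour": 1},
    {"user": "mallory", "login_attempts": 60, "systems_accessed": 14, "distinct_ips": 9, "badge_colour": 1},
]
CANDIDATE_FEATURES = ["login_attempts", "systems_accessed", "distinct_ips", "badge_colour"]

MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def select_features(rows, features):
    """Crude dimensionality reduction: keep only variables whose values
    actually differ across the population. A constant column is pure noise."""
    return [f for f in features if pstdev([r[f] for r in rows]) > 0]


def fit_baseline(rows, features):
    """Per-variable (centre, scale) describing 'normal'. Median/MAD are robust
    to the very outliers we want to find; if MAD collapses to 0 (most users
    share one value) fall back to mean/std so we never divide by zero."""
    baseline = {}
    for f in features:
        vals = [r[f] for r in rows]
        centre = median(vals)
        scale = MAD_SCALE * median([abs(v - centre) for v in vals])
        if scale == 0:
            centre, scale = mean(vals), pstdev(vals)
        baseline[f] = (centre, scale)
    return baseline


def outlier_score(row, baseline):
    """Distance from normal: a z-score per variable, combined as a Euclidean
    norm. The farther from normal, the higher the score."""
    return math.sqrt(sum(((row[f] - c) / s) ** 2 for f, (c, s) in baseline.items()))


def rank_users(rows, features):
    """Return [(user, score), ...] sorted from most to least unusual."""
    kept = select_features(rows, features)
    baseline = fit_baseline(rows, kept)
    scored = [(r["user"], outlier_score(r, baseline)) for r in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def flag_outliers(rows, features, threshold=3.0):
    """'Score up' users beyond the threshold. This is the raw outlier signal;
    the article's caveat applies: without contextual data (a migration, a
    scanner account) these are triage candidates, not confirmed incidents."""
    return [user for user, score in rank_users(rows, features) if score > threshold]


if __name__ == "__main__":
    print("kept variables:", select_features(SAMPLE_ROWS, CANDIDATE_FEATURES))
    for user, score in rank_users(SAMPLE_ROWS, CANDIDATE_FEATURES):
        print(f"{user:8s} score={score:6.2f}")
    print("flagged:", flag_outliers(SAMPLE_ROWS, CANDIDATE_FEATURES))
```

On this constructed data the constant ‘badge_colour’ column is dropped before scoring, ‘mallory’ lands far from every other user, and the threshold flags only that account; lowering the threshold to around 2 would start pulling in ordinary users such as ‘grace’, which is the false-positive trade-off the article warns about and the reason the score should be read alongside context rather than on its own.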