Automated Threat Detection Helps Fulfill Protection Goals of Critical Security Controls

Modern attacks and techniques to avoid detection have grown increasingly sophisticated in recent years, making traditional security methods insufficient to fulfill goals defined within the Critical Security Controls (CSCs).

According to new research by the SANS Institute, organizations can better protect themselves from attacks by combining automated network threat detection tools with traditional perimeter security methods.

The SANS Institute’s whitepaper, The Expanding Role of Data Analytics in Threat Detection, sponsored by Vectra Networks, said organizations should consider a breach as inevitable. Modern attackers are able to bypass perimeter-based security defenses using techniques that allow them to get—and stay—in corporate networks until their mission is accomplished. In this increasingly complex threat environment, Critical Security Controls (CSCs) play a vital role in helping to mitigate modern attack profiles.

Developed through federal and community efforts coordinated by the SANS Institute, CSCs are a prioritized and highly focused set of security actions for defending and responding to modern cyber attacks.

“CSCs enable organizations to develop a best-in-class security strategy and architecture,” Sean O’Connor, assistant chief information officer at Worcester Polytechnic Institute, said in a statement. “It is good to see innovative solution providers like Vectra collaborate with SANS to enable security architects to integrate their technology.”

New technologies, such as machine learning, have evolved to help organizations improve their response to modern attacks. Although the financial industry has been using machine learning since the 1970s to detect fraudulent behavior, use of machine learning in the information security sector is a recent phenomenon.

The report defines machine learning as “a collection of algorithms and techniques used to design systems capable of acquiring and integrating knowledge automatically.” Machine learning is the heart of the automated threat detection system. The other two layers of the system are data acquisition and feature extraction, and real-time detection, which determines whether an observed pattern is normal.

Barbara Filkins, senior SANS analyst, told Homeland Security Today that automated network threat detection using data science, machine learning, and behavioral analysis can improve or complement traditional security methods in several ways.

First, if attackers infiltrate a network, automated threat detection can help organizations get them out. Filkins explained that as malware has gotten smarter and increasingly able to evade detection in a sandbox or subvert endpoint controls, a network-based view of malware behavior provides a new and authoritative perspective on what the malware actually does.

“Network threat detection can complement sandboxes and other malware detection technologies by identifying malware behaviors inside the network,” Filkins said.

Second, additional network-based threat detection can identify those phases of an attack that may not use malware at all. For example, behavioral analysis and machine learning models can reveal when attackers have compromised a user’s credentials and are misusing them to dig deeper into the network.
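To make the three-layer design described above concrete, here is a small added example (not code from the SANS whitepaper or from Vectra): it extracts a per-user feature from constructed internal connection records, learns each user's normal fan-out, and flags a window in which a compromised account suddenly reaches hosts it has never touched. The users, host names and thresholds are all assumed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (hour_of_day, user, destination_host); not real traffic.
# Training: ten working hours of each user's normal internal fan-out.
TRAINING = [(h, "alice", d) for h in range(8, 18) for d in ("fileshare", "mail")] + \
           [(h, "bob", d) for h in range(8, 18) for d in ("fileshare", "wiki", "git")]
# Live window: alice behaves as usual; "bob"'s account suddenly touches four new servers.
LIVE = [(10, "alice", d) for d in ("fileshare", "mail")] + \
       [(10, "bob", d) for d in ("fileshare", "wiki", "git", "db01", "db02", "dc01", "hr-srv")]

def extract_features(records):
    """Layer 1 (data acquisition / feature extraction): destinations per (user, hour)."""
    feats = defaultdict(set)
    for hour, user, dst in records:
        feats[(user, hour)].add(dst)
    return feats

def build_baseline(records):
    """Layer 2 (learning): per-user set of known hosts and typical hourly fan-out."""
    known, counts = defaultdict(set), defaultdict(list)
    for (user, _), dsts in extract_features(records).items():
        known[user] |= dsts
        counts[user].append(len(dsts))
    return {u: {"known": known[u], "mean": mean(counts[u]), "std": pstdev(counts[u])}
            for u in known}

def score(records, baseline, z_limit=3.0, new_limit=2):
    """Layer 3 (real-time detection): flag windows that depart from the learned baseline."""
    alerts = []
    for (user, hour), dsts in extract_features(records).items():
        prof = baseline.get(user)
        if prof is None:                       # never-seen account: cannot be judged normal
            alerts.append({"user": user, "hour": hour, "reason": "unknown user"})
            continue
        new_hosts = sorted(dsts - prof["known"])
        # floor the spread at one host so a perfectly regular baseline still yields a finite z
        z = (len(dsts) - prof["mean"]) / max(prof["std"], 1.0)
        if z >= z_limit or len(new_hosts) >= new_limit:
            alerts.append({"user": user, "hour": hour, "z": round(z, 2), "new_hosts": new_hosts})
    return alerts

if __name__ == "__main__":
    for a in score(LIVE, build_baseline(TRAINING)):
        print(a)
```

Only the account whose behavior changed is reported, together with the hosts it had never contacted before, which is the kind of credential-misuse signal the paragraph above describes.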

“These are a few examples, but the concept applies in many ways, and allows an organization to find a threat in real-time instead of after the fact in a post-mortem analysis,” Filkins stated.

According to Filkins, the CSCs promote the use of automation to defend against modern threats and achieve improved outcomes, such as lower risk and lower dwell times. Automated threat detection offers the opportunity for organizations to improve their security posture through a proactive network defense.

For example, Vectra’s automated threat detection software uses a patent-pending combination of data science, machine learning and behavioral analysis to detect malicious behavior inside networks. Its technology picks up where perimeter security leaves off by providing deep, continuous analysis of both internal and Internet-bound network traffic to automatically detect all phases of a breach as attackers attempt to spy, spread, and steal within a network.

“Recent advancements in network monitoring allow security teams to use data science and machine learning to automatically identify the presence of a threat based on distinctive or unusual behavior,” Filkins said. “This in effect allows security teams to recognize a threat based on what the threat does instead of trying to have a signature for every possible threat.”

Filkins added, “This means that security teams can find threats even if they are brand new and unknown, and regardless of what type of device is attacked (server, laptop, iPhone, etc.). This allows security to disrupt those complex attacks and ensure that if an attacker gets in, he doesn’t stay in.”

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
