AI & Machine Learning 101-Part 4: A New Vision for Security Analytics

New security threats require a new framework for analyzing and responding to intrusions.


Security Analytics

The previous blogs in this series have taken a close look at machine learning, understanding its limitations and strengths. There is enormous potential for machine learning to facilitate AI, but it’s worth noting that the broader game of threat detection is not just about deep learning or machine learning as we know it today. New analytical methods combined with new data types can give us entirely new frameworks in which to analyze and act upon security threats.

Interset's Machine Learning Capabilities

We’ve seen what analytics can do for other industries, and there is potential for analytics to have a profound impact on cybersecurity, too. We see this taking shape in a new field that we refer to as security analytics, which essentially takes the battle-tested algorithms and methodologies that we have discussed (and more) and applies them to help solve the really difficult problems in security.

The most common analytics we see in security today involves predictive models, which allow us to identify where risks might be within large amounts of data (this is where anomaly detection fits in). In a nutshell, predictive modeling combines historical data with real-time behavior to understand or predict future behavior. With this, we can answer the question, “What happens next?”
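To make the "historical data plus real-time behavior" idea concrete, here is an added example (not Interset's code) of the simplest predictive baseline used in anomaly detection: each user's historical daily activity is summarised into a robust baseline (median and median absolute deviation), and a new observation is scored against that baseline. The user names, counts and the 3.5 threshold are constructed for illustration; the 0.6745 rescaling constant is the standard one for comparing MAD to a standard deviation.

```python
"""Baseline-and-deviation scoring: historical counts predict what a user's
next observation should look like; a real-time value far from that
prediction is flagged. Sample data is constructed, not real telemetry."""
from statistics import median

# Constructed history: file-access events per day for each user,
# oldest to newest. In practice this comes from the event store.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 16, 12, 14, 15, 13],
    "bob":   [40, 38, 45, 42, 39, 41, 44, 40, 43, 42],
}


def baseline(values):
    """Return (median, MAD) for a user's history. Median and MAD are used
    instead of mean and standard deviation so that a few past spikes do
    not inflate the baseline and hide the next one."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def robust_zscore(value, med, mad):
    """How far a new observation sits from the baseline, in MAD units.
    0.6745 makes the score comparable to a z-score for normal data.
    A zero MAD means the history never varied, so any deviation at all
    is reported as extreme rather than dividing by zero."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def score_observation(user, value, history=HISTORY, threshold=3.5):
    """Score one real-time observation for `user` against their history.
    `expected` is the baseline prediction of what this value should be."""
    med, mad = baseline(history[user])
    z = robust_zscore(value, med, mad)
    return {
        "user": user,
        "observed": value,
        "expected": med,
        "score": round(z, 2),
        "anomalous": z > threshold,
    }


if __name__ == "__main__":
    # Constructed real-time observations for today.
    for user, count in [("alice", 14), ("alice", 60), ("bob", 44)]:
        print(score_observation(user, count))
```

The threshold and the window of history are tuning choices: a longer window gives a steadier baseline but adapts more slowly when a user's legitimate behaviour changes, which is why the same score is rarely meaningful without the per-user baseline it was computed against.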

But our vision for security analytics doesn’t stop here. Predictive analytics is just one piece of a much larger puzzle that can give us much more useful insight for security teams. The ideal analytics paradigm combines intelligent sensor and ubiquitous data sources—desktops and servers, mobile, cloud, social networks, open data, etc.—with multiple advanced analytical approaches to behavioral and threat analysis, including forensic analysis, risk modeling, anomaly detection, behavioral and response optimization, and more.

This means that we can do far more than predict or identify a threat. It allows us to go even further to offer not just advanced detection but insight into how to respond most effectively. Security analytics gives us the power to answer other key questions, like “How many threats are there?” and “What is the best possible reaction?”

Figure: Security Analytics Flow Chart
Combining the data at the top left with the science on the bottom right, we can do far more than just detect the threat. We can provide next steps.

We haven’t seen other classes of analytics like optimization methods applied to cybersecurity yet, but they have immense potential. These techniques look at all the possible reactions to a security risk and determine the best response. Yes, there are ways to do this with math.

For example, optimization methods are used when you place a call to your cell phone service provider with an issue. They are not randomly making a recommendation on whether or not to upgrade your service plan at a discount; they rely on a set of mathematics in the background that looks at your call logs, the number of dropped calls, how your history compares with that of other users, etc. It even calculates the probability that you might switch to another service provider. Then, out of all the possible next steps, it computes the best next step to maximize customer retention.

The same math can be applied to a security team to identify a risk, provide a number of ways in which you can react, and determine mathematically the best possible response to maximize containment of this particular risk.
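As an added example of what "determine mathematically the best possible response" can look like in its simplest form (this is illustrative code, not Interset's product logic), the block below enumerates bundles of candidate responses to a suspected compromised account, discards bundles whose operational disruption exceeds a budget proportional to the risk score, and returns the bundle with the highest probability of containing the threat. The response names, containment probabilities, disruption costs and the independence assumption between responses are all constructed for illustration.

```python
"""Response optimisation: pick the set of actions that maximises the
probability of containing a risk, subject to a disruption budget that
scales with how severe the risk is. All figures are constructed."""
from itertools import combinations

# Constructed candidate responses. `contain` is the estimated probability
# that the action alone contains the threat; `disruption` is an estimated
# cost to the business (e.g. hours of lost productivity).
RESPONSES = {
    "force_password_reset": {"contain": 0.40, "disruption": 1.0},
    "revoke_sessions":      {"contain": 0.55, "disruption": 0.5},
    "isolate_host":         {"contain": 0.70, "disruption": 4.0},
    "disable_account":      {"contain": 0.90, "disruption": 6.0},
}


def combined_containment(actions, responses=RESPONSES):
    """P(at least one action contains the threat), assuming each action's
    outcome is independent of the others (a simplifying assumption)."""
    miss = 1.0
    for action in actions:
        miss *= 1.0 - responses[action]["contain"]
    return 1.0 - miss


def total_disruption(actions, responses=RESPONSES):
    """Disruption cost of applying every action in the bundle."""
    return sum(responses[action]["disruption"] for action in actions)


def best_response(risk, max_disruption, responses=RESPONSES, max_actions=2):
    """Return the bundle (up to `max_actions` actions) with the highest
    containment probability whose disruption stays within risk * max_disruption.
    `risk` is a score in [0, 1], e.g. from an anomaly-detection stage.
    Ties are broken in favour of the less disruptive bundle."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be in [0, 1]")
    budget = risk * max_disruption
    names = list(responses)
    best = None
    for size in range(1, max_actions + 1):
        for bundle in combinations(names, size):
            disruption = total_disruption(bundle, responses)
            if disruption > budget:
                continue  # too costly for a risk of this size
            contain = combined_containment(bundle, responses)
            key = (contain, -disruption)
            if best is None or key > best["key"]:
                best = {"key": key, "actions": bundle,
                        "containment": round(contain, 3),
                        "disruption": disruption, "budget": budget}
    if best is None:
        return {"actions": (), "containment": 0.0, "disruption": 0.0,
                "budget": budget}
    del best["key"]
    return best


if __name__ == "__main__":
    for risk in (0.2, 0.5, 0.9, 1.0):
        print(risk, best_response(risk, max_disruption=10.0))
```

Exhaustive enumeration is fine for a handful of actions; with many candidate actions and constraints the same problem becomes an integer program, which is the class of solvers the paragraph above alludes to. The containment and disruption estimates are the hard part in practice: they have to come from incident history and business data, and the optimiser is only as good as those inputs.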

The rapid rise and evolution of security threats make this type of response efficiency critical. We have more data today than ever before. Thankfully, we also have more compute power, better algorithms, and broader investment in research and technologies to help us make sense of this data through mathematics. By all accounts, we believe security analytics is just getting started.

Stephan Jou is Chief Technology Officer at Interset.