In defending their networks, security professionals regularly deal with the fog of war: the scarcity of data about events in their systems and networks leaves analysts and operators in the dark as to whether business systems have been breached.
As security systems collect an increasing amount of data, however, companies face the opposite dilemma: the volume of information leaves security professionals hard-pressed to identify actual attacks. Rather than a lack of signal, analysts looking for attacks are inundated with noise.
Yet, a combination of data analytics and computer science, known as cognitive computing, could provide a solution. A step up from machine learning and a step down from artificial intelligence, cognitive-computing systems are good at recognizing the patterns that humans miss. In fact, cognitive computing seems perfectly suited to delving into the large data sets continuously produced by network hardware and information systems to find signs of security incidents, says Grady Summers, senior vice president of cloud analytics for FireEye, a security technology and services company.
"Cognitive computing will come of age in security," says Summers. "Marketers talk about big data and using cognitive computing on five billion points of data. We have to laugh, because we do that volume of data in less than an hour."
Cognitive computing vaulted to fame when IBM's Watson supercomputer defeated two Jeopardy champions in 2011 by combining natural language processing and machine learning to understand the answers and come up with the appropriate questions—Jeopardy's signature game play. With the increasing need for companies to process vast amounts of data, other companies have released their own systems. HP, for example, has created its Haven analytics platform for big data that uses cognitive computing technology.
Cognitive computing makes sense for security and vice versa
Yet, companies still need to be convinced that cognitive computing makes business sense. Security may be one of the slam-dunk applications, says Nir Polak, CEO of data analytics firm Exabeam.
As companies deploy security technology designed to continuously monitor their network, systems, and data, the chance that an attack won't leave evidence is increasingly slim. But companies need to close the gap between the time an attacker infiltrates their network and when they respond to the compromise. In its latest Data Breach Investigations Report, Verizon found that nearly 80 percent of attackers compromised their targets within days, while only about a third of companies detected the attacks during the same time frame.
"Because of the sophistication of the attacks and the ability of the attacker to avoid defenses, we need more data to detect the attacks," says Polak. "But the time to respond needs to be shorter, and with so many indicators, you don't have enough humans to take action."
When a criminal group compromised retail giant Target, for example, the company's systems reportedly detected the attack, but analysts didn't spot the alerts. With the push for the collection of more data and the continuous monitoring of more systems, the volume of data will only increase. In addition, the Internet of Things promises an explosion of new devices, and that means even more data.
"If you think about it, the Internet of things is a large sensor system," says Eric Little, chief scientist for Modus Operandi, a data-analytics company with applications in cybersecurity. "If you look where we live in the defense space, you are dealing with fusing information from all these sensors and sources."
Finding attacks requires more than rules
Today, most systems use human-created rules to find and flag anomalies, such as when people in two different geographic locations attempt to log in to a system. More complex security intelligence systems will attempt to combine a wide variety of events—such as a privileged user logging in from another country to access valuable data—to gauge risk.
According to Summer, the problem is that current systems don't reduce the volume of data from the hundreds of thousands of daily events to high-value alerts—on the contrary, they feed more data into their security systems and require faster responses to deal with security incidents. The average large enterprise generates more than 12,000 security events per second, nearly a billion events every day, according to FireEye data. Human security analysts, who typically handle 20 to 25 alerts per day, can't process the data at that rate.
"Where we are seeing customers struggle is more on the triage side, and that's where we will see cognitive computing really take off," Summers says. "The problem is how can we automate the work of the analyst post-hit?"
Automation can help, but delivering better data to human analysts is not enough. Instead, systems that can adapt to changes in attack patterns will be necessary. In addition, security systems have to deal with a greater variety of data, much of it unstructured. The ability of a system to understand context can often mean the difference between flagging an incident and losing an attack in the noise.
"You are in an area where the data variety is very, very high," says Modus Operandi's Little. "The data can be very incomplete. There can be problems with trust and provenance."
The company has created a system that, when applied to cybersecurity, identifies the normal "pattern of life" for an employee or company to understand when a potentially compromised system is acting suspiciously.
Replacing the lower-level analysts
Such systems could replace the lowest-level analysts—the least experienced workers who initially investigate an alert to determine if it needs to be escalated to more technical analysts. While automation has resulted in significant savings and cost benefits, data-analytics systems that only act on rules written by humans will likely be too slow in the future, and delivering those results to be triaged by a human analyst will only slow down the process.
Summers, for example, argues that in three years, expert systems incorporating machine learning and analytics will do more of the work of lower-level analysts. Yet others don't think the technology is ready, despite its promise.
"I would like to automate every single one of my analysts and reverse engineers, but I can't—the technology does not exist," says Zachary Hanif, director of applied data science at Novetta, a threat intelligence firm.
Instead, companies should focus on the basics, such as making sure they're collecting enough data, properly configuring their systems, and reducing the false positives and noise. "There is so much that can be done with what we have that we don't even need machine learning techniques," he said.
In the end, while cognitive computing holds a great deal of promise and is well suited to sift through the massive flow of data needed to detect security incidents, business leaders will need to be convinced that the technology can work effectively.
Image source: Flickr
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
