How to Augment Security Operations Centers with AI
Vectra® enables enterprises to immediately detect and respond to cyber-attacks across cloud, data center, IT and IoT networks. As the leader in network detection and response (NDR), Vectra uses AI to empower the enterprise SOC to automate threat discovery, prioritization, hunting and response. Vectra is Security that thinks™.
Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response” published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak
“The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
Also note that the bias of CSPs is different from that of their customers. In rolling out new services, CSPs who develop those services are judged by the adoption of the service.
In making decisions on the default security posture of a new service, CSPs will generally remove barriers to make customer deployments easier, rather than add security controls which might also slow down its adoption by customers.
Platform as a service (PaaS) provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.
– Wikipedia
Does your security product try to solve all problems with a single, monolithic algorithm or approach? This usually results in too many detections deemed worthy of further scrutiny and is unlikely to provide context or information as to why that activity was flagged in the first place.
Example: If a security product only performs anomaly detection with unsupervised machine learning, it will flag anything outside the realm of normal activity as being malicious. Maybe a connection was made on a port that hasn’t been observed frequently or maybe a user logged in at an irregular hour.
Are either of these detections necessarily malicious? No.
Will your time be wasted if your security product believes that anything anomalous is malicious? Most definitely.
Now these SaaS applications can be accessed from anywhere and elements of endpoint detection and response (EDR) and maybe a cloud access security broker (CASB) are expected to recreate the safety of old.
Software as a service (SaaS) is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally located.
– Wikipedia
For this reason, the network will continue to be a critical part of any detection and response capability. It provides the richest and most useful point for organization-wide visibility to any kind of device that communicates with any other device, from cloud workloads to IoT devices.
SaaS has been broadly adopted as organizations realize that it allows them to bring up new applications literally overnight and never have to worry about software upgrades, backups and other mundane support tasks.
That said, most SaaS applications were originally deployed in a manner that only allowed access to employees who were physically working in the office or remote employees connected via VPN.
So logically, these SaaS applications could only be accessed via the organization’s network, thus providing the illusion that they were surrounded by that network and protected by the policies that governed the perimeter of that network.
Slowly but surely, the constraints inherent in that model eroded. The adoption of mobile-to-cloud and zero trust, already a trend entering 2020, has now been kicked into overdrive by remote working in response to the pandemic.
The network offers the single biggest gain in visibility in the IT environment.
Monday 7th October
by John Smith
Cybersecurity vendors today purport to help security professionals detect malicious activity inside their networks. But upon closer inspection, these vendors might be drawing your attention to areas that are unnecessary and wasteful.
What should a security professional look for in a security product with machine learning and AI? Here are a few very useful questions to ask:
What questions should you ask a vendor to find out if they provide meaningful AI?
Meaningful AI for Security
Education Guide
Clarifying Question 1
The benefit of meaningful AI from Vectra
Time is the most important factor in detecting network breaches. To protect key assets from being stolen or damaged, cyberattackers must be detected in real time.
Done right, AI-powered security solutions can operate 24/7 and automate much of the work of a Tier-1 analyst, allowing for fewer and lower-cost SOC personnel while significantly cutting the time to detect and remediate threats.
Automated cyberattack detection is central to Cognito Detect. Our approach is based on applying the most authoritative source of data – traffic from cloud, data center, IoT, and enterprise networks.
Using behavioral detection algorithms to analyze metadata from captured packets, Cognito Detect reveals hidden and unknown attackers in real time, whether traffic is encrypted or not.
By providing real-time attack visibility and non-stop automated threat hunting that’s powered by always-learning behavioral models, Cognito Detect enables SOCs to cut cybercriminal dwell times and speed up response times.
Does a security product use machine learning and AI to detect, cluster, classify and make predictions that would not have been possible by humans alone?
Do the machine learning and AI in a security product make predictions and classifications that actually reduce human intervention and analysis?
Proper evaluation and validation are required by potential customers. But in general, these criteria will only be met if the machine learning and AI that go into a product are built for the problems at hand.
Such a product must be able to:
• Identify the fundamental traits that threats have in common
• Identify what is normal and abnormal in the local network
• Connect events to reveal the larger attack narratives
What is needed is a rich AI toolkit that combines supervised and unsupervised machine learning models with deep learning technology. This provides broader coverage, faster detection, and security that goes beyond human capacity.
Figure: from noise and alert fatigue to intelligent prioritization.
Triage: Detections automatically correlated to pinpoint physical hosts at the center of an attack
Cognito Detect integrates with enforcement and incident response platforms:
• SIEM
• Incident response
• Firewall
• Endpoint
• NAC
The goal is to go from noise to focusing on the alerts that reveal the real threats.
If a security product fails to work properly, sorting through volumes of irrelevant and non-malicious events will draw a security professional’s attention away from critical in-progress threats.
Clarifying Question 2
Here’s another question: Is a security product built by a team with the expertise and understanding of the algorithms they use and knowledge about the types of problems for which those algorithms are best suited?
Example: If a detection type relies on inputs that are inherently temporal or sequential – such as when detecting malicious activity depends on something that occurred many steps in the past – is the vendor using Bayesian methods that ignore that temporal history?
If a security product uses deep learning methods like recurrent neural networks (RNNs) and long short-term memory (LSTM), does the vendor have the expertise to know how and when to run these models properly?
In the former case, a security product will fail to recognize and detect certain types of activity.
And in the latter, the power of techniques like deep learning algorithms can be lost on a team without the experience to understand them.