Breaches on the Rise
The Equifax security breach was among the worst ever in terms of the number of people affected and the type of information exposed. Information such as names, SSNs, birth dates and addresses is considered the Holy Grail of personal data, because it allows attackers to gain access to anyone’s personal, financial, and health records.
While frequent security breaches have brought enough anxiety to corporate America, it’s the complexity of managing cybersecurity and addressing unanswered questions that really has enterprises nervous.
To succeed in preventing such breaches, cybersecurity analysts not only have to be highly knowledgeable about networking fundamentals but also extremely analytical at identifying patterns. Likewise, analysts have to be equally strong at incident response and handling, as well as at resolving and communicating incidents.
Relying on manual analysis in an increasingly complex world of ever more inventive breaches is no longer an option for the successful detection of security incidents. This leaves several unanswered questions in a world where digital transformation keeps expanding the data footprint.
How will companies handle vast amounts of data spanning institutions, jurisdictions, and regulations, many of which extend beyond international boundaries? Is there an efficient framework to handle rapidly evolving information spanning these entities? Can there be a way to automate resolving entities across expansive and disconnected datasets?
Tougher Than 2017
Many of the largest and most damaging cyberattacks have been state-sponsored and carried out by teams with an entire government’s resources at their disposal. Attacks from private entities and individuals have also grown, especially on social engines.
The rapid expansion in the volume and variety of security alerts, combined with over-reliance on labor-intensive analysis, has further complicated the cybersecurity landscape, as organizations continue to follow the paradigm of building threat detection programs on top of existing tools. The resulting patchwork either hinders growth or leads to a talent shortfall for organizations that are barely keeping up with their markets while depending on manual processes.
Let’s consider the case of an analyst working through the definition of a regulation and its verbal interpretation to build a new access control. Constrained by human limitations, she has to account for all the other preexisting rule-sets that must be satisfied as part of implementing the control in question.
For instance, when writing a universal set of 800 controls, with each having 30 different security and regulatory frameworks to follow, a security analyst could be attempting to oversee as many as 20,000 relationships on any given day.
As a result, whenever net-new rules are launched, security consulting firms are invariably called upon to map the rules into the client’s Governance, Risk and Compliance (GRC) database, making sure the new relationships have been appropriately established while the prevailing ones are not affected.
This is an enormously manual task requiring more work than coding, as it takes significant expertise to map relationships in the right way. Overwhelmed by data and by the multiplicity of relationships, this effort quickly becomes a major expense item on a corporate balance sheet.
More time is consumed processing large numbers of PDF documents containing regulation definitions to ensure that current security controls are not overlooked when mapping new ones. This leads us to envision a technology framework that can automatically extract entities and relationships, store them in a graph database without forgetting any controls, and recommend actionable remediation that goes beyond compliance checks and reporting.
Moreover, the technology should be self-servicing and scalable, so that security analysts can adopt it without investing time and resources in learning a new approach. Let’s evaluate a framework that makes use of such a technology in combination with machine learning.
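To make the mapping problem concrete, here is an added example (not from the original article or any GRC product) of a toy control-to-framework graph. It stores the control/framework relationships the analyst otherwise tracks by hand, reports which existing controls must be re-checked when a net-new rule is mapped, and verifies that no prevailing relationship was lost in the process. Control and framework labels are a constructed sample.

```python
"""Toy GRC mapping graph: security controls <-> regulatory frameworks.

Added example, not the article's own code. Node labels and edges below
are a constructed sample, not a real GRC database.
"""
from collections import defaultdict


class ControlGraph:
    """Bipartite graph: each control is linked to the frameworks it satisfies."""

    def __init__(self):
        self.satisfies = defaultdict(set)    # control   -> {framework}
        self.required_by = defaultdict(set)  # framework -> {control}

    def add_mapping(self, control, framework):
        self.satisfies[control].add(framework)
        self.required_by[framework].add(control)

    def relationship_count(self):
        """Number of control->framework edges an analyst has to track."""
        return sum(len(fws) for fws in self.satisfies.values())

    def snapshot(self):
        """Frozen copy of every edge, taken before a change is applied."""
        return {(c, f) for c, fws in self.satisfies.items() for f in fws}

    def overlapping_controls(self, control):
        """Existing controls that share a framework with `control`:
        the ones that must be re-checked after `control` changes."""
        related = set()
        for fw in self.satisfies[control]:
            related |= self.required_by[fw]
        related.discard(control)
        return related

    def map_new_rule(self, control, frameworks):
        """Map a net-new rule; return (controls to re-check, edges lost)."""
        before = self.snapshot()
        for fw in frameworks:
            self.add_mapping(control, fw)
        lost = before - self.snapshot()  # must be empty: prevailing edges untouched
        return self.overlapping_controls(control), lost


def build_sample_graph():
    # Constructed sample: three existing controls across three frameworks.
    g = ControlGraph()
    g.add_mapping("AC-2 Account Management", "NIST 800-53")
    g.add_mapping("AC-2 Account Management", "ISO 27001")
    g.add_mapping("PR.AC-1 Identities", "NIST CSF")
    g.add_mapping("A.9.2 User Access", "ISO 27001")
    return g
```

Calling `build_sample_graph().map_new_rule("AC-6 Least Privilege", ["NIST 800-53", "ISO 27001"])` returns the two existing controls that share those frameworks and an empty set of lost edges, which is the check a consultant performs by hand today.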
Single Security Learning Framework
According to an experiment by Vinay Kumar and Barathi Ganesh, a Deep Neural Network (DNN) outperformed a supervised machine learning model (XGBoost) on incident detection and fraud detection, scoring 1.00 to 0.997 and 0.972 to 0.916 respectively.
Based on this outcome and the known benefits of a Single View architecture, such as self-servicing and massive document-based item extraction, a Cyber Entity Rendering System can help address complexity, interpretation, scale, and cost. In fact, all new enterprise security detection solutions leverage deep neural learning, and had done so for some time before it was categorized as such; in the security industry it goes by the name “anomaly detection.”
The figure below shows an example where a graph stores every Infosec/network parameter and structure, along with its relationship and supplies extracted meta-info parameters into a Neural Network for detecting an outcome of 0 (benign) or 1 (malicious) with significant probability scores.
To further validate this, let’s consider another experiment, performed by Acalvio Technologies, to detect obfuscated PowerShell scripts. Findings from this project revealed that a DNN outperformed other models, such as Random Forest and Logistic Regression, in terms of precision and recall.
While a DNN by itself is transformational, it’s the idea of using a graph database to feed the DNN that produces the best possible security and operational outcome for an organization. This form of Single Security Learning Framework saves a significant amount of time and value otherwise spent on data assimilation, meta-info extraction, and the burden of figuring out the best machine learning approach for threat detection.
2020 and Beyond
It is imperative to incorporate graph technologies and neural networks into the cybersecurity field in order to keep pace with the rapidly changing threats organizations face. In terms of controlling the data footprint, companies gain the ability to scale their business without having to worry about the impact of the cyber regulatory influx on their day-to-day operations.
Enterprises carrying the DNA of innovation, with a modern data architecture and machine learning, are best positioned to meet business demands in a security-tranquil environment unencumbered by regulations, competition and growth.
I thank Samuel Cure, CISSP, Chief Information Security Officer at AdvisoryCloud for his valuable contribution to this article.