Lots of security vendors talk about integrating innovative techniques using Artificial Intelligence. In cybersecurity, this often boils down to supervised or unsupervised anomaly detection of measures attributes. However, in many cases there is a big gap between the identification of anomalies and transforming them into actionable data.

December 27, 2019

No Comments

There are lots of buzzwords floating around cybersecurity: machine learning, artificial intelligence, supervised and unsupervised learning … In many cases these advanced technologies are based on anomaly detection. This makes a lot of sense since it’s hard - even impossible - to anticipate an attacker’s behavior. Also, in many cases there is not enough classified data to distinguish between benign and malicious events.

How Is Anomaly Detection Used in Cybersecurity?

Various behavioral anomaly detection techniques are used in almost every aspect of cybersecurity. For example, anomaly detection is extensively used in UEBA (User and Entity Behavioral Analytics), NTA (Network Traffic Anomaly), Endpoint operational anomalies etc. An anomaly can mean things like : “Too many failed logins” in UEBA, “A lot of traffic sent from A to B” (where typically it sends much less) in NTA, a process that executes another process that looks like a statistical anomaly in endpoint protection etc.

Anomalies can be strong indicators of malicious activity but, in many cases, anomalies can be triggered by unexpected but legitimate actions. While anomalies are a powerfully tool for threat-hunting they might be a burden on SOC analysts who are focused on addressing threats as part of their incident response.

Since there is a significant cost associated with false positive alerts, due to the time needed to investigate them, we should be very careful when flagging anomalies as security alerts in SOC. While some security devices do a great job of filtering out false positives, many simply dump all or many anomalies in the laps of security analysts for further investigation.

How Can SIEM Platforms Help Separate Valuable Anomalies From Noise?

When combining multiple sources of anomalies and other security signals such as alerts from IDS, EDR, mail security or any other product, the challenge is to automatically find the connections and merge those events into actionable information. Such information must separate the high-risk incidents from the noise. SIEMs that attempt to do so need to also show the evidence and provide analysts with the root-cause and the potential flow of an attack. This saves valuable time in the deeper investigation that will require the forensics data typically stored in the SIEM.

For example, consider an indication of network anomaly where host A sent a lot of data to host B, when typically they do not communicate. This may be an indication of data exfiltration, but it can also be the result of various legitimate scenarios (e.g. unexpected but legitimate file sharing). If following this event there is an indication that node B scanned the network, or there is indication that files were encrypted at an unusual rate, this should raise the severity of the security incident. If other indications are available for the entities involved, such as IDS alerts, of node A or B, this would strengthen the case that all these singular events together tell a truly high-risk attack “story.”

This automatic fusion of anomalies and other events must be a key feature in the next generation of SIEMs that will direct SOC teams to deal with high severity alerts, rather than investigate loads of anomalies.

Haim Zlatokrilov Ph.D. is VP Products at empow. Prior to empow, Haim served as Director of Cyber Defense Technology at the Israeli Cyber Directorate. He holds a PhD in Computer Science from Tel Aviv University.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Anomaly Detection in SOC – Friend or Foe?

How Is Anomaly Detection Used in Cybersecurity?

How Can SIEM Platforms Help Separate Valuable Anomalies From Noise?

Related Articles

Report Abusive Comment