FEATURE: REAL-TIME DETECTION

FILLING THE VOID

Dave Palmer, Director of Technology at Darktrace, explains the advantages of machine learning and probabilistic mathematics for real-time threat detection.
Traditionally, cyber security has rested on two pillars. At one end of the spectrum are the tools that prevent known attacks at network borders or on devices, and at the other are the incident response toolkits for handling post-crisis events, including the clean-up. Until now there was an obvious void between them: how best to deal with threat actors who are already active and undetected inside the network, and, critically, to do so before they can inflict significant damage, including theft of data.

Today's sharp rise in both the volume and sophistication of attacks has exposed the shortcomings of only being able to identify previously known attack software or attack techniques. Our businesses are not becoming less complex, nor are digital attacks going to become less attractive to criminals. We need to respond with new approaches.

There has been much buzz about machine learning and AI and their transformative potential for cyber defence. The reality, however, is that enabling computers to perform thoughtful tasks is an incredibly difficult objective.

To be able to detect and remediate emerging threats, the self-learning algorithms that power machine learning should work on all types of networks, including cloud, internet-connected devices and critical infrastructure. Crucially, to detect the most deadly and subtle threats, the machine has to recalculate probabilities and recalibrate its understanding of what it considers normal in real time. It is one thing to achieve that in a controlled environment, but the true test is the technology's ability to continually learn and adapt in a live and increasingly messy enterprise network.

Learning a detailed understanding of 'self' and being able to recognise the 'alien' is how our biological immune systems operate, handling the daily incidents of problems that slip past our protective skin. Inspired by this, the Enterprise Immune System is a fundamentally different approach to cyber security: it does not attempt to predefine tomorrow's attacks, nor does it try to predefine how roles or systems should operate. Instead, the AI algorithms use a wide variety of techniques to understand the detailed and complex pattern of life of every user and device in the network. From here we can evolve a baseline of what is normal for each element by considering all of their complex relationships.

A further layer of probabilistic mathematics is added to enable the machine to decide which types of machine learning to rely on at any given moment, and for each particular context. Recursive Bayesian Estimation is a novel implementation of Bayesian mathematics which constantly revisits its assumptions in the face of evolving evidence. Whenever it is presented with new facts, the technology can change its mind about previous decisions, much like a human security professional. This ability to look at long-running patterns enables the machine to detect and take action against subtle, early signs of an in-progress attack before any damage can be done.

For example, in the face of a ransomware infection, this immune system approach would recognise parts of the behaviour of a laptop's file accesses as abnormal and immediately isolate just that specific threat to corporate data, whilst leaving normal business operations unaffected and allowing the user to continue to work within their normal pattern of life, using email, the internet and so on. This buys the security team time to respond on their own terms, rather than being driven by the criminals.
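The recursive Bayesian estimation described above and the ransomware file-access example, worked through as an added illustration that is not Darktrace's code: a toy per-device baseline for file accesses per minute, kept as a Gamma-Poisson belief that is re-scored and then updated with a forgetting factor after every minute, so a one-minute encryption burst is flagged while a sustained legitimate change in workload is first flagged and then absorbed into "normal". The decay, threshold and warm-up values and the sample streams are constructed assumptions.

```python
import math

# Added example, not Darktrace's code: one device's "pattern of life" for a single
# metric (file accesses per minute) held as a Gamma(alpha, beta) belief about the
# device's Poisson rate and revised recursively with each new minute of evidence.

def nb_log_pmf(k, alpha, beta):
    # Posterior predictive of the next count is negative binomial (Gamma-Poisson mixture).
    return (math.lgamma(k + alpha) - math.lgamma(alpha) - math.lgamma(k + 1)
            + alpha * math.log(beta / (beta + 1.0)) - k * math.log(beta + 1.0))

def tail_probability(k, alpha, beta):
    # P(K >= k): how surprising a count at least this large is under the current belief.
    cdf = sum(math.exp(nb_log_pmf(j, alpha, beta)) for j in range(k))
    return max(0.0, 1.0 - cdf)

class DeviceBaseline:
    def __init__(self, decay=0.95, threshold=1e-4, warmup=10):
        self.alpha, self.beta = 1.0, 1.0   # deliberately vague starting belief
        self.decay, self.threshold, self.warmup = decay, threshold, warmup
        self.seen = 0

    def expected_rate(self):
        return self.alpha / self.beta

    def observe(self, count):
        """Score one minute against the baseline, then fold it into the baseline."""
        surprise = tail_probability(count, self.alpha, self.beta)
        anomalous = self.seen >= self.warmup and surprise < self.threshold
        # Recursive Bayesian update with forgetting: older evidence is discounted so
        # the notion of "normal" keeps recalibrating as the device's behaviour drifts.
        self.alpha = self.decay * self.alpha + count
        self.beta = self.decay * self.beta + 1.0
        self.seen += 1
        return anomalous, surprise

def score_stream(counts, **kw):
    # Returns one anomaly flag per minute of the stream.
    baseline = DeviceBaseline(**kw)
    return [baseline.observe(c)[0] for c in counts]

# Constructed sample streams (file accesses per minute for one laptop).
QUIET = [18, 22, 20, 19, 21, 17, 23, 20, 18, 22, 21, 19, 20, 22, 18, 20, 23, 19, 21, 20]
RANSOMWARE_BURST = QUIET + [900] + [20, 19, 21]   # one minute of mass encryption
WORKLOAD_SHIFT = QUIET + [60] * 15                # legitimate, sustained change

if __name__ == "__main__":
    for name, stream in [("burst", RANSOMWARE_BURST), ("shift", WORKLOAD_SHIFT)]:
        flags = score_stream(stream)
        print(name, "flagged minutes:", [i for i, f in enumerate(flags) if f])
```

Only counts above the baseline are scored as surprising here; a real deployment would watch many metrics per device and score drops as well as spikes.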
Whereas previously threat actors could navigate the network mostly undisturbed, machine learning has enabled real-time detection and remediation of in-progress attacks. Diverse attacks against biometric scanners, videoconferencing systems, production data centres and major manufacturing units have been revealed by companies using this immune system approach.

Incidents are inevitable in the current era, but crises can be prevented.

Network Computing, July/August 2017. WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards