Palm reading, tarot cards, crystal balls, tea leaves. For thousands of years, humans have tried to predict the future with various methods and little success. Today, the desire to predict the future remains strong, but increasingly difficult to satisfy. As the pace of change accelerates exponentially, the notion of predicting the future has become even more tenuous the further out in time we go.
It's a scenario we've lived with since the first PCs were introduced: the security industry builds a response to a specific cybersecurity threat, while attackers find new ways to avoid detection. Adversaries are proactively working to understand the security solutions deployed, and shifting to less visible, less content-detectable patterns of behavior to keep their threats well concealed. With more cipher traffic, more scrambling, and more randomisation by malicious actors to make command-and-control behaviors indistinguishable from real traffic, it is now increasingly challenging for security solutions and professionals to detect such threats.
Moreover, the overall lack of visibility into today's "noisy" networks also means pervasive threats have plenty of hiding places. However, significant technological advancements now allow us to use knowledge of the past and the present to drive a desired future outcome - an extremely important capability in our quest for better security. This is especially so given today's threat landscape and the vicious cycle defenders face.
Predictive analytics is one such detection capability that is fast emerging as a means of effectively cutting through the noise. Such analytics don't necessarily mean seeing an attack before it happens, but rather helping security professionals locate unknown malware wherever it may be hiding. As predictive technologies are still in their early days, gaining a baseline understanding of the foundations upon which they are developed is a good first step to take when exploring this area.
The following questions can serve as a guide to better understanding predictive technologies:
1. How is the knowledge derived? An approach that is grounded in knowing what "normal" business activity looks like can spot unusual behavior on a network (the symptoms of an infection) through behavioral analysis and anomaly detection.
Predictive analytics enable organisations to assess the behavior of entities (host servers and users) in their network. From many smaller models and a concise representation of past behavior, a model is built and used to predict how each entity should behave in the future. Ideally, data is correlated in the cloud to enhance the speed, agility, and depth of threat detection. If an entity's actual behavior shows a significant or sustained discrepancy from the expected behavior, it is flagged for investigation.
As opposed to trying to anticipate how malware will behave in the future, modeling and predicting legitimate activity provides more effective protection against new threats in the long run.
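The behavioural baseline described above, as an added example that is not from the article or any vendor's product: each entity gets its own small model (the mean and spread of its past hourly outbound volume), and an entity is flagged only when a significant deviation is sustained over consecutive hours, so a one-off spike does not by itself trigger an investigation. The entity names, the bytes-out metric and all telemetry are constructed.

```python
# Added example (not from the article): a per-entity behavioural baseline
# with a "significant or sustained" deviation rule. Entity names, the
# outbound-bytes metric and the telemetry below are all constructed.
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_HOURS = 24  # hours 0-23 train the model; hours 24-29 are scored

# Constructed hourly telemetry: (entity, hour, megabytes sent outbound).
SAMPLE = []
for h in range(BASELINE_HOURS):
    SAMPLE.append(("db01", h, 50 + h % 3))   # stable server, 50-52 MB/h
    SAMPLE.append(("alice", h, 5 + h % 4))   # stable user, 5-8 MB/h
for h in range(BASELINE_HOURS, 30):
    SAMPLE.append(("db01", h, 500 if h == 25 else 51))  # one isolated spike
    SAMPLE.append(("alice", h, 40))                     # sustained shift


def build_baselines(records, baseline_hours=BASELINE_HOURS):
    """One small model per entity: mean and spread of its own past behaviour."""
    history = defaultdict(list)
    for entity, hour, value in records:
        if hour < baseline_hours:
            history[entity].append(value)
    return {e: (mean(v), pstdev(v)) for e, v in history.items()}


def flag_sustained(records, baselines, baseline_hours=BASELINE_HOURS,
                   z_threshold=3.0, min_run=3):
    """Flag an entity only after `min_run` consecutive hours deviate by at
    least `z_threshold` standard deviations from its own baseline.
    Returns {entity: hour at which the run was confirmed}."""
    runs = defaultdict(int)
    flagged = {}
    for entity, hour, value in sorted(records, key=lambda r: (r[0], r[1])):
        if hour < baseline_hours or entity not in baselines:
            continue
        mu, sigma = baselines[entity]
        if sigma == 0:                      # flat history: any change deviates
            z = float("inf") if value != mu else 0.0
        else:
            z = (value - mu) / sigma
        if abs(z) >= z_threshold:
            runs[entity] += 1
            if runs[entity] >= min_run and entity not in flagged:
                flagged[entity] = hour
        else:
            runs[entity] = 0                # a single spike does not accumulate
    return flagged
```

Running `flag_sustained(SAMPLE, build_baselines(SAMPLE))` flags only `alice` (confirmed at hour 26), while `db01`'s one-hour spike is reset by the normal hour that follows it.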