It’s not always easy to know when you’re under attack, or when your security has already been breached. If you’re capable of detecting a breach, you might find it in as few as 10 days, but survey after survey finds that breaches that are detected by someone outside the business typically take over 100 days to find.
For one thing, between ecommerce, company websites, email, mobile users and overseas divisions, your company is doing business 24/7; however, your IT security team probably works business hours. That’s one way 60 percent of attackers are able to compromise an organization in minutes, according to Verizon’s 2015 Data Breach Investigations Report. But only a third of businesses can detect a breach within a few days.
In Cisco’s 2016 Annual Security Report, less than half of the businesses interviewed were confident about detecting the scope of a network compromise and cleaning up after it. Hackers routinely use automation – from distributed denial of service attacks run over botnets to exploit kits that help them change malware – so their attacks are harder to detect.
Can machine learning help you detect attacks more quickly and deal with them faster?
There are some ambitious projects using machine learning. Deep Instinct is trying to use deep learning to map how malware behaves, so its appliances can detect attacks in real time, reliably enough to replace a firewall. More realistically, perhaps, Splunk is adding machine learning to its log analysis system to use behavioral analytics to detect attacks and breaches.
“Most organizations lack visibility; if you can’t see it, you can’t protect it. We can detect outliers,” explains Splunk’s Matthias Maier. “We summarize similar users who have similar behavior and then we show that, and if there’s an outlier who has always behaved similarly but is now behaving differently? That’s an anomaly you want to look at.”
Splunk can analyze users, computers, IP addresses, data files and applications for unusual behavior, and you don’t need to hire machine learning experts. “We [do] a lot of this right out of the box,” says Maier. “Most organizations don’t have the capability to develop this on their own.” Early adopters include John Lewis and Armani’s retail stores.
Just detecting anomalies can still leave you with a lot of data to look at. A large organization could see thousands of anomalies a day, so Splunk uses further analysis to keep that manageable. Maier expects the tool to surface five or 10 threats a day, in enough detail to make it clear what’s happening (avoiding the problem where noisy or overly complex alerting systems are ignored when they find a real breach).
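The peer-group outlier logic Maier describes, as an added illustration that is not Splunk's code: a user is flagged only when today's activity departs from both their own history and what their peer group did that day, which keeps consistently heavy users and group-wide spikes out of the alert queue. The daily counts, group labels and thresholds are constructed for the example.

```python
"""Peer-group behavioral anomaly detection over constructed daily audit counts.

Event = (day, user, peer_group, files_accessed). A user is flagged for a day when
the count rises well above their own earlier days AND above what their peer group
did that same day, so a user who has always been heavy, or a group-wide spike
(everyone in engineering pulling files on release day), is not flagged.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample: six baseline days with mild day-to-day variation, then day 7.
USERS = [("alice", "finance", 40), ("bob", "finance", 200), ("carol", "finance", 40),
         ("dan", "finance", 42), ("dave", "eng", 120), ("erin", "eng", 110),
         ("frank", "eng", 115)]
EVENTS = [(day, u, g, base + 5 * (day % 3)) for day in range(1, 7) for u, g, base in USERS]
EVENTS += [(7, "alice", "finance", 44), (7, "bob", "finance", 206),   # bob: heavy but usual
           (7, "carol", "finance", 900),                              # carol: sudden bulk access
           (7, "dan", "finance", 46), (7, "dave", "eng", 300),        # eng: group-wide spike
           (7, "erin", "eng", 290), (7, "frank", "eng", 310)]

def zscore(value, history):
    """Standard score of value against a user's history; 0 when history is too short or flat."""
    if len(history) < 2:
        return 0.0
    sd = pstdev(history)
    return 0.0 if sd == 0 else (value - mean(history)) / sd

def detect_outliers(events, day, own_threshold=3.0, peer_ratio=5.0):
    """Return {user: (own_z, ratio_to_peer_median)} for users anomalous on `day`
    against both their own earlier days and their peer group's activity on `day`."""
    history, today = defaultdict(list), {}
    for d, user, grp, n in events:
        if d < day:
            history[user].append(n)
        elif d == day:
            today[user] = (grp, n)
    flagged = {}
    for user, (grp, n) in today.items():
        own_z = zscore(n, history[user])
        peers = [m for u, (g, m) in today.items() if g == grp and u != user]
        # Without peers, own history alone decides; guard against an all-zero peer group.
        ratio = n / max(median(peers), 1) if peers else float("inf")
        if own_z >= own_threshold and ratio >= peer_ratio:
            flagged[user] = (round(own_z, 1), round(ratio, 1))
    return flagged

if __name__ == "__main__":
    for user, (own_z, ratio) in detect_outliers(EVENTS, day=7).items():
        print(f"{user}: {own_z}x own spread, {ratio}x peer median")
```

On day 7 only carol is surfaced; bob's high but steady volume and engineering's collective jump are suppressed by the two-sided check.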
“We have the full picture on the ‘kill chain’ [of the attack]. We provide a security organization with the information, from the compromise point – when did the attacker come in, what was the initial attack vector, when did they expand in this environment, what other files or servers or user accounts did they connect to? – and then the exfiltration phase when they were sending data out … From all these anomalies and individual data points, we create a full picture and present it in a way that every security analyst can understand.”