You can also use the machine learning features in Splunk for more intelligent operations and monitoring, extending the analysis options Splunk is known for: for example, having your web site alert you that it is going to need more bandwidth because demand is rising, before the load causes problems. But on the security side, Maier says, “We’re concentrating on providing full solutions: detecting insider fraud, or detecting external attacks with valid credentials.”
Analytics, but also recommendations
Microsoft’s Advanced Threat Analytics tool (based on its Aorato acquisition) takes a similar machine learning approach: it learns about entities such as user accounts and devices from Active Directory, network traffic and your security information and event management (SIEM) systems, then profiles their normal behavior to perform behavioral analysis. It also detects suspicious activities and presents them in an Attack Timeline, complete with recommendations for dealing with the issue.
“We analyze all the Active Directory data, all the natural traffic going in and out of your domain controllers,” says Microsoft’s Anders Vinberg. “You can fake a lot of things but not natural traffic. We build a graph of which devices you interact with, which resources you access. We start learning normal behavior and once we have learned that, we begin alerting you.” The system also creates traps to mislead attackers.
ATA concentrates on three types of suspicious activities. The first are mistakes and misconfigurations that amount to security risks in your network. “These are security issues that make the life of an attacker much easier, like using plaintext passwords over the wire,” says Vinberg. It can also detect common attacks in real time, including the Pass-the-Ticket and Pass-the-Hash attacks commonly used to move from one system in your network to another.
The third area is where the machine learning comes in. “We detect abnormal behavior. There is always new malware, there are always new attacks … but every one of them would show up as abnormal behavior, because the account would act differently in the network from the regular user behavior,” he explains.
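The entity-profiling idea described above (learn which devices an account uses and which resources it reaches during a learning window, then alert when an account departs from that pattern) can be sketched in a few lines. This is an added illustration written for this article, not ATA’s code or Microsoft’s algorithm; the logon events are constructed sample data and the scoring rule is an assumption chosen for clarity.

```python
from collections import defaultdict

# Constructed sample logon events, not from the article: (account, source device, resource accessed).
# The first list plays the role of the learning window; the second is later traffic to evaluate.
LEARNING_EVENTS = [
    ("alice", "WS-ALICE", "FILESRV01"),
    ("alice", "WS-ALICE", "MAIL01"),
    ("bob", "WS-BOB", "FILESRV01"),
    ("bob", "WS-BOB", "SQL01"),
    ("svc-backup", "BACKUP01", "FILESRV01"),
    ("svc-backup", "BACKUP01", "SQL01"),
]
NEW_EVENTS = [
    ("alice", "WS-ALICE", "MAIL01"),      # fits alice's baseline exactly
    ("bob", "WS-BOB", "MAIL01"),          # familiar device, unfamiliar resource
    ("alice", "WS-BOB", "SQL01"),         # alice's credentials used from bob's workstation to a new resource
    ("svc-backup", "WS-ALICE", "DC01"),   # service account appearing on a user workstation, new target
    ("mallory", "WS-BOB", "DC01"),        # account never seen during learning
]

def build_baseline(events):
    """Learn, per account, the set of (device, resource) edges seen in the learning window."""
    baseline = defaultdict(set)
    for account, device, resource in events:
        baseline[account].add((device, resource))
    return dict(baseline)

def score_event(baseline, account, device, resource):
    """Assumed rule: 0 = seen before; +1 unfamiliar device, +1 unfamiliar resource; 2 = unknown account."""
    known = baseline.get(account)
    if known is None:
        return 2
    if (device, resource) in known:
        return 0
    score = 0
    if device not in {d for d, _ in known}:
        score += 1
    if resource not in {r for _, r in known}:
        score += 1
    return score

def detect_abnormal(baseline, events, threshold=2):
    """Return (account, device, resource, score) for events at or above the alert threshold."""
    alerts = []
    for account, device, resource in events:
        score = score_event(baseline, account, device, resource)
        if score >= threshold:
            alerts.append((account, device, resource, score))
    return alerts
```

With the default threshold, only the events where both the device and the resource are new to the account (or the account itself is unknown) are raised; bob’s single new resource stays below the line, which is the trade-off between alert noise and sensitivity that any learned baseline has to tune.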
You don’t have to run machine learning on your own network to get protection. In fact, cloud services like Azure AD are able to help you protect identities and user logons in ways you just can’t do within your own organization. And protecting individual users is key to keeping attackers out of your network; nearly every data breach turns out to start with legitimate credentials that have been stolen or phished. The insider threat isn’t necessarily coming from inside your company any more.
“We’re using huge machine learning systems and world class techniques to protect all the identities at Microsoft,” points out Alex Weinert, from Microsoft’s Identity, Security and Protection group. “That includes Azure Active Directory, the Microsoft account system and Skype. Because we have one of the largest mail systems in the world, we are heavily targeted. Every attack that happens will pass our door; they’ll try it against Google but they’ll try it against us as well.”