The Rise of Predictive Threat Detection
By Dr. Christine Izuakor - July 30, 2019
Once upon a time, threat detection was based on delayed and reactive notifications associated with rudimentary alerting processes: A system failed, a database of your customer information was found for sale on the dark web, an employee admits to wrongdoing, and more. Addressing these threats was a completely reactive process. Today, we have systems generating tons of information on systems and users that can now be used in combination with artificial intelligence to predict what threats are potentially coming. These technological advancements within the cyber security space, are driving a critical shift from antiquated and reactive threat detection to modern predictive threat detection.
How has threat detection evolved?
Initially, threats were detected based on the realization and aftermath of a problem. Once something failed, an alarm went off, and finally, the monitoring technology knew something was wrong. This approach alerted staff far too late to adequately mitigate the damage that could stem from a cyber attack or potential data breach. The industry eventually began to mature in this space by embracing automation and creating signature-based methods for detecting attacks. Essentially, instead of waiting for something really bad to impact the organization, companies-built lists of what could be considered an adverse event and then assigned an identifying signature. Companies could then “proactively” check for those items in the environment before real damage could be done. This was the start in the shift from reactive threat detection to somewhat of a proactive threat detection approach.
It’s important to note that there is a difference between proactive and predictive threat detection. Proactive threat detection was a step in the right direction, but still was not enough to address continually maturing cyber attackers. The signature-based methods presented several challenges - the most significant being that the effectiveness of the technology was completely dependent on how up to date the signatures were. In order to work, consistent, near-immediate, and frequent additions of attack signatures were required. This made it difficult to account for zero-day attacks in which a signature has not yet been assigned and deployed across the tools.
Attackers would take advantage of the fact that this approach is unable to detect an attack that has never been seen before in the past. Even when attacks were discovered, they could slightly modify their content in order to evade known threat signatures and slip under traditional threat detection radars.
What is predictive threat detection?
According to a Converge tech report, predictive analytics can discover a data breach before it happens. Comparing the concept to a radar that shows the enemy approaching, the capabilities delivered by this technology can show companies when and where attacks may occur. Using this information, organizations then have time to ring alarms, deploy defense mechanisms, and even prepare for war against hackers instead of just waiting for a breach to happen.
The cyber security industry saw extreme value in not only identifying threats before they became a problem but also in making intelligent predictions about what might happen before the threat becomes active. This is a process that is nearly impossible to manage by human beings alone and is often compared to finding a needle in a haystack. For example, employee sentiment can be evaluated based on a series of aggregate behaviors such as exporting raw data, online job application activity, key job-hunting words in emails, and more. Using this insight, the technology can predict potential resignations, data theft, and other undesirable activities.
What value can predictive threat detection provide?
Thanks to this evolution, not only are companies able to predict threats before they become a problem, but they also cut down investigation times when it matters the most. When an incident or attack occurs, AI-based solutions can more quickly and accurately answer questions that can sometimes take weeks or months for a human being to uncover and understand. These advanced investigation tools can help organizations understand who, what, when, where, and possibly even why a breach happened. By mining a variety of data sources, including prior alerts, network traffic information, asset inventories, security logging data, and other relevant points - clusters, associations, and patterns can be discovered. Those are then shared with human investigators who can leverage the insight to make informed decisions. These advantages can also apply to the incident response process. Artificial intelligence-based techniques, such as knowledge engineering and case-based reasoning, can be used to create incident response playbooks that dynamically help incident responders navigate actions required in the event of an incident. By considering prior events and codified insight from cyber professionals, the technology can modify or generate new branches in the central playbook as it learns from new incidents.
What are some challenges associated with predictive threat detection?
One challenge companies are facing with predictive threat detection is that this is still an evolving and maturing space, and tools that can provide such capabilities reliably are limited. While many vendors are currently researching how to deliver on these capabilities, Veriato has already been recognized as a company to watch in this space based on its advancements in intelligent monitoring technology.
Another challenge is that cyber attackers also create attack methods that are based on artificial intelligence. There is a concern that as we leverage AI and work to predict threats, the cyber attackers will continually leverage the same artificial intelligence technology to adapt their attacks and dynamically circumvent detection methods.
Relying on reactive threat detection is no longer an acceptable cyber security strategy. Threats continue to advance and evolve, and in response, companies must do a better job of not just proactively identifying threats – but increasing the ability to predict what will happen next.