Sponsored By

Enhanced analytical capabilities will help organizations better understand how attacks will unfold, and how to stop them in their earliest stages.

Vincent Weafer

April 15, 2015

3 Min Read

Prediction is as old as humankind, as we’ve search for clues to the future. Big data, computer models, and sophisticated algorithms have brought us much closer to accurately predicting things such as actuarial tables, inventory levels, and financial behavior. These tools help with pricing, manufacturing, and application approvals. Advanced analytics can also help security analysts understand the probable path of an attack and enable faster actions to contain or even stop it before it becomes a serious threat.

Security officers already bear some responsibility to predict threats, which affects budget, purchase, and staffing decisions. They use available information on today’s threats to prepare for tomorrow’s, on a broad scale. But how do you predict and respond to a single serious attack amid all of the day-to-day noise in a way that is actionable and sustainable?

Effective prediction requires a large amount of data from a range of activities, including normal behavior, historical events, and third-party intelligence. The bad news is that the sheer volume of security data we are collecting is already overloading the ability of human analysts to interpret. The good news is that this is exactly what predictive analytics needs to crunch through and present in an actionable format.

To use a simple example, you have data from a historical attack that used several IP addresses and domains. Those addresses are already flagged as malicious, but you investigate and find that there are another 200 domains with the same owners. Adding those domains to the watch list gives you an early warning that, if any of them is being accessed from your network, you are probably seeing the beginnings of a new attack.

This example is admittedly simple, and there are significant barriers to overcome before predictive security analytics becomes commonplace. The ability to distinguish between suspicious and malicious, to determine if someone has a weapon and is not merely loitering outside, requires more context about the data. Where did this information come from? How old is it? Why was it marked malicious? A threat intelligence exchange model can provide this much-needed context, sharing threat information in real-time among partners, other companies in the industry, security vendors, and government agencies.

Incomplete Alerts

Even with context, the alerts from predictive analytics are still going to be incomplete. They are not going to deliver the same certainty as matching a malware signature or known bad IP address. What they will do is provide enough probable cause for protective actions to start earlier, before you have all the details of the attack.

Is the market ready for these tools? Not quite. Most customers I meet with are so busy with collecting data for compliance and regulatory use cases that predictive analytics are an aspirational goal. But these organizations are slowly building the foundation needed for prediction by increasing integration and automation of their security forces. These foundational abilities include real-time hunting, prioritization, and scoping of security incidents seen in their environments. Blocking decisions are being made automatically, based on policies and increasingly detailed profiles of normal and abnormal behavior. And we continue to work with our industry partners to respond to rapidly changing and evolving attack patterns with tools that are smart, integrated, and adaptive.

Enhanced analytical capabilities will help those on the front lines better understand how attacks will unfold, and stop these strikes in their earliest stages.

About the Author(s)

Vincent Weafer

Senior Vice President, Intel Security

Vincent Weafer is Senior Vice President of Intel Security, managing more than 350 researchers across 30 countries. He's also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent's team is dedicated to advancing the research and intelligence gathering capabilities required to provide the latest protection solutions in malware, host and network intrusion, email, vulnerability, regulatory compliance, and web security.

Vincent has an extensive range of experience gained over 25 years in the information technology industry, including 11 years as the leader of Symantec's Security Response team. He is also a highly regarded speaker on Internet security threats and trends, with coverage in national and international press and broadcast media. He has been invited to testify on multiple government committees including the States Senate Committee on the Judiciary hearing on Combating Cyber Crime and Identify Theft in the Digital Age in April 2010, the United States Sentencing Commission's Public Hearing on Identity Theft and Restitution Act of 2008 in March 2009, and the United States Senate Committee on Commerce, Science, and Transportation on Impact and Policy Implications of Spyware onConsumers and Businesses in June 2008. In addition he has presented at many international conferences and was a committee member of the IEEE Industry Connections Study Group (ICSG) 2009-2010, and has also co-authored a book on Internet Security.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights