The sheer volume of potential threats to your networks and systems today is mind-boggling. The number of fairly innocent interactions that can cause huge issues down the road dulls the senses and creates a potential problem for SecOps teams. How can humans possibly keep track of it all?
Worse yet, when we do find something and close those holes we open ourselves up to even more nefarious infection and attack vectors. It’s easy to be floored by things like OILRIG DNS Tunneling or UEFI-level malware attacks because they sound so fantastic that we can’t comprehend them. But now that we know about them, the nefarious actors have to become even more creative to avoid our systems. The next amazing attack won’t come from a vector that we’re expecting at all. How can we defend against something we can’t even imagine?
Intelligence From Interactions
I had a chance to talk to Gilad Peleg, CEO of SecBI, during Black Hat 2019 this past August. Gilad and I talked a bit about the problem above. The volume of innocent-looking but technically sophisticated attacks has accelerated in recent months. We’re not just dealing with script kiddies launching attacks and trying to knock our servers offline. Instead, SecOps teams are fighting an ongoing battle against bad actors that want to penetrate the perimeter of the network and persist over months, gathering information and exfiltrating it for unknown purposes. The “fun” of hacking has been replaced by the cold hard truth of business and crime.
Mr. Peleg told me all about how SecBI is trying to stem that tide with a little help from machine learning (ML). ML is a huge buzzword in the security space thanks to the idea that computers can magically make any SecOps team more useful and clairvoyant. However, that’s not entirely the case with modern ML systems. There are two distinct ways that modern ML operates.
Machine learning systems often default to supervised mode. Supervised ML systems need people to label data to provide context for the learning algorithms. The most common example of this is an ML algorithm that is trained to detect faces, which is the “Hello World” for nascent ML platforms. You tell the system what a nose looks like and what an eyeball looks like and then feed it a database full of faces and turn it loose. The platform runs and then starts figuring out the difference between a lamppost and a face and soon enough can figure out if a face is on a poster or person.
Supervised ML systems are great if you know exactly what you’re looking for. If you have a specific pattern you’re trying to match you’ll be up and running in no time. But what if you don’t know what you’re trying to find? The problem with modern attack vectors is that you can’t always figure out the pattern you’re trying to search for!
SecBI uses unsupervised machine learning instead. Unsupervised ML doesn’t use tagging of attributes to look for patterns. Instead, it uses things like cluster analysis and density-based grouping to discern patterns in data. Rather than telling the system what a face looks like, you feed it a whole bunch of faces and ask the system to figure out where the patterns are with regard to the common data. Then, the platform uses unsupervised learning and comes back with what it thinks are the answers. Unsupervised systems are where you start getting fun little data points like Pop-Tarts sales volume increasing over seven times ahead of hurricanes. You wouldn’t know to look for that data point, so it takes unsupervised algorithms to find it for you.
ML In Practice
Using this unsupervised approach, SecBI starts teasing out the important data points that might otherwise get buried in the noise of your SecOps platform. For example, it may see a suspicious-looking email enter the system and make a note. Then, the outbound web proxy blocks a connection to a known-bad site from the system where the user who received the email is logged in. Normally, the SecOps teams would say “job well done” to the proxy and move on. But SecBI knows that these two events are somehow related and could cause issues down the road. The data inferences drawn from the ML engine are too important not to do something about.
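The grouping described above, shown as an added example that is not SecBI’s algorithm or code from the original post: a minimal density-based clustering (DBSCAN) pass over constructed events that links the flagged email and the proxy block for the same user without any labels. The event tuples, the 30-minute window and the function names are assumptions made for illustration.

```python
import math

# Constructed sample events (not real logs): (minute, user, sensor, detail)
EVENTS = [
    (100, "bob",   "proxy", "allowed news.example"),
    (110, "bob",   "proxy", "allowed intranet.example"),
    (600, "alice", "email", "attachment flagged suspicious"),
    (612, "alice", "proxy", "blocked known-bad site"),
    (900, "carol", "email", "attachment flagged suspicious"),
]

def distance(a, b):
    """Minutes apart for the same user; different users are infinitely far."""
    return abs(a[0] - b[0]) if a[1] == b[1] else math.inf

def dbscan(points, eps, min_pts):
    """Minimal DBSCAN: one label per point, -1 meaning noise."""
    labels = [None] * len(points)
    def neighbours(i):
        return [j for j in range(len(points))
                if distance(points[i], points[j]) <= eps]
    cluster = -1
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = neighbours(i)
        if len(seeds) < min_pts:
            labels[i] = -1  # too sparse: noise unless a core point claims it
            continue
        cluster += 1
        labels[i] = cluster
        queue = [j for j in seeds if j != i]
        while queue:
            j = queue.pop()
            if labels[j] is None:  # unvisited: expand if it is a core point
                nj = neighbours(j)
                if len(nj) >= min_pts:
                    queue.extend(nj)
            if labels[j] in (None, -1):
                labels[j] = cluster
    return labels

def cross_sensor_incidents(events, eps=30, min_pts=2):
    """Dense groups of events that involve more than one sensor."""
    labels = dbscan(events, eps, min_pts)
    groups = {}
    for event, label in zip(events, labels):
        if label != -1:
            groups.setdefault(label, []).append(event)
    return [g for g in groups.values() if len({e[2] for e in g}) > 1]
```

Bob’s two proxy hits also form a dense group, but only the group that spans the email and proxy sensors is returned for review.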
That’s where SecBI can go into action to help your SecOps teams. SecBI can integrate with a variety of Security Operations Center (SOC) tools to help augment the response. Want to push a policy down to a Palo Alto edge firewall? Done. Push the data from your investigations in Splunk for a more Security Orchestration, Automation, and Response (SOAR) type of solution? Easily done. They even integrate with tools like Cylance and CrowdStrike to reach out and clean the junk off the endpoint so you don’t have to worry about it infecting anything else on the network.
All of this runs in the cloud or on-prem for those that need those capabilities. It’s all licensed by the amount of data that you feed it, so you consume only what you need to. But what about companies that don’t want to own this whole thing and would rather have someone feeding the data into their SIEM or SOAR solution? That’s where SecBI is embracing the model of the Managed Security Service Providers (MSSPs). SecBI has an MSSP offering so you can partner with someone to do all the heavy lifting and give you the benefits of SecBI’s expertise for a monthly line item on your SecOps OpEx budget.
Bringing It All Together
SecBI is leveraging machine learning for something actually useful. I’m one of the biggest cynics when it comes to “sprinkling” ML on everything in an effort to attract venture capital investors. Unless ML actually has an impact on what the product does, I’m more likely to laugh and find the holes in your solution. But thanks to my talk with Mr. Peleg at Black Hat, I can see that SecBI is doing some very interesting things in the security space to make life easy for SecOps teams. I look forward to seeing more successes from their team.
For more information about SecBI and their machine learning and MSSP offerings, make sure you check out their website at https://www.secbi.com