Security Embraces Advanced Analytics and Machine Learning

The security threat landscape continues to evolve not just in scale, but, more importantly, in sophistication. Despite a range of advancements in the industry to safeguard against increasingly bold and intricate threats, organizations have struggled to keep pace with the technologies and techniques employed by those responsible for such attacks.

As companies continue to increase their digital footprints, “identify and diagnose” capabilities are not enough to remediate against a growing fundamental business challenge for organizations of all shapes and sizes.

We spoke with Avivah Litan, vice president and distinguished analyst at Gartner, about the development of advanced security analytics and important considerations for organizations looking to implement machine learning to defend against an array of internal and external security threats.

How are analytics and machine learning changing the current security landscape?

Advanced analytics have been included in fraud detection applications for more than 20 years, when credit card systems started using neural networks to detect fraud. In sharp contrast, advanced analytics using machine learning have been lacking in the world of enterprise security until the past few years, when organizations realized their current security systems were unable to mitigate the ambush of breaches.

The solutions available today are generally limited to descriptive and diagnostic analytic capabilities that require manual human intervention. They are unable to effectively respond to the growth in big data, particularly unstructured and hybrid datasets.

To accommodate the relative shortcomings of security information and event management (SIEM) products that offer broad-scope rule-based security monitoring, there has been a surge in products that provide advanced analytics around user behavior and other entities, such as endpoints, networks and applications or user and entity behavior analytics (UEBA). Together, UEBA and SIEM solutions can more effectively detect and manage threats across discrete networks and applications.

“ The important thing to remember is that sophisticated criminals will find a way to use social engineering to circumvent even the most sophisticated advanced analytic security systems.”

How will advances in analytics and machine learning impact the security market moving forward?

We have yet to see packaged prescriptive analytics offerings that automatically address and remediate detected threats, and we don’t foresee these coming to the market in earnest until 2018. The types of data ingested by analytics packages are becoming more complex, evolving from structured to hybrid data containing text, objects and things. The market is evolving to offer packaged applications employing predictive and prescriptive analytics.

We expect UEBA functionalities to be incorporated into at least 50 percent of major SIEM vendor solutions by 2018, while 25 percent of security products used for detection will have some form of machine learning built in. Perhaps the greatest achievement will come in the form of prescriptive analytics deployed in UEBA products. We anticipate at least 10 percent will be in a position to effectively automate incidence response by 2018, up from zero today.

What are your recommendations to security managers looking to insulate their organizations from potentially crippling cyberattacks?

The important thing to remember is that sophisticated criminals will find a way to use social engineering to circumvent even the most sophisticated advanced analytic security systems. Just as hackers managed to circumvent advanced fraud analytic systems in the banking world through social engineering tactics, so too must we expect that they will employ such workarounds in the enterprise security arena.

Organizations should focus on specific use cases for security and threat monitoring in order to determine the optimal advanced analytics product. Ideally, the selected vendor for your targeted use case can get up and running (with initial test results) within a few weeks. While the goal of packaged analytics is to reduce the amount of worker-hours spent on monitoring, your staff should also be in a position to effectively manage the outputs from the systems and know how they integrate with pre-existing security monitoring applications.