
Triaging Security Using the Network with Machine Learning and Artificial Intelligence

Steve Smith Director, Product Management Published 28 Mar 2019

When a major catastrophe happens, hospitals require emergency responders to begin prioritizing the trauma victims before they arrive at the hospital. Once at the hospital, nurses review the recommendations of all the emergency responders (since each responder may believe their own patient needs treatment sooner than the others) and re-prioritize the trauma victims. All this information is provided to the doctor, who makes the final decision on the priority list. Those in the medical field recognize this process of setting the treatment order of patients or casualties as triage.

What would happen if we could automate this function, placing the trauma patient on a smart gurney that gathers their vitals, feeds them to the receiving hospital, and prioritizes the patient for treatment based on their ailments? The benefit could be tremendous: freeing up nurses' and doctors' time to treat patients rather than to assess and prioritize them.

The smart-gurney example is analogous to an automated network. With Machine Learning (ML) and Artificial Intelligence (AI) technologies, the network could be self-provisioning, self-diagnosing, and self-healing. It would also optimize cost and power consumption, anticipate future failures, and self-configure to mitigate or avoid service impact. One of the biggest benefits would be giving the network operator more time to focus on items that require in-depth attention, rather than “fire-fighting”.

But what if we were to apply these same capabilities to security, based on what is seen in the network? The network edge is the point where an organization and its customers meet, where users engage, Internet of Things (IoT) devices connect, mobile transactions occur, and it is the first line of defense against cyber-security attacks. 

One of the best examples of the need for automated security analytics with remediation is the Target breach of 2013. According to the detailed report on the breach, the attackers first gained access to Target’s network on November 15, 2013, with a username and password stolen from Fazio Mechanical Services, a Sharpsburg, Pennsylvania-based company that specializes in providing refrigeration and HVAC systems for companies like Target. Fazio apparently had access rights to Target’s network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores.


The attackers leveraged the access provided by the Fazio credentials to move about undetected on Target’s network and upload malware programs on the company’s Point-of-Sale (POS) systems.  The hackers first tested the data-stealing malware on a small number of cash registers and then, after determining that the software worked, uploaded it to a majority of Target’s POS systems.

Between November 27 and December 15, 2013, the attackers used the malware to steal data on about 40 million debit and credit cards in the United States, Brazil, and Russia. 

Similar to the smart-gurney example, security analytics with ML- and AI-based IoT behavioral anomaly detection would, in the Target case, have detected the first change in POS behavior: the moment the attacker loaded malware onto the devices. At that point, security analytics would begin automated remediation: start a packet capture (PCAP), raise an alert, and create a trouble ticket for the devices carrying the malware. As these devices tried to exfiltrate data, security analytics would detect that second change in behavior and begin automated remediation that quarantines every device exhibiting the exfiltration.

Security analysts are tasked with deciphering the security alerts raised by the network. This is a tedious task, and it requires them to dedicate their time to the alerts that have the highest priority based on the logs they receive. Depending on the information provided to the security analyst, they may detect the problem much later in the breach cycle. Security analytics with automated remediation removes that burden from the security analyst by prioritizing the alerts, gathering the necessary data, and using automated remediation to stop the breach. Security analytics allows the security analyst more time to focus on items that require in-depth attention, rather than “fire-fighting,” while helping contain the onset of a breach.
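The two-stage response described for the POS devices (capture, alert and ticket on the first deviation from baseline; quarantine once exfiltration-like traffic appears) and the severity-ordered alert queue handed to the analyst can be sketched in a few dozen lines. The following is an added illustration, not code from the original post or from any vendor product: `PosMonitor`, `Flow`, the `INTERNAL_NETS` ranges, the egress-spike ratio and all flow records are constructed for the example, and the remediation steps return the action names rather than calling a real capture, ticketing or NAC system.

```python
"""Added example (not from the original post): a toy behavioural-baseline
monitor for point-of-sale (POS) devices with tiered automated response and
severity-ordered alert triage. All devices, addresses, thresholds and flow
records below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: address ranges treated as "inside the store network".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    device: str     # POS identifier
    dst_ip: str     # destination address
    dst_port: int
    bytes_out: int  # bytes sent by the POS in this flow


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


class PosMonitor:
    """Learns each device's normal peers and outbound volume, scores later flows
    against that baseline, and applies a tiered automated response."""

    def __init__(self, egress_ratio: float = 5.0):
        self.egress_ratio = egress_ratio            # spike = this many times the baseline max
        self.peers = defaultdict(set)               # device -> {(ip, port)} seen while learning
        self.max_bytes = defaultdict(int)           # device -> largest bytes_out seen while learning
        self.state = defaultdict(lambda: "normal")  # device -> normal | suspect | quarantined
        self.alerts = []                            # every alert raised, for the analyst queue

    def learn(self, flows):
        """Build the per-device baseline from a window assumed to be clean."""
        for f in flows:
            self.peers[f.device].add((f.dst_ip, f.dst_port))
            self.max_bytes[f.device] = max(self.max_bytes[f.device], f.bytes_out)

    def assess(self, f: Flow):
        """Return (severity, reason); severity 0 means the flow matches the baseline."""
        new_peer = (f.dst_ip, f.dst_port) not in self.peers[f.device]
        spike = f.bytes_out > self.egress_ratio * max(self.max_bytes[f.device], 1)
        if new_peer and spike and is_external(f.dst_ip):
            return 3, "large transfer to an unseen external host (exfiltration-like)"
        if new_peer:
            return 2, "connection to a peer outside the baseline"
        if spike:
            return 1, "outbound volume above baseline"
        return 0, "baseline"

    def respond(self, f: Flow):
        """Score one flow and return the list of automated actions taken."""
        if self.state[f.device] == "quarantined":
            return ["drop"]                         # already isolated: nothing new to do
        severity, reason = self.assess(f)
        if severity == 0:
            return []
        self.alerts.append({"severity": severity, "device": f.device,
                            "dst": f"{f.dst_ip}:{f.dst_port}", "reason": reason})
        if severity == 3:
            self.state[f.device] = "quarantined"
            return ["quarantine", "alert", "ticket"]
        if severity == 2:
            self.state[f.device] = "suspect"
            return ["start_pcap", "alert", "ticket"]  # first deviation: collect evidence, open a case
        return ["alert"]

    def triage_queue(self):
        """Alerts ordered for the analyst: highest severity first, then by device."""
        return sorted(self.alerts, key=lambda a: (-a["severity"], a["device"]))


# Constructed sample traffic: a learning window of normal payment-gateway and DNS
# flows, then a live window in which one POS starts behaving differently.
BASELINE = [
    Flow("pos-01", "10.0.0.5", 443, 2000), Flow("pos-01", "10.0.0.9", 53, 120),
    Flow("pos-02", "10.0.0.5", 443, 1800), Flow("pos-02", "10.0.0.9", 53, 120),
]
LIVE = [
    Flow("pos-01", "10.0.0.5", 443, 2100),        # normal
    Flow("pos-01", "10.0.0.7", 445, 1500),        # new internal peer: first deviation
    Flow("pos-01", "198.51.100.20", 443, 60000),  # large transfer to an unseen external host
    Flow("pos-01", "198.51.100.20", 443, 60000),  # device already quarantined
    Flow("pos-02", "10.0.0.5", 443, 15000),       # known peer, unusual volume
]


def run_demo():
    """Replay the constructed windows; returns (actions per live flow, triage queue)."""
    mon = PosMonitor()
    mon.learn(BASELINE)
    actions = [mon.respond(f) for f in LIVE]
    return actions, mon.triage_queue()


if __name__ == "__main__":
    acts, queue = run_demo()
    for f, a in zip(LIVE, acts):
        print(f"{f.device} -> {f.dst_ip}:{f.dst_port} {f.bytes_out}B: {a or 'ok'}")
    for alert in queue:
        print(f"[sev {alert['severity']}] {alert['device']} {alert['dst']} {alert['reason']}")
```

Two design points carry over to a real deployment. The first deviation (a new peer, even an internal one) is treated as evidence-gathering, not containment, because a false quarantine of a working register has a business cost; containment is reserved for the combination of signals (unseen host, external, volume spike) that matches exfiltration. And the analyst never sees raw flows, only the sorted queue, which is the prioritization step the text describes.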
