Report: Data Science, Machine Learning and Behavioral Analysis Help Identify New Security Threats
Automated network threat detection tools that use data science, machine
learning and behavioral analysis can work together with traditional perimeter
security methods to help organizations meet the security goals defined in the
CIS Critical Security
Controls recommendations and protect themselves from attackers, according
to a new report from the SANS
Institute.
"The
Expanding Role of Data Analytics in Threat Detection" describes how
automated threat detection tools can support traditional security methods by
monitoring performance of network traffic, CPU usage and port activity for
unique events or trends, as well as monitoring abnormal behavior of end users
and applications to identify potentially malicious activities.
In a research project sponsored by Vectra Networks, the SANS Institute found that modern cyber attacks occur in three phases,
which may take months to play out. In the first stage, attackers penetrate a
network and establish a foothold, typically through a combination of social
engineering and malware, as in the case of an e-mail phishing attack. In the
second stage, the attackers take over legitimate user credentials or create new
ones that let them escalate their privileges and move laterally within the
network. In the final phase, attackers steal intellectual property, identity
information or financial data.
"These people have patience," said Sean Michael O'Connor, assistant chief
information officer at Worcester Polytechnic
Institute. "In the past the bad guys were the kids trying to poke around
and figure out how our system works. Now it's a lot more serious. The
acquisition of our university's data is somebody else's business model. That's
how they make money. And once these people get in, they want to stay in as long
as they can to elevate their privileges and to acquire as much data as they can
about your company or about your people and then take it out. So once they're
in, identifying that they are in is crucial to making sure that you shut these
guys down before something bad happens, and before they acquire that data."
The SANS report identifies three methods of detecting network attacks. The
first and most common method is signature-based or misuse detection, which
watches for patterns of events specific to documented attacks and uses this
information to identify intrusions and viruses. However, this method can only
identify documented threats: an attack with no existing signature, including novel or modified malware, passes undetected. The second method is anomaly or behavior-based
threat detection, which creates models of normal behavior for networks,
systems, applications, end users and other devices and then looks for
deviations from those patterns of behavior. The third method is continuous
system health monitoring, which involves actively tracking the performance of
key systems to identify suspicious activity or resource usage.
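To make the difference between the first two methods concrete, here is an added example in Python; it is not code from the SANS report or from Vectra Networks' product. It runs a signature (misuse) check and a simple behavior-based check over a constructed set of outbound flow records. The host names, the indicator list and the addresses (RFC 5737 documentation ranges) are made up for the illustration. The behavior-based detector first learns, during a learning window, which destinations each host normally talks to, then flags a host contacting an unseen destination at a near-constant interval, the beaconing pattern typical of command-and-control traffic. The signature check catches only the one destination already on the indicator list.

```python
"""Signature-based versus behavior-based detection over constructed flow records.

Added illustration; not the SANS report's or Vectra Networks' code. All hosts,
addresses and the indicator list are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "documented" indicator list used by the signature method.
KNOWN_BAD_IPS = {"192.0.2.99"}


def make_flows():
    """Build constructed flow records: (minute, src_host, dst_ip, dst_port, bytes_out).

    Minutes 0-599 contain only routine traffic (the learning window). From
    minute 600 a beacon to 198.51.100.7 fires every 10 minutes with a fixed
    payload size. One flow to a listed indicator is placed inside the
    learning window so the signature method has something to find.
    """
    flows = []
    for t in range(0, 1200, 5):
        flows.append((t, "ws-42", "203.0.113.10", 443, 2000 + (t % 7) * 100))  # web traffic
        if t % 60 == 0:
            flows.append((t, "ws-42", "203.0.113.25", 25, 800))  # hourly mail relay
    flows.append((300, "ws-17", "192.0.2.99", 80, 4000))  # documented indicator
    for t in range(600, 1200, 10):
        flows.append((t, "ws-42", "198.51.100.7", 443, 512))  # beacon
    return flows


def signature_detect(flows):
    """Misuse detection: flag any flow whose destination is a documented indicator."""
    return sorted({(src, dst) for _, src, dst, _, _ in flows if dst in KNOWN_BAD_IPS})


def build_baseline(flows, learn_until):
    """Learn, per host, the set of destinations seen before minute `learn_until`."""
    baseline = defaultdict(set)
    for t, src, dst, _, _ in flows:
        if t < learn_until:
            baseline[src].add(dst)
    return baseline


def anomaly_detect(flows, baseline, learn_until, min_contacts=5, max_jitter=1.0):
    """Behavior-based detection.

    After the learning window, collect contacts from a host to destinations
    absent from its baseline. Report those with at least `min_contacts`
    contacts whose inter-arrival times vary by no more than `max_jitter`
    minutes (a near-constant period is the beaconing signal).
    """
    contacts = defaultdict(list)
    for t, src, dst, _, _ in flows:
        if t >= learn_until and dst not in baseline[src]:
            contacts[(src, dst)].append(t)
    alerts = []
    for (src, dst), times in contacts.items():
        if len(times) < min_contacts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            alerts.append({"src": src, "dst": dst, "contacts": len(times),
                           "period_min": mean(gaps)})
    return alerts


if __name__ == "__main__":
    flows = make_flows()
    print("signature hits:", signature_detect(flows))
    baseline = build_baseline(flows, learn_until=600)
    print("behavior alerts:", anomaly_detect(flows, baseline, learn_until=600))
```

Running it, the signature method reports only ws-17 talking to the listed address, while the behavior method reports ws-42 beaconing to 198.51.100.7 every 10 minutes. The beacon is invisible to the signature method because its destination is not on the list; it is invisible to the behavior method too if the learning window is extended to cover the beacon, which is why the baseline has to be built before the intrusion and re-checked rather than simply refreshed.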
The report goes on to explain how organizations can take advantage of
automated tools that use machine learning, data science and behavioral analysis
to help identify and eliminate threats that have evaded security at the
network's perimeter. "This type of new cutting edge stuff that we're looking at
is really helping us identify different things that we were missing within our
own networks," said O'Connor.
Worcester Polytechnic Institute has just completed a six-month beta test of
a security tool from Vectra
Networks that detects lateral movement within a network by comparing observed
traffic analytics against the university's baseline to identify anomalies,
according to O'Connor. Based on the success of that test, the university has
committed to implementing the system.
The Vectra Networks system has already identified numerous command and
control anomalies on the university's network. "Right there, it's worth the
price of admission, as they say, if you're going to start being able to detect
things that you wouldn't see normally," said O'Connor. "When you first put the
system in, you don't get a lot of anomalies up front because it's learning.
It's learning about your patterns, your traffic flows, all that stuff that
happens on the network and what their normal operations are. And then, maybe a
couple of weeks to a month in, you start actually getting interesting data. You
start going, 'now that's something I wouldn't have seen.' But now that we've
had it in for six months, the stuff that we're seeing is really interesting. We
wouldn't have caught that before."
"Keeping these bad guys at bay is really what we need to do, is what
everybody is trying to do," said O'Connor. "This just gives us another tool in
the arsenal that we've developed over the years to keep our institution
safe."
The SANS report, "The Expanding Role of Data Analytics in Threat
Detection," is available for download from the Vectra
Networks site.
About the Author
Leila Meyer is a technology writer based in British Columbia. She can be reached at [email protected].