Cybersecurity incidents are among the greatest concerns of businesses, government agencies, and private citizens today. In the modern world, protecting our data and information assets is nearly as important as maintaining the security of our physical assets. It should not be surprising, then, that data analytics play a key role in cybersecurity. Analytics and machine intelligence, a field concerned with producing machines able to autonomously perform tasks that would normally require human intelligence, can drive an organization from reactive to proactive when coupled with organizational change. This capability enables organizations of all types to move from simply measuring signals (data), to creating sentinels (machine learning algorithms), and then moving ahead to sense-making (actionable machine intelligence).
Extracting meaningful signals from mountains of data
The quantity and complexity of digital network information has skyrocketed in recent years due to the explosion of internet-connected devices, the rise of operational technologies (OT), and the growth of an interconnected global economy. With exponentially multiplying mountains of human- and machine-generated cybersecurity data, the ability to extract meaningful signals about potentially nefarious activities, and ultimately deter those activities, has become increasingly complex.
In other domains, such as marketing and e-commerce, businesses have been able to effectively apply data mining to create customer “journeys” in order to predict and recommend content or products to the end user. However, within cybersecurity operations, the ability to map the journey of an analyst or an adversary is inherently complex due to the dynamic nature of computer networks, the sophistication of adversaries, and the pervasiveness of technical and human factors that expose network vulnerabilities. Despite these challenges, there is hope for making meaningful progress. E-commerce marketing and cyber operations share one significant factor—the primary actor is a human being, whose interests, intents, motivations, and goals often manifest through their actions, behaviors, and other digital breadcrumbs.
Instrumenting advanced analytics for improved defenses
For modern cybersecurity operations to be effective, it’s necessary for organizations to monitor diverse data streams to identify strong activity signals. This includes monitoring network traffic data to find well-known patterns of common adversary activities, such as data exfiltration or beaconing. While these detection techniques are critical to cybersecurity operations, it is imperative to leverage such signals to predict future activities. Further capabilities could even be created to modify the behavior of the actor (or analyst) to the benefit of the organization and mission. This could include systems on networks that are trained to autonomously take action, such as blocking access to resources or redirecting traffic, based on a predicted behavior.
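As an added example (not code from the original post), the following Python sketches the kind of "strong activity signal" the paragraph refers to: it scans constructed flow records for beaconing (one host contacting the same destination at near-constant intervals, measured as a low coefficient of variation of the inter-connection gaps) and for bulk outbound transfer suggestive of exfiltration. The flow records, IP addresses and thresholds are all assumptions; in practice the thresholds would be tuned against an environment's own baseline.

```python
"""Beacon and bulk-exfiltration candidate detection over flow records.

Added example, not code from the original post. The flow records below are
constructed for illustration; the thresholds are assumptions to tune per site.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, bytes_out).
# Deliberately unordered so that the detector has to sort per pair.
SAMPLE_FLOWS = [
    # 10.0.0.5 reaches 203.0.113.7 about every 60 s with tiny payloads (beacon-like)
    (1700000240, "10.0.0.5", "203.0.113.7", 512),
    (1700000000, "10.0.0.5", "203.0.113.7", 512),
    (1700000121, "10.0.0.5", "203.0.113.7", 512),
    (1700000060, "10.0.0.5", "203.0.113.7", 512),
    (1700000360, "10.0.0.5", "203.0.113.7", 512),
    (1700000180, "10.0.0.5", "203.0.113.7", 512),
    (1700000420, "10.0.0.5", "203.0.113.7", 512),
    (1700000302, "10.0.0.5", "203.0.113.7", 512),
    # 10.0.0.8 browses 198.51.100.3 at irregular, human-looking intervals (benign)
    (1700000005, "10.0.0.8", "198.51.100.3", 1500),
    (1700000017, "10.0.0.8", "198.51.100.3", 1500),
    (1700000250, "10.0.0.8", "198.51.100.3", 1500),
    (1700000261, "10.0.0.8", "198.51.100.3", 1500),
    (1700000900, "10.0.0.8", "198.51.100.3", 1500),
    (1700001500, "10.0.0.8", "198.51.100.3", 1500),
    (1700001503, "10.0.0.8", "198.51.100.3", 1500),
    # 10.0.0.9 pushes three large transfers to 203.0.113.9 (exfiltration-like)
    (1700000700, "10.0.0.9", "203.0.113.9", 40_000_000),
    (1700000820, "10.0.0.9", "203.0.113.9", 35_000_000),
    (1700001100, "10.0.0.9", "203.0.113.9", 50_000_000),
]


def _group_by_pair(flows):
    """Bucket (timestamp, bytes_out) records by (src, dst) pair."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        pairs[(src, dst)].append((ts, nbytes))
    return pairs


def beacon_candidates(flows, min_connections=6, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs whose connection
    timing is regular enough to look like a beacon.

    cv is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections; a machine on a timer produces a
    small cv, human activity a large one. Pairs with fewer than
    min_connections are skipped because too few gaps give a meaningless cv.
    """
    results = []
    for (src, dst), records in _group_by_pair(flows).items():
        if len(records) < min_connections:
            continue
        times = sorted(ts for ts, _ in records)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:  # all connections in the same second: not a timer pattern
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(results)


def exfil_candidates(flows, min_bytes=100_000_000):
    """Return (src, dst, total_bytes_out) for pairs whose cumulative outbound
    volume crosses min_bytes (assumed threshold; tune to the site's baseline)."""
    results = []
    for (src, dst), records in _group_by_pair(flows).items():
        total = sum(nbytes for _, nbytes in records)
        if total >= min_bytes:
            results.append((src, dst, total))
    return sorted(results)


if __name__ == "__main__":
    for src, dst, gap, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"beacon candidate: {src} -> {dst} every ~{gap}s (cv={cv})")
    for src, dst, total in exfil_candidates(SAMPLE_FLOWS):
        print(f"exfil candidate: {src} -> {dst} sent {total} bytes")
```

Both detectors produce candidates, not verdicts: a regular interval also describes software update checks and monitoring agents, so the output belongs in a triage queue (or, as the next paragraphs describe, as a feature for a predictive model) rather than an automatic block list.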
Modern attackers are too agile and creative for organizations to rely on passive descriptive analytics or reactive diagnostic techniques for protection. Rather, building an ability to forecast future outcomes through predictive analytics that utilize prior knowledge of events, particularly the precursor signals evident before an attack, is a proactive measure. Operations centers can use machine learning models to build predictive analytics that guide defensive actions to prevent the event from occurring, or to neutralize its consequences. Examples of predictive approaches include active risk scoring methodologies, or using emerging trends data from cybersecurity incident reporting services to predict new attacks. By modeling patterns in data, it is possible to generate early warning signals in live network data that provide valuable lead time to mitigate vulnerabilities and stop a compromise before it occurs.
The next step up the analytics ladder is prescriptive analytics, which is the ability to map out what could be done to change a previously predicted undesired outcome. Fusing multiple data sources provides insight into what motivations, treatments, or conditions can be set proactively to move the user (i.e., analyst, threat actor) onto a new, more optimal trajectory that minimizes risk of compromise. Since the human actor is the common feature in most use cases, it is unsurprising that the application of human behavioral sciences should be a common approach for prescriptive analytics. Data are being collected everywhere in nearly every human interaction, and insights gleaned from digitally monitored behaviors of threat actors can be used to gain the upper hand. This capability includes steering an actor away from sensitive assets and enabling offensive actions to deter current and future incidents.
Finally, the emerging field of cognitive analytics, which conceptually simulates human thought processes, considers all data streams (e.g., cyber network, social networks, global events, and any other contextual data) to see the big picture and gain understanding of the right action to take at the right time in the right place. This ability may seem like a nebulous concept, but it is achievable with the data most organizations already have on hand or can easily access. Generating the “360 view” of a situation changes the game by prompting new questions: What would a threat actor do in these circumstances? Where would a threat actor likely attack? Who is likely to be involved? How will they react to our defenses or countermeasures? Given a set of global events, what would a potential cyber actor be motivated to accomplish next? The real dramatic difference between early-stage descriptive analytics and mature-level cognitive analytics is this: in the former, the analytics are applied to answer prescribed, known questions; in the latter, the analytics are applied to generate new, unknown questions.
While each of these technical capabilities will be a game changer for most organizations that invest in them, many groups will be unable to get to the starting line. An organization lacking a modern culture, job roles, leadership functions, and processes will cause most machine intelligence implementations to fall short of expectations. This may seem like a grim outlook, but it’s critical to develop an ecosystem that can nurture advanced analytical capabilities and ensure their success.
Organizational requirements for embracing machine intelligence
The structure and function of an organization are equally as important to the success of machine intelligence as the technology itself. A strong, flexible organization can turbocharge analytical capabilities by giving staff the freedom to innovate and the support required to operationalize analytics.
Foremost, organizations should build a culture of experimentation with democratized access to data. Data science shouldn’t be limited to research teams, but rather should be pervasive in an organization to enable more data-driven decision-making. To build such a culture, organizations should begin at the top by placing senior technical leadership in positions to steer the integration of machine intelligence capabilities into the enterprise, and institutionalize job roles focused on infusing it throughout the organization. Leadership should empower groups to gain insights and take action from analytics; the best analytics are those that build equity from the whole team, including cybersecurity experts, software developers, and data scientists.
Next, the organization needs to create opportunities for technologists, scientists, and engineers to have fun in the pursuit of creating high-end capabilities that make an impact on the cybersecurity posture. This includes sponsoring events like hackathons and competitions, where domain experts can interface directly with data scientists to quickly churn out new concepts. Pairing such events with recognition, rewards, and financial incentives (and free pizza) will instill a sense of pride and caring about the impact on the institution. Talented personnel with the right skills to build “the right” machine intelligence capabilities are tough to find, so putting in the time to attract and retain those individuals is key to an organization’s success.
Lastly, organizations must apply concepts and processes that work well in other domains, and they must embrace an agile mindset. A fail-fast (i.e., learn-fast) environment will help to build iterative and incremental models that start small and mature over time. Rather than spending months or years building a monumental algorithm, project leaders should set short-term attainable objectives such as a minimum viable product (MVP) at each stage of development, then build proofs of value (POV). This approach will allow for incremental impacts to be made to cybersecurity quickly, rather than waiting a long time for some monolithic product that is already outdated when it finally gets integrated into the environment.
Many organizations might be hesitant to embrace machine intelligence as a core tenet of their business or mission operations. Organizations can start by automating routine tasks; this will free up time for subject matter experts and technical staff to focus on higher-order thinking and building advanced capabilities. From there, utilizing readily available data sets, they will be able to integrate well-known technologies as a foundation to build machine learning applications. A vast amount of research and experimental data is available for organizations to jumpstart a machine intelligence-driven approach to cybersecurity. Teams can compile use cases based on current cybersecurity challenges, and identify gaps in data collection and technology, creating a roadmap for the organization to direct capability development activities.
Ultimately, by integrating machine intelligence into cybersecurity business and mission operations, organizations will move past the frustrations that come with continually reacting to fait accompli infiltrations. They will advance to the satisfaction of achieving proactive insights and sense-making across a complex landscape, and thereby get ahead of cyber threat actors.
This post is part of a collaboration between O'Reilly and Booz Allen Hamilton. See our statement of editorial independence.