Applying Machine Learning to Threat Detection
Breaking down the differences between the math-led and security-led paradigms and explaining why security-led ML provides optimal results for security teams.
Mathematics-Driven Machine Learning: a Flawed Approach to Threat Detection
In the math-led paradigm, data scientists use basic statistics and generic algorithms to identify outliers and new patterns. By combining these statistics, security researchers develop multiple statistical rules. When a new statistic is needed, the same approach is used to create it. However, this generic approach can lead to sub-optimal performance, so additional filters are added to address any detection issues.
Let's use a real-life scenario to illustrate how we can identify a command-and-control channel. Our data science team can analyze the frequency of external domains and determine how rare they are. Then, it's up to the security research team to set a threshold for identifying a C2 channel. If a large number of domains used by IoT devices are above this rarity threshold, we would need to apply a suppression filter to ignore all IoT devices. We can also apply additional suppression filters to user agents, subnets, and other attributes, as needed, to reduce the number of alerts to a manageable level. It's important to note that while this approach has its advantages, it also carries the risk of blocking an attacker's evasion technique, so we must be cautious.
Security-focused Machine Learning: Maximizing Coverage with Minimal Noise for Threat Detection.
The security-led approach is a highly effective method for solving security problems. Instead of solely focusing on specific tools or exploits, security researchers define the problem by looking at a broad range of attacker methods. They then collaborate with data scientists to find the best algorithm for identifying those methods. This approach goes beyond simply detecting anomalies and directly targets the attacker methods themselves.
Not only does the security-led approach lead to better performance in terms of recall and precision, but it also proves to be resilient against changes in attacker tools. This means that security teams can operate more efficiently with fewer detection types. Whenever a new attacker method emerges, the security-led process kicks in, and a new detection method is created.
While this approach may require some additional development time, it is worth it because attacker methods tend to change slowly and coexist with older, already covered methods. This makes the security-led approach a reliable and effective strategy for threat detection.
Vectra has spent more than 10 years researching and developing a cutting-edge technology called Attack Signal Intelligence™. Unlike other approaches, Vectra's AI analyzes and prioritizes the most critical threats tailored to each individual customer's environment.
Vectra AI's ML-Powered Threat Detection Platform
Threat detection with confidence and context
Alert in real-time on attacker methods in action, using advanced ML algorithms ranging from deep learning neural networks to hierarchical clustering.
Unified threat correlation and prioritization across your hosts and accounts
AI finds and prioritize threats across your business and attributes active attacks to joint cloud and network accounts, host machines and IAM users.
Efficiency: Reduce time, cost, and complexity
- Reduce SIEM costs and maintenance
- Automate everyday manual tasks
- Optimize existing EDR, SOAR and ITSM
Stop attackers in their tracks with targeted native response capabilities
Automated and on-demand orchestration isolates compromised hosts, disables attacker-controlled accounts, and pauses infected cloud workloads without operational impact or downtime.