AI Business recently did an interview with LightCyber’s Executive Vice President, Jason Matlof about how they use machine learning to detect hackers prior to an attack.
Founded by cyber warfare experts, LightCyber is established to help security analysts answer the question: Would you know if an active attack was underway in your network? According to LightCyber’s Website : “their new approach to cyber security is a result to growing volumes of data breaches that confirm that it is impossible to prevent 100% of intrusion attempts towards ones network. The result is Magna, a new Behavioural Attack Detection platform developed with the recognition that targeted attackers can circumvent legacy threat prevention systems, and then operate with unfettered access to network resources – what we call the Breach Detection Gap. Magna provides accurate and efficient security visibility into advanced or targeted attacks, insider threats, and malware that have circumvented traditional security controls”.
Jason Matlof starts the interview with explaining why the data breach problem might seem difficult to solve, and why this may no longer be the case:
”The difficulty has primarily been in terms of re-orienting the approach to security. For the past 20 years, security has been about preventing attacks with a presumption that prevention could be comprehensively accomplished. While prevention is still necessary, practitioners must recognise that it is no longer sufficient. Organisations must acknowledge that motivated attackers will find a way into their networks. The new challenge is to detect an active attacker quickly before theft or damage to assets can occur”, Matlof says.
He believes the next major step will be to realise that the 20-year-old approach to security is not efficient enough in terms of detecting attackers.
”This “known bad” security model is based on statically-defined attributes, such as signatures, hashes, domains or a list of software behaviours—these things are geared to malware, but not very useful in finding attacker activity”, Matlof explains.
According to Matlof there is a much more effective technical approach where you profile all users and devices on a network so that you can detect meaningful attack anomalies. If you know where, and how to look for these, they can be identified, Matlof explains.
”So how does LightCyber use machine learning to solve the problem?”
We use unsupervised machine learning in our Magna appliance deployed directly in a customer’s network. With machine learning, we continually learn behavioural profiles of all users and IP-connected devices on the network to establish a rolling baseline of known good behaviour. As we are constantly updating the behavioural model, we are able to detect the anomalies and then determine if an anomaly is likely indicative of an attack. By focusing only on actual behaviours allows us to achieve a very high degree of accuracy while keeping the total number of alerts to a small, manageable number”, Matlof states.
As there are numerous companies turning to the assistance of machine learning, AI Business was curious to know how LightCyber’s use of this type of AI differs makes it unique?
“We have designed our Magna platform as a packaged solution that is fully automated – requiring no configuration, no policy creation, no external storage, and no algorithm tuning. It delivers anomalous attack alerts that are straightforward and meaningful. We don’t need to send the output of our machine learning to a staff of data scientists located in some remote centre to properly interpret what is going on. Our system is designed to be easily used by the customer’s security operations or IT team”.
LigthCyber does not only answer the “what”, but the “why”, too, Matlof explains:
“Another unique aspect is that besides the “what” we add the “why.” In other words, instead of just creating an alert, we provide the context of why it was flagged. We make it easy to see that it wasn’t just one anomalous event that triggered a response—instead it was the event in the context of what else Magna saw. This is essentially a “wood for the trees” kind of insight that understands not just a single odd-looking tree but is also cognisant of the other trees that have a peculiarity. The approach ensures greater accuracy and also provides automated research to make a security operator much more efficient and effective”.
As data is a crucial factor for the overall value that machine learning can bring, LightCyber have realised that it is essential that the system is able to detect operational activities of a potential network attacker.
“The best evidence of an active attacker comes from the network-based reconnaissance and lateral movement activities that an attacker must perform once they land in an unfamiliar network. Think about it; when an attacker gains access to a network, they need to learn about the network, find vulnerabilities and resources they can exploit and locate the assets. They also need to move from their initial foothold to a place where they can gain control of the assets. These operations involve lots of network activities, and there are numerous “signals” to observe if you are in the right place. Having access to full network traffic to and from the data centres and between computers is critical. To gain even greater accuracy and actionability, we use an agentless, on-demand technology to interrogate clients and associate a process on an endpoint with the particular network activity”, Matlof explains.
AI Business was curious to know the response from Magna’s users, particularly IT-and security professionals and how they experience applying the programme in their networks.
Matlof explains that what has stood out the most to Magna’s users is the level of visibility that the platform provides. “The reaction is basically, “I was essentially blind to network activities, but now I can see what’s going on for the first time”, Matlof says when quoting their customer reviews.
He believes the reason why they are positively surprised is that in contrast to other programmes, with Magna they can see the attacker activities and the ‘rogue insiders’. It allows the users insight to the viewing users that are unknowingly compromising the security of the company, such as risky behaviour and even malware that ‘slips between the cracks’ Matlof explains.
“The other common reaction is something along the lines of, “Magna hits me in the face with what I need to focus on”—the real threats and issues. One Silicon Valley company used almost those exact words when describing their experience. In addition, a healthcare organisation talked about the power of knowing whether or not there was an attacker in their network”.
“What are some of the main issues impeding the effectiveness of security organisations?”
One of the main problems is the institutional inertia around an exclusively threat-prevention oriented security model and the naïve hope that it will keep all attackers out all of the time. Another problem that the market must come to terms with is the inherent shortcoming of the pattern-matching “known bad” security models, and the need to complement them with the newer “learned good” models to detect behaviours of attackers that were not stopped at the front door. Another problem is just sheer noise and the paralysis it has created in most security operations. It is appalling how many security alerts face the typical organisation. People are buried under hundreds or thousands of alerts. Most of these are valueless—false positives springing from the known bad type of security tools.
“To be successful, organisations need their security systems to produce a small number of alerts with a high degree of accuracy. The analyst firm EMA describes a desperate need for accuracy and efficiency, especially given the shortage of security professionals to fill needed positions in companies and the degree to which individuals are vastly overworked”.
Exciting developments from LightCyber, and AI Business is certainly looking forward to following their development in the future!
You can find Jason on Twitter @jmatlof