Contextualization in Security Analytics

Written by: RANK Software  |  May 4, 2016

Not IF but WHEN you get attacked
Security breaches are everywhere, every day. In an environment where 100% of threats cannot be prevented and excessive false positives are a major pain point in forensic analysis, determining the context of a threat across the network is imperative to success.

Real Time Contextual Analysis
Much of the thought leadership in cyber-security is moving to the belief that not all threats can be prevented. The need therefore is for Rapid Detection and Rapid Response — for threat detection systems to be able to forensically analyze intrusions and quickly determine the severity of a threat. To do so, context is vital.

In typical threat appliances available today, one can see the infection of systems, but one cannot easily mine the deeper context: tracing the infection vector, analyzing what actions occurred after the infection, determining lateral movement, and determining the incident impact (impacted users, systems, applications, assets, etc.).

Real Time Context is determined by real time enrichment of data and Domain Rules, from multiple data sources in real time. This needs to be correlated with User and Application Behavioural Profiling so that each asset (machine or person) provides a relevant context based on its unique situation. Combining the real time context of a potential intrusion with the behaviour profile provides analysts with information that allows them to differentiate between what is anomalous and what is malicious, as well as combat both internal and external threats.

Contextualization in other realms
Localized search results, hyper-local recommendation algorithms, targeted advertisements, location-aware retail recommendations and retargeting cookies are all examples of successful contextualization approaches that most of us are very familiar with from our myriad interactions both online and in the real world.

These contextualization techniques are based on a variety of machine learning and behaviour profiling algorithms that are expertly tied together to generate the right results.

Security Platforms need to implement the same kind of supervised machine learning that can determine what to look for when assessing immediate threats and anomalies. A successful SSH login at 2pm on a Monday occurring within the enterprise could be a false alarm, whereas a successful SSH login at 4am on a Sunday originating in China and impacting the enterprise's CFO could potentially be far more serious. Context Matters! As Enterprise Security moves from reactive to proactive, platforms based on machine learning and automated forensics will provide a new weapon to defend against intrusions. Technology-based solutions that combine the meaningful analysis of real time and historic information and assist the decision maker in combating threats are a step in the right direction.
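As an added illustration (not RANK Software's code), the scoring below enriches successful SSH logins with constructed time-of-day, geo and account-criticality context and compares each login against a per-user behaviour profile, so the Monday-afternoon internal login and the Sunday 4am foreign login to the CFO's account from the text land on opposite sides of the alert threshold. The user names, IP-to-country table, profiles and weights are all assumptions.

```python
from datetime import datetime
# Constructed enrichment sources (hypothetical): account criticality and a geo lookup.
# 203.0.113.7 is a documentation (TEST-NET-3) address standing in for a foreign source.
USER_CRITICALITY = {"cfo": 3, "jdoe": 1}
GEO_BY_IP = {"10.1.2.3": "INTERNAL", "203.0.113.7": "CN"}
# Constructed behaviour profiles: hours, weekdays (Mon=0) and origins seen before, per user.
PROFILES = {
    "cfo":  {"hours": range(8, 19), "days": range(0, 5), "origins": {"INTERNAL", "US"}},
    "jdoe": {"hours": range(7, 20), "days": range(0, 5), "origins": {"INTERNAL"}},
}

def parse_sshd(line):
    # Constructed shape: "<ISO timestamp> Accepted publickey for <user> from <ip> port <n> ssh2"
    ts_str, rest = line.split(" ", 1)
    parts = rest.split()
    if len(parts) < 6 or parts[0] != "Accepted":
        return None  # skip failed attempts and unrelated lines
    return datetime.fromisoformat(ts_str), parts[3], parts[5]

def score_login(ts, user, ip):
    """Score one successful login: deviation from the profile, weighted by account value."""
    profile = PROFILES.get(user, {"hours": range(24), "days": range(7), "origins": set()})
    origin = GEO_BY_IP.get(ip, "UNKNOWN")
    score, reasons = 0, []
    if ts.hour not in profile["hours"]:
        score += 2; reasons.append(f"off-hours login at {ts.hour:02d}:00")
    if ts.weekday() not in profile["days"]:
        score += 1; reasons.append("login on a non-working day")
    if origin not in profile["origins"]:
        score += 3; reasons.append(f"unusual origin {origin}")
    return score * USER_CRITICALITY.get(user, 1), reasons

def triage(lines, threshold=6):
    """Return (user, score, verdict, reasons) for each successful login in the lines."""
    results = []
    for line in lines:
        parsed = parse_sshd(line)
        if parsed is None:
            continue
        score, reasons = score_login(*parsed)
        results.append((parsed[1], score, "alert" if score >= threshold else "benign", reasons))
    return results

# Constructed sample log: the two scenarios from the text (2016-05-02 is a Monday, 05-01 a Sunday).
SAMPLE_LOG = [
    "2016-05-02T14:05:00 Accepted publickey for jdoe from 10.1.2.3 port 40001 ssh2",
    "2016-05-01T04:02:11 Accepted publickey for cfo from 203.0.113.7 port 51234 ssh2",
    "2016-05-01T04:02:05 Failed password for cfo from 203.0.113.7 port 51230 ssh2",
]
```

Running `triage(SAMPLE_LOG)` scores the internal Monday login 0 (benign) and the Sunday 4am CN login to the CFO account 18 (alert), with the reasons listing off-hours, non-working day and unusual origin.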