
Smart systems that help protect intelligently: Vectra AI

Part of getting a little older is the acceptance of one’s own shortfalls. That’s a lesson hard learned by cybersecurity professionals, a group of people who know without a doubt that despite their best efforts to protect the organization, its users, and resources, their protective layers will be penetrated at some point.
Clearly, the cybersecurity pro will do everything in their power to prevent a successful breach, but part of the role is learning that it’s impractical to tighten access to the organization’s resources to the point at which no one can get anything done.
While we’re not hunting around for excuses, it’s a truism that, like costs, the biggest source of security issues walks around on two legs. In most recent cases of successful cyber-attacks, the cause was the people who work in the institution. Given these facts, the function of cybersecurity includes a degree of prevention but also significant degrees of detection and remediation.
The biggest breakthrough in cybersecurity in recent years has been the use of machine learning to detect when a breach has been successful. It’s not a simple process, but most attackers’ methods come from the same set of playbooks or recognizable variations on those. Speaking recently exclusively to Tech HQ, Chris Fisher, Head of Security Engineering at Vectra AI, shared with us some of the current thinking and methods of using ML in cybersecurity.
We began by talking about anomaly detection in network traffic: surely network traffic emanating from malware causes alarms to go off when it’s detected? Not necessarily, Chris said, for several reasons. The process of base-lining normal behavior can be highly problematic. “Attackers know how to get around anomaly detection. They’ll mask their activities so that they can make it look like it’s part of the baseline. [As an example,] command and control will tend to look like it’s beaconing — on the network, you’ll see these periodic spikes of traffic. And that’s step one. But step one also includes every mobile application that ever existed under the sun, because push notifications look exactly the same.”
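To make that point concrete, here is an added example (not Vectra’s code or method) that scores the timing regularity of outbound connections over a constructed connection log. The simulated command-and-control beacon and the simulated push-notification keepalive, both placeholder hostnames, end up with nearly identical periodicity scores, which is exactly why timing alone cannot separate the two.

```python
"""Periodicity scoring of outbound connections (constructed example).

Each record is (timestamp_seconds, src, dst). For every src->dst pair the
inter-arrival times are computed along with their coefficient of variation
(CV): a CV near zero means the client connects on a fixed schedule, i.e. it
beacons. Hostnames ending in .invalid are placeholders, not real indicators.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: one internal host talking to three destinations.
LOG = []
for i in range(10):
    LOG.append((1000 + 60 * i + (i % 3), "10.0.0.5", "c2.example.invalid"))    # beacon, ~60s, slight jitter
    LOG.append((1000 + 60 * i + (i % 2), "10.0.0.5", "push.example.invalid"))  # push keepalive, ~60s
for t in (1000, 1007, 1090, 1092, 1095, 1240, 1300, 1303, 1450, 1455):
    LOG.append((t, "10.0.0.5", "www.example.invalid"))                            # interactive browsing


def interarrival_cv(timestamps):
    """Return the CV of the gaps between sorted timestamps, or None if too few."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def beacon_candidates(log, max_cv=0.25, min_conns=6):
    """Return {(src, dst): cv} for pairs whose connection timing is regular enough."""
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(ts)
    out = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        cv = interarrival_cv(ts)
        if cv is not None and cv <= max_cv:
            out[pair] = round(cv, 3)
    return out


if __name__ == "__main__":
    # Both the beacon and the push keepalive are flagged; browsing is not.
    for pair, cv in beacon_candidates(LOG).items():
        print(pair, cv)
```

The browsing pair is dropped because its gaps are irregular, but the detector cannot tell the beacon from the keepalive without further context about who initiates and what is exchanged.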
Vectra’s approach avoids the problem of machine learning’s supervised or unsupervised bedding-in by first addressing which specific security problem needs to be solved. “So if you’re trying to solve a security challenge, you need to understand what’s the problem you’re solving first. And the approach that we take is to start with our security researchers to identify the problem. It could be something like, I want to find the attacker’s command and control in HTTPS web traffic. And we’ll work with a data scientist to understand the best method to solve this problem. Is this a classification problem? Or is it an anomaly problem?”
That approach, where there’s an implicit acceptance that every network is different and requires different solutions, suggests that the platform is wildly expensive. And after all, which (now) massively distributed network (home working, multi-cloud, SaaS instances, and so on) isn’t dynamic?
But according to Chris, an attacker’s one saving grace is that they are following the same type of procedure, regardless of specific network topology. Indeed, to a bad actor, there’s no distinction between an internal LAN, a local data centre, and any number of remote clouds — to them, it’s just one network. Their desired outcomes are the same, and therefore, there’s a great deal of standardisation in terms of infiltration, self-propagation and travel, command and control, credential harvest, data exfiltration, encryption, and so on. By absorbing attackers’ playbooks, the Vectra AI algorithms can see the patterns and respond accordingly.
What has changed is the attack surface on which attackers can operate — that has grown much larger with remote working, greater cloud service usage, a larger number of services required to get a day’s work done, and other factors like the increasing presence of IIoT and IoT on TCP/IP networks. The expanded attack area is one of the subjects ably explored in the Gartner Security Operations Hype Cycle document (available here).
Regardless of where the attack is from, and via which mechanism attackers gain a toehold, there are some giveaways as to the presence of malicious actors, of course. Fisher told us: “The relationship between the attacker and the endpoint that sits on the inside always looks reversed from what an end user would have with a server at the other end. […] For command and control to happen, it’s the reverse, it’s always the attacker initiating, with the client on the inside of the network responding.”
Plus, knowing, for example, the MITRE ATT&CK framework helps identify rogue behavior. “Vendor A will say this is Trojan XYZ, vendor B will say this is Botnet 123, Vendor C will say…and so on. But having that MITRE framework gives us consistency.”
The tooling may be smart, but organizations shouldn’t infer that the cybersecurity personnel no longer have to be skilled. Any cybersecurity tool still relies on expertise to use it properly, to bring human insight into what is a highly dynamic set of results. The Vectra dashboard is not designed to be driven by novices; rather, it helps qualified personnel do their jobs more efficiently and, critical in the inevitable breach situation, react so very much faster.
As a secondary advantage, there is the fact that users of Vectra don’t necessarily have to come to the platform with 10+ years’ experience under their belts. “We’re really amplifying the signal-to-noise. So we’re going to provide a huge amount of signal that comes in, and it’s clear signal. It’s not like there’s just lots of detections going on all over the place. We designed it to bubble up the most critical entities in your network, helping you prioritize what poses your business the highest threat.”
Experience gained ten years ago will remain relevant, but the nature of the network has changed extraordinarily and will continue to evolve. “I think for me, this definition of network needs to change. Most people look at [the network] as data centre but it is far more than that. I believe providing really, really clear network signal is critically important. We must make sure that we’re looking at the cloud technologies as well. […] Whether it’s infrastructure as a service, platform as a service, software as a service, and data centre; to give you visibility of the complete attack surface to be able to track attackers as they pivot from one to another,” Chris said.
To learn more about the Vectra AI platform and how it can change the way you operate and staff your SOC, get in touch with a representative near you to discuss your existing stack and how smart systems can help detect trouble when it happens.
About Vectra AI
Vectra is the leader in cyber threat detection and response for hybrid and multi-cloud enterprises. The Vectra platform uses AI to detect threats at speed across public cloud, identity, SaaS applications, and data centers. Only Vectra optimizes AI to detect attacker methods—the TTPs at the heart of all attacks—rather than simplistically alerting on “different”. The resulting high-fidelity threat signal and clear context enables cybersecurity teams to respond to threats sooner and to stop attacks in progress faster. Organizations worldwide rely on Vectra for cybersecurity resilience in the face of dangerous cyber threats and to prevent ransomware, supply chain compromise, identity takeovers, and other cyberattacks from impacting their businesses.