Finding Unknown Threats with Anomaly Detection

By   ISBuzz Team
Writer , Information Security Buzz | Aug 20, 2014 05:03 pm PST

There is a wide array of advanced security technologies that organizations can deploy as perimeter defenses or vulnerability scanners to protect their valuable intellectual property and customer data. Yet, despite their best efforts, attacks and data breaches still happen. Affected companies have to spend a great deal of money to repair the damage to customers (and their reputation). One need look no further than the issues that retail giants like Target had last year to see how critical security is – and how costly it is when it goes wrong.

FREE Download: The Security Industry´s Dirty Little Secret

But this isn’t the late 1990s or early 2000s – everyone knows the importance of security. So how are these attacks still happening and getting in under the radar of existing security systems?

Looking Deeper for Security Issues

The problem is that the vast majority of these defenses employ a “known threat” approach. Elaborate services are deployed to keep IT security environments up to date on the newest malware, exploits and criminal enterprise tactics – but it all still boils down to scanning your environment for threats that are already known.

In the days when the typical threat came from hackers with a political or social agenda (or merely too much time on their hands), this approach may have been sufficient. Today’s security teams, however, face new, much more sophisticated threats that may be funded by foreign governments or advanced criminal enterprises. In short, the professional cybercriminals of today know the tools you have at your disposal and how to move around the “tripwires” that would signal their attack. Their actions are often designed to simply blend in with daily activities, or to complicate the efforts of existing security tools.

In fact, the cyber threat today is so great that most security teams who consider themselves prime targets work under the assumption that they have already been breached. The focus, in this case, moves to detecting the suspicious internal activities and/or the earliest signs of data exfiltration.

So how can you identify an unknown threat that has already breached your perimeter? Well, it is near impossible for a cybercriminal to reach their goal without leaving “fingerprints” in the form of anomalous behaviors.

Using Anomaly Detection to Uncover Intrusions

The good news is that the fingerprints in question can be found through analyzing data that is already being produced by your existing network, IDS/IPS and web proxy resources. In the past, the challenge was that the sheer volume of data generated dwarfed the capabilities of security professionals and their existing tools. But with the emergence of new unsupervised machine learning and pattern detection technologies come new analytics capabilities that allow even the largest organizations to scan this data as it is generated, providing the earliest possible alert of known and unknown threats. Advanced anomaly detection analytics constitutes a powerful tool to beleaguered security professionals in that it does not rely on human defined rules, signatures or models.

The other good news is that there are plenty of examples of how this technology is being used today to uncover unknown threats that were either impossible or took too long to find with previous approaches.

For example, a digital marketing enterprise that safeguards vast numbers of valid email addresses uses anomaly detection to scan thousands of servers every day for the presence of “unusual” processes that are connecting to the network. This is key because a midpoint in a successful breach is to establish a software beachhead on a networked server. The beachhead invokes a new process on the server that is, more often than not, unusual for that particular device. In the past, it was simply not possible to manually define “normal” processes for each of the thousands of otherwise unique servers. Machine learning, however, is ideally suited to this task and can easily identify a new and unusual process.

In another example, a large financial institution scans the web proxy logs that detail interactions with external internet sites. The web proxy devices are already configured with rules to identify and prevent connection to unauthorized or “known bad” sites. Anomaly detection, however, can take this a step further and identify “suspicious” connection activities. To prevent from adding to the already burdensome volume of notifications, the software produces highly accurate alerts by analyzing factors such as the sender, protocol, and destination location.

New technology often enables new approaches to existing challenges. Machine learning anomaly detection offers a new approach to safeguarding your organization that could make the difference between having a data exfiltration run for weeks and losing millions of credit card records,  and spotting it as it develops and perhaps only losing a few hundred.

Augmenting Analysis with Machine Learning

To catch data exfiltration before it’s too late, you need more than a team of data scientists – you need machine learning technology. Machine learning technology automatically learns an organization’s normal processes and interactions, analyzing patterns of behavior and looking for things that stand out – anomalies, variances or major outliers.

Organizations can effectively battle these forms of advanced threats – all but hidden from traditional security approaches – by aggregating their massive amounts of data from web server logs, access logs, user directories, authorizations, etc. and then using machine learning-based detection analytics to reveal the anomalies that lead to an intruder’s fingerprints.

Machine learning works by continually establishing baselines for comparison. As new behaviors present themselves within an organization – and then become accepted – the machine learning technology constantly refreshes and evolves its analysis to make sure only true anomalies are being discovered. For example, if some pattern of activity that was at first perceived as a problem is now a regular part of doing business, machine learning technology will learn to see it as a normal behavior. Once defined as a norm, the behavior will no longer be flagged.

With machine learning-based analysis and anomaly detection technology digging into your  data, larger amounts of information can be reviewed and analyzed in real time, leading to quicker detection and incident response times.

Unless there are unlimited resources available to calculate and set ever-changing alerts for every single security threat imaginable, organizations need to begin to rely on advanced analysis and detection technologies built around machine learning to successfully look for, identify and eliminate security problems before they take a toll on the organization.


Machine learning based analysis technology can identify new attack patterns and advanced threats that aren’t easily detected and/or that don’t fall within the scope of known cyber attack methods. Machine learning is very effective at making sure security organizations remain in lockstep with hackers, which is especially important as they are becoming more and more inventive. Indeed, you can bet that if you’re not paying attention to these potential attack methods, cybercriminals are. Now is the time to utilize your organization’s data with the latest machine learning technologies to protect both the company and your customers from costly and dangerous security breaches.

By Stephen Dodson, Ph.D, Chief Technical Officer, Prelert

stephen_dodsonBio: As a founding member of the Riversoft engineering team, Steve led the design of the topology driven root-cause analysis technology used today within IBM Tivoli Netcool, HP OpenView and Cisco management tools. Following the IPO and subsequent acquisition of RiverSoft by Micromuse, Steve joined the founding team of Njini, where as CTO he led the design of their innovative storage management technology. Njini’s technology was acquired by Riverbed in 2008. Prior to software development, Steve worked in the Computational Mechanics group at Imperial College, London where he delivered key contributions to the field, resolving scalability issues using a novel approach to solving Maxwell’s equations which allowed it to become a practical technique used today by major companies. Steve holds MEng in Mechanical Engineering and a PhD in Computational Methods from Imperial College, London alongside a CES from École Centrale de Lyon.