TAG Cyber

Dr. Edward Amoroso discusses Cyberlytic's machine learning approach and how the company addresses cyber security from a risk perspective.

Using Machine Learning to Risk Score Your Web Apps

Dr. Edward G. Amoroso, CEO, TAG Cyber

Back in the late Nineties, when I first saw active IPS mitigation being connected to passive signature-based IDS, I joked that this was like issuing machine guns to a blindfolded army. That is, it was my observation that the detection solutions of the time would generally miss seeing the real attacks, and that the preventive actions would then make things worse by shooting back at the wrong source. I held this view for two decades (#PassiveMode).

More recently, however, I’ve had the opportunity to truly delve into the details of how solid front-end cyber security detection systems might more accurately identify risk indicators. And I’ve also looked more closely at how back-end active prevention systems might take safer response action, devoid of those nasty side-effect conditions. And in both cases, I can report that things are looking much better.

I had the privilege to broach this topic with two of our industry’s smarter minds: Stuart Laidlow and St. John Harold, both with UK-based Cyberlytic. During a lengthy videoconference held across the big pond, we spent some time digging into the technical details of the front-end passive profiler and the corresponding back-end Web application firewall (WAF) that comprise their promising new cyber security solution.

When asked about improving the quality of threat determination, both men drew on their extensive experience in British Intelligence and law enforcement to highlight the importance of high quality machine learning algorithms, combined with a specially designed risk classification model. That is, they’ve designed their front-end Cyberlytic Profiler to collect data from your SIEM or firewall, and to then apply advanced heuristics to estimate the risk intensity of observed Web-based indicators.

This smart use of machine learning and artificial intelligence algorithms allows for a more intelligent response triage of observed activity, using the tool’s risk classification model to prioritise real-time response. This risk-based approach lies in stark contrast to early IPS devices, which would see a simple regular expression match of some indicator, and would then simply shun the offending source IP address. You will recall that this led to so many unintended consequences that most security teams would shut off the active mode software. The Cyberlytic triage approach seems to improve on this weakness considerably.
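To make that contrast concrete, here is an added illustration (my own sketch, not Cyberlytic's code or risk model) that runs a handful of constructed sample requests through both approaches: a legacy "any regex hit shuns the source" rule, and a per-source risk score that weights several indicators and server errors, then tiers sources for triage. The indicator weights and tier thresholds are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample requests (not real traffic): a benign search that happens
# to contain a SQL keyword, and one source sending injection-style payloads.
REQUESTS = [
    {"src": "10.0.0.5", "path": "/search", "query": "q=select your plan", "status": 200},
    {"src": "10.0.0.9", "path": "/login", "query": "user=' OR 1=1--", "status": 500},
    {"src": "10.0.0.9", "path": "/login", "query": "user=admin'--", "status": 500},
    {"src": "10.0.0.9", "path": "/api/v1/users", "query": "id=1 UNION SELECT 1,2", "status": 500},
]

# Legacy IPS-style signature: a single broad pattern decides everything.
SIGNATURE = re.compile(r"select|union|'|--", re.IGNORECASE)

def naive_ips_shun(requests):
    """Legacy behaviour: any regex hit on any request shuns the source IP."""
    return sorted({r["src"] for r in requests if SIGNATURE.search(r["query"])})

# Weighted indicators: each contributes to a per-source risk score instead of
# triggering an action on its own. Weights are illustrative assumptions.
INDICATORS = [
    (re.compile(r"'\s*or\s+1\s*=\s*1|--", re.IGNORECASE), 3, "sqli-syntax"),
    (re.compile(r"\bunion\s+select\b", re.IGNORECASE), 3, "union-select"),
    (re.compile(r"\bselect\b", re.IGNORECASE), 1, "sql-keyword"),
]

def risk_score(requests):
    """Aggregate weighted indicators and server errors per source, then tier them."""
    scores, reasons = Counter(), {}
    for r in requests:
        for pattern, weight, label in INDICATORS:
            if pattern.search(r["query"]):
                scores[r["src"]] += weight
                reasons.setdefault(r["src"], set()).add(label)
        if r["status"] >= 500:  # payloads that break the app raise the risk
            scores[r["src"]] += 2
            reasons.setdefault(r["src"], set()).add("server-error")
    tiered = []
    for src, score in scores.most_common():  # highest risk first
        tier = "high" if score >= 8 else "medium" if score >= 4 else "low"
        tiered.append({"src": src, "score": score, "tier": tier,
                       "reasons": sorted(reasons[src])})
    return tiered
```

The naive rule shuns both sources, including the benign search, while the scored triage ranks the probing source as high risk and leaves the benign one at low, so a responder can prioritise rather than auto-block.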

One class of real world application that we discussed in our videoconference involved using front-end intelligence to correlate observed Web indicators with out-of-band errant activity. For example, if a commercial power plant was experiencing unusual outages, remarkably useful anomaly indicators (e.g. metadata from users checking outage maps on the power company’s Web site) might be derived by security teams based on front-end Web-based intelligent analysis, integrated with local knowledge of the user’s domain. This is sort of reminiscent of pharmacies using metadata from users buying over-the-counter remedies to predict imminent flu outbreaks. If the predictive risk model in any of these cases also considers all-source intelligence about tangible on-going threats, then a world-class security operations environment is achieved. This is a cool and profound concept.

So, while I’m not ready to proclaim that any WAF, even one as powerful as you’ll find with Cyberlytic, is going to detect every advanced persistent threat aimed your way by a nation state actor, I am perfectly willing to recommend that a tool such as Cyberlytic’s, placed in front of your Web-based workloads, would seem like a more-than-responsible means of tightening up your cyber defense. You’ll therefore be doing yourself a favor to take some time to inventory your Web applications – including any workloads behind REST APIs – and make sure to embed some good front-end, risk-based, machine-learning intelligence in the Web traffic path. And yes, that is a big mouthful to say, but if you do it right, you’ll be presenting an even bigger mouthful for your adversary.