Articles / Factoring Anomalies into Cyber Risk

on 29 Dec 2017

The broad field of behavioral analytics is much more complex than many observers in our industry realize. I was seated, for example, in the front row of security briefing recently, where a well-known analyst from a well-known company said this: “Behavioral analytics involves searching for patterns that do not match what we’ve seen before,” she explained. “It involves locating something that is unique and different – like a brand new cyber threat.”

Hopefully, you will agree to the absurdity of this definition. Morning commuters, for example, observe patterns every day that they've never encountered previously – namely, the license plates of the cars around them in traffic! Casual explanations of technology thus often fail miserably, and behavioral analytics is particularly prone to this, because Luddites tend toward anthropomorphism – that is, describing computing (poorly) in terms of human activity.

The good news is that the budding cyber security field of user and entity behavioral analytics (UEBA) can be enormously powerful when applied properly and interpreted accurately for cyber security. The underlying idea of UEBA traces back to the great Dorothy Denning’s early work, and here it is in a nutshell: Meaningful models of normal behavior can serve as a baseline for determining if observed behavior is sufficiently anomalous to warrant investigation.

I spent an afternoon last week chatting with the principals from Bay Dynamics, a cyber security firm located near my office in TriBeCa. Led by Co-Founder and CEO Feris Rifai, the company has an experienced management team and enjoys an impressive list of enthusiastic business customers who use the Bay Dynamics Risk Fabric platform to manage cyber risk – with a healthy dose of ingested UEBA. I was keen to learn more, and here is a summary of my understanding:

“Our platform is designed to help customers calculate the value of their cyber risk,” Rifai explained to me. “This allows them to prioritize cyber security remediation actions based on measurement, analysis, and reporting. Our approach is unique, however, because we apply artificial intelligence-based techniques within our UEBA solution to highlight the most important risk factors into our scoring approach.”

This method from Bay Dynamics of using AI, in the form of supervised and unsupervised machine learning, to ingest training examples for risk scoring, benefits nicely from UEBA. The Risk Fabric machine learning approach focuses on insider behavior, vulnerability characteristics, and business impact as the primary attributes in risk scoring. The goal is to highlight user or entity behaviors that demonstrate something particularly unusual and worth investigating.

I challenged the Bay Dynamics team with several practical examples from my own experience, ranging from the risk of unpatched routers, to the risk of a badly-designed network. The team offered Risk Fabric use-cases that aligned nicely with these examples by relying on the underlying equation for risk, based on threats, vulnerabilities, and assets. Such foundational basis is useful in dealing with the unpredictable nature of an enterprise, particularly for UEBA.  

I asked Rifai to summarize the primary value proposition for the Bay Dynamics Risk Fabric platform and here is what he offered: “Our unique application of emerging artificial intelligence techniques, along with the power of user and entity behavior analytics, allows us to build an enterprise cyber risk platform that highlights the most important issues for management attention and remediation.”

Now, we agreed that any enterprise risk approach might still struggle with problems such as overly complex infrastructure or poor understanding of the asset base. Without good inventories, for example, it is possible (even probable) that important risks will be missed by the enterprise security team. Just look back over the past couple of years, and most major breaches involved systems or networks that the CISO had not fully understood in advance.

But for most business and government settings, the machine learning methods embedded in the Risk Fabric UEBA-based risk management solution provide an excellent means for prioritizing action. Perhaps you should give Feris Rifai and his management team a call, and ask them to take you through the functionality and design of their platform. I think you will enjoy the conversation and learn a thing or two about UEBA and cyber risk. I know I did.

Please share with us what you learn.