“All The President’s Men” is one of my all-time favorite movies. It’s got everything you want in a film: great acting, suspense, an important subject, and an eerie premonition about the difficulty of using machine learning in threat detection. One of the best lines in William Goldman’s script has been forgotten in favor of the classic “Follow the money.” Hal Holbrook, playing “Deep Throat,” implores Robert Redford’s Bob Woodward to “Get the overview.”
As Deep Throat, an FBI agent, understood, a collection of suspicious incidents might mean nothing, or everything, in an investigation. What mattered was an overview, a holistic understanding of what was going on, of who was doing what. Without that, it was all just, as Robert Redford whined later in the story, “ChickS%% Games.”
Getting the overview is the mission of SecBI, a solution that provides what the company calls “Full Scope Detection” of activities on a network. They answer the kind of question that Redford fired at Dustin Hoffman while they drove around Washington doing learning-based threat detection with a 1971 Volvo 122S, rather than a computer. He asked, “A man asks you for directions. Is he interrogating you or is he lost?”
At RSA 2018, SecBI Co-Founder Doron Davidson and VP of Product Management Arie Fred explained how their solution uses unsupervised and supervised machine learning to detect a full scope incident narrative—an overview, if you will, of events and users. “You have to understand what’s hidden on the network,” Davidson explained. “You have to enrich the event information and make connections between things that no human being would ever notice.”
An example of enrichment with SecBI might involve correlating user identities with network events to discover a pattern. SecBI uses a process of “autonomous investigation” to carry out this kind of enrichment leading to insights. “Let’s say you detect file uploads to a public cloud server. Is it data theft or routine business? That might depend on who is doing it. If the user is a contractor in another country, then maybe it warrants a look. What we do is establish a narrative so we can offer meaningful alerts. If you have to investigate every cloud upload, you’ll drown.” SecBI helps security analysts avoid chasing sporadic alerts with tedious investigation workflows. The result is to accelerate incident response and investigation processes.
The tool is also useful for post-mortem analysis of security incidents. Sometimes, things are not clear until they’re over. SecBI’s machine learning analyzes and clusters all forensic evidence related to a security incident. This might include infected devices and their users, malicious command-and-control servers, and compromised infection points. It might identify the drop-point with which they communicated, for example. SecBI is able to summarize and present all the relevant evidence in the event data.
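The enrichment described in the cloud-upload anecdote and the evidence clustering described just above, as an added toy illustration that is not SecBI's code: events that share a device, user or destination are linked into one narrative, and the narrative is then scored against an identity directory. The event records, the user directory, the home-country constant and the scoring weights are all constructed assumptions.

```python
from collections import defaultdict
# Constructed sample network events (proxy-style), not real traffic.
EVENTS = [
    {"id": 1, "device": "host-a", "user": "alice", "dest": "files.cloud.example", "action": "upload"},
    {"id": 2, "device": "host-b", "user": "bob", "dest": "files.cloud.example", "action": "upload"},
    {"id": 3, "device": "host-b", "user": "bob", "dest": "198.51.100.7", "action": "beacon"},
    {"id": 4, "device": "host-c", "user": "carol", "dest": "198.51.100.7", "action": "beacon"},
    {"id": 5, "device": "host-d", "user": "dave", "dest": "wiki.corp.example", "action": "download"},
]
# Constructed identity directory used for enrichment (assumed schema: role and country).
USERS = {"alice": {"role": "employee", "country": "US"}, "bob": {"role": "contractor", "country": "BR"},
         "carol": {"role": "employee", "country": "US"}, "dave": {"role": "employee", "country": "US"}}
HOME_COUNTRY = "US"  # assumed: where the organisation is based

def cluster_events(events):
    """Union-find: events sharing a device, user or destination fall into one narrative."""
    parent = {e["id"]: e["id"] for e in events}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # (field, value) -> id of the first event carrying that entity
    for e in events:
        for key in ("device", "user", "dest"):
            anchor = (key, e[key])
            if anchor in first_seen:
                parent[find(e["id"])] = find(first_seen[anchor])
            else:
                first_seen[anchor] = e["id"]
    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e)
    return [sorted(g, key=lambda e: e["id"]) for g in groups.values()]

def enrich(narrative, users=USERS):
    """Attach identity context and score the facets an analyst asks about (weights are arbitrary)."""
    score, findings, beacons = 0, [], defaultdict(set)
    for e in narrative:
        u = users.get(e["user"], {})
        if e["action"] == "upload" and u.get("role") == "contractor" and u.get("country") != HOME_COUNTRY:
            score += 3
            findings.append(f"{e['user']} (contractor, {u['country']}) uploaded to {e['dest']} from {e['device']}")
        elif e["action"] == "beacon":
            beacons[e["dest"]].add(e["device"])
    for dest, devices in beacons.items():
        if len(devices) > 1:  # one external endpoint contacted from several hosts
            score += 2
            findings.append(f"{len(devices)} devices beaconed to {dest}: {sorted(devices)}")
    return {"score": score, "users": sorted({e["user"] for e in narrative}),
            "devices": sorted({e["device"] for e in narrative}), "findings": findings}
```

Linking on a shared destination pulls every user of the same popular cloud service into one narrative, so a production version would stop linking on high-fanout hubs and rely on device and user pivots for those.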