Modeling The Storm of Cybersecurity Data

Consider the job of the weather person. It used to be that a weather forecast was almost unusable because of low accuracy. But now, it is commonplace to put a reasonable amount of faith in the forecast. Really, not that long ago, we used an almanac to get a sense of the weather. My, how things have improved!

I actually rely on the forecast I access on my smartphone. Why is the prediction so much better today than it was in the past?

More Data Does Not Equate to Better Security

The reason you often hear people say "quality over quantity" is because, generally, it's true. An organization could own every security tool known to mankind, each kicking out truckloads of data, but this does not necessarily mean that the organization is well protected against security threats and attacks.

Deviation From Normal Does Not Always Mean Malicious Intent

One approach to solving cybersecurity problems is to use machine learning to baseline normal behaviors so that deviations from normal can be identified. At first glance this makes perfect sense. However, there are flaws that must be considered and avoided.

Threat Intelligence: Non-Malicious Deviations

One of the flaws is that deviations from normal may not be malicious in nature. They may reflect new behaviors that are entirely benign. For example, new software, new policies, a new scope of work, or any of a myriad of other changes may cause a deviation from normal.

Are You Fighting the Cyber Battle or the Overall War?

From Mental Models to Computational Models

It used to be that a diligent team of analysts with some programming skills could do a respectable job of protecting an enterprise on their own. They knew enough of the specific threats, the specifics of the enterprise, and the specifics of the enterprise network that they could monitor for problems and mitigate them. Unfortunately, the volume and voracity of the threats have grown. The variety of business models has expanded. The complexity of enterprise network topologies has increased. These factors mandate that cybersecurity solutions evolve. Cybersecurity teams must upgrade to a better strategy.

No longer are one-off scripts and the programming of lookup tables adequate to face the criminal elements. The risks and liabilities are just too high.

Do Complex Cybersecurity Issues Cause You Chaos?

Cybersecurity is really complicated. It is a topic of massive amounts of minute details. From those details, incredibly important big pictures must be formed. Cybersecurity is the art of being situationally aware in chaos.

Software engineering is really complicated. It is a topic of massive amounts of ones and zeros. From those bits (1s and 0s) helpful applications must be formed. Software engineering is the art of creating knowledge from big data formed of bits.

Cybersecurity is inherently complex, as is the world of software. How do we make complex things less complex? How do we "get our heads around" all the things in the cyber domain?

Three Tips to Fight Insider Threats Before They Surface

As much as we would like to think that we can trust all our colleagues and employees, insider threat is a large concern. People within a company - employees, management, and contractors - are given access to information and assets as trusted members of the organization. This access gives them the capability and opportunity to make harmful choices, either by stealing something of value or by committing sabotage.

Artificial Intelligence Saccades in Cybersecurity

The human perceptual systems are pretty darned amazing. Without our conscious control the brain acts to gather the information needed to construct and mold our perception of reality.

Consider our vision. When something first catches our eye, our brain begins to try to figure out what it is we are seeing. Unconsciously, our brain starts jerking our eyes about to gather the information needed to correctly classify that something. This is known as "saccadic eye movement" or "eye saccades".

When we first see a face, our motor cortex takes control over our eyes in order to collect up corroboratory information. Basically, our brain says, "If this is a face, I should see a nose here, an eye here, another eye over here, and a mouth here." Each time the eyes jerk from one location to another, they are collecting information that can confirm or nullify that you are looking at a face.

Artificial Intelligence for InfoSec in Cybersecurity is Here (...To Stay)

Artificial Intelligence (AI) for InfoSec has wavered up and down in reputation over the decades. Sometimes it is seen as being on the brink of great breakthroughs. At other times it is seen as an impossibility. My opinion is: it's already here, mostly due to my definition of AI.

Defining Artificial Intelligence for InfoSec

Alan Turing's definition was written in his paper "Computing Machinery and Intelligence." He proposed a test that defined AI by judging whether or not the behavior of the machine was indistinguishable from that of a human.

Bad Guys Don't Do Normal Things - Part 2

Any cybersecurity analyst will tell you that there is a huge need to reduce the number of false positive alerts they receive every day. In the first part of this blog series we described an Incident Response (IR) team that, instead of focusing on true threats, was all too often running down "suspect ping" alerts caused by harmless software updates.

We discussed using ontologies to model alert data in graph form. By putting the original alert data into graph form and using a description logic reasoner, Dark Light™ is able to apply expert knowledge to make inferences. In the case of the "suspect ping" problem, we use knowledge about related processes to reason whether the alerts should be ignored or classified as truly "suspect".

High-Impact Strategies to Automating SecOps

Cyber Security Automation: Where to Start

The short and quick answer is: you start with the most impactful tasks. These are the tasks that will bring the highest value and return on your investment in the shortest period of time.

When automating your Security Operations Center (SOC) tasks in an effort to deal with high volumes of appliance events and alerts, you'll likely find that analysts have already tightened the criteria for what triggers an alert to be sent to them. This action provides the analyst with only the highest-priority alerts.
