Another product/solution focused session, this time on Cybersecurity. This is a relatively new product for SAS, but they have production customers and an aggressive development plan. The core focus is detecting attackers who are on a network before they execute their attacks. For instance, in the Sony hack the attackers were probably on the network for 90 days downloading data, and for more days before that doing reconnaissance. The challenge in doing this comes from a set of issues:
- Detection avoidance by criminals
- Limits of signatures and rules that are time consuming and complex to manage
- Economics of data scale given the amount of data involved
- Analyst fatigue caused by false positives
NIST talks about five steps:
- Identify
- Protect and Detect
  Lots of technology is focused here: firewalls, identity management etc.
- Respond
  More technology here, focused on generating alerts and having analysts prioritize and focus on the most serious ones.
- Recover
The key problem is that this still focuses on a “chase” mindset where everything is analyzed post-fact.
SAS Cybersecurity ingests network traffic data in real time and enriches it with business context such as that from a configuration management database (location, owner etc). This context is used to identify peer groups. In-memory behavioral analytics are applied and the results are presented through the investigation UI so analysts can focus on the most serious problems.
Critical to this is identifying the normal baseline (so you can see anomalies) when the number of devices is in the thousands and every device could be communicating with every other. A network of 10,000 devices might produce nearly 100,000,000 relationships, for instance. With this baseline you can detect anomalies. Machine learning can then be used to learn what is causing these anomalies before driving analytically-driven triage, so that analysts target the most serious problems.
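To make the baselining and peer-group idea concrete, here is an added example in Python. It is not SAS code and does not reflect how their product works internally; the device names, CMDB fields and flow records are all constructed. It builds peer groups from CMDB context (location, owner), learns from a baseline window which destinations each peer group normally talks to and how much each device normally sends per day, then scores a new day's flows for two kinds of anomaly: a relationship no peer has ever had, and an outbound volume far above the device's own baseline (the long quiet exfiltration pattern mentioned above). The findings are ranked so the noisiest device lands at the top of the analyst queue.

```python
"""Peer-group baselining over network flow records (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed CMDB-style context: device -> (location, owner). Hypothetical names.
CMDB = {
    "ws-01": ("london", "finance"),
    "ws-02": ("london", "finance"),
    "ws-03": ("london", "finance"),
    "db-01": ("london", "dba"),
    "ws-10": ("berlin", "engineering"),
}

# Constructed baseline window: (day, src, dst, bytes_out) for 7 days, with a small
# deterministic day-to-day drift so the per-device volume has a non-zero spread.
BASELINE = [
    (d, src, dst, b + 10_000 * d)
    for d in range(1, 8)
    for (src, dst, b) in [
        ("ws-01", "db-01", 2_000_000), ("ws-01", "mail.corp", 300_000),
        ("ws-02", "db-01", 2_500_000), ("ws-02", "mail.corp", 350_000),
        ("ws-03", "db-01", 1_800_000), ("ws-03", "mail.corp", 280_000),
        ("ws-10", "git.corp", 5_000_000),
    ]
]

# Constructed "today": ws-02 starts talking to an address none of its peers know,
# and its outbound volume jumps far above its own baseline.
TODAY = [
    ("ws-01", "db-01", 2_100_000), ("ws-01", "mail.corp", 310_000),
    ("ws-02", "db-01", 2_400_000), ("ws-02", "mail.corp", 340_000),
    ("ws-02", "203.0.113.7", 40_000_000),
    ("ws-03", "db-01", 1_900_000),
    ("ws-10", "git.corp", 4_800_000),
]


def potential_relationships(n_devices):
    """Directed device pairs if every device could talk to every other one."""
    return n_devices * (n_devices - 1)


def peer_group_of(device, cmdb):
    """Peer group = (location, owner) from the CMDB; unknown devices get their own bucket."""
    return cmdb.get(device, ("unknown", "unknown"))


def build_baseline(flows, cmdb):
    """Return (destinations per peer group, daily outbound byte totals per device)."""
    group_dsts = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # device -> day -> bytes
    for day, src, dst, nbytes in flows:
        group_dsts[peer_group_of(src, cmdb)].add(dst)
        daily[src][day] += nbytes
    volume = {dev: list(days.values()) for dev, days in daily.items()}
    return group_dsts, volume


def score_day(flows, baseline, cmdb, z_threshold=3.0):
    """Flag new peer-group relationships and per-device volume spikes for one day."""
    group_dsts, volume = baseline
    findings = defaultdict(list)
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[src] += nbytes
        if dst not in group_dsts[peer_group_of(src, cmdb)]:
            findings[src].append(f"new relationship: {src} -> {dst} (no peer talks to it)")
    for dev, total in totals.items():
        hist = volume.get(dev)
        if not hist:
            findings[dev].append("no baseline for device")
            continue
        mu, sigma = mean(hist), pstdev(hist)
        # A perfectly flat baseline gives sigma == 0; fall back to a 2x-mean rule there.
        if sigma > 0:
            z = (total - mu) / sigma
        else:
            z = float("inf") if total > 2 * mu else 0.0
        if z > z_threshold:
            findings[dev].append(f"volume anomaly: {total} bytes vs baseline mean {mu:.0f}")
    return dict(findings)


def triage(findings):
    """Analyst queue: devices ordered by number of findings, most first."""
    return sorted(findings, key=lambda d: len(findings[d]), reverse=True)


if __name__ == "__main__":
    print("relationships in a 10,000-device network:", potential_relationships(10_000))
    result = score_day(TODAY, build_baseline(BASELINE, CMDB), CMDB)
    for dev in triage(result):
        for line in result[dev]:
            print(dev, "|", line)
```

Two design points worth noting. Grouping destinations by peer group rather than by individual device is what keeps a new but legitimate connection (a finance workstation reaching a server its colleagues already use) out of the alert queue, which is the false-positive fatigue problem from the challenge list. And the volume check compares each device against its own history, not a global threshold, so a build server's normal 5 MB/day never masks a workstation's jump to 40 MB/day.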