Share with Your Network
It’s no secret that the cybersecurity battlefront is more perilous than ever. With a shift towards remote and hybrid work over the past two years, attack surfaces have expanded and organizations are dealing with a record-breaking number of vulnerabilities and cyber attacks. Organizations report that keeping up with the increasing volume of vulnerabilities is the most challenging facet of security hygiene and posture management. To keep pace with the volume, solutions designed to address endpoint protection, event security, event orchestration, and identity management overwhelm security teams with data.
To make matters worse, organizations are struggling to staff their security teams with qualified analysts. The global shortage of cybersecurity professionals rose 350% between 2013 and 2021, leaving 3.5 million unfulfilled positions last year. Half of organizations investigate one to 10 alerts per day, yet an organization with 10,000 assets will see about 17,300 alerts per month. The average analyst spends as much as a quarter of their time chasing false positives, and has only seven minutes to deal with an alert. The remediation time just isn’t adding up. The question is, how do we filter the noise from all this multi-domain data into something manageable, and focus efforts on the 2-5% of vulnerabilities that really present a risk to an organization?
Filter the noise, then focus
The keys to building security resilience include prioritizing. Traditional vulnerability management uses a preventative lens of data modeling to look at incidental data and determine which vulns actually become incidents. But in today’s threat landscape, these incidents aren’t just potential–they’re happening in real-time. That is where the machine learning and automation features in XDR (extended detection and response) play an increasingly vital role.
XDR looks at those rich but noisy data sets from diverse sources to determine the most costly real-time risks posed to an environment. When designed optimally, XDR uses the relationships between events, conditions, and probabilities across these data sets to create schemas that help automate parts of the vulnerability management workflow and optimize efficiency.
High-dimensional data requires elevated analysis
An organization’s security team can be responsible for well over 165,000 assets. And each of those assets carries thousands of confounding variables at a volume so great that we can’t infer much from statistics about root causes in prioritization efforts.
As Michael Roytman, principal engineer at Cisco, explains in a recent webinar, data this highly dimensional requires us to look at it from a causal perspective. Causality in cybersecurity is the relationship between two variables that describe connections in a system. Through causal models, we can determine that fire causes smoke. But to what degree does the presence of fire influence the presence of smoke? And to what degree and under what conditions does the presence of a vulnerable asset influence a breach? Those are the million-dollar questions that can help prevent million-dollar cybersecurity incidents. Structural equation models help analysts measure just how much a variable influences another, and we can execute these models to:
- test assumptions about whether causality is there or not
- measure how well our interventions are performing in different conditions
- deprioritize detections we know do not cause breaches
Structural equation models also help us create algorithms that can be seen in advanced XDR solutions. Causal discovery in algorithms uses data to infer the qualities of relationships and prove that some of those relationships exist or don’t exist. Proving where relationships don’t exist reveals where we should focus remediation efforts. These three ways that algorithms use causal discovery are the key to building an automated XDR environment that works across platforms:
- Time symmetry– Checks statistical incidents of causes occurring before effects
- Complexity asymmetry – Measures the complexity of relationships between two variables and rules that the simplest relationship is most likely to be true
- Functional asymmetry – Uses machine learning to check whether the relationship holds regardless of the data input
Why should InfoSec teams care about causal discovery in algorithms? Because it allows us to determine the root cause of breaches by looking at relationships between:
- an event occurring and an incident happening
- an incident happening and a breach occurring
- a vulnerable asset and malware causing a breach
- two MITRE ATT&CK tactics
A causal perspective highlights the vulns most likely to be a real problem to your organization. When detection and response processes are automated, resource-strapped teams can stop spending countless hours investigating and remediating incidents that don’t matter to your organization and focus efforts on those 2-5% of costly potential exploits.
Machine learning optimizes efficiency
With all the uncertainty we’ve been facing the past few years, enterprises need risk-based vulnerability management solutions that analyze and adapt to real-time threat intelligence. XDR is the culmination of endpoint detection response, endpoint telemetry, threat management, and (for Cisco Secure customers), risk-based technology. Cisco is integrating Kenna Security’s machine learning capabilities into its XDR solution to provide customers with the real-time context needed to help teams focus their finite resources on the most important threats.
To discover more about how cybersecurity analysts can efficiently utilize machine learning techniques in vulnerability management, check out Michael Roytman’s genius webinar: How Machine Learning Models Can Uncover the True Causes Behind Breaches.
