How Fidelis Leverages Machine Learning to Combat Threats Hiding in your Network – Security Boulevard

Many threats lurk in your network, hiding in external (north-south) or internal (east-west) traffic. This is where we come in: we use machine learning and advanced analytics to detect the threats hiding in your network traffic.

To begin, threats hiding in external (north-south) traffic are attempting to do three things:

However, the malware activities that leave a footprint in internal (east-west) network traffic are attempting:

To start, anomaly detection using network traffic has a long history. Traditionally, it has been done for network performance monitoring and diagnostics. There are three main challenges in adapting this approach for threat detection. First, building representative baseline models for normal or benign network activities. Second, preventing a deluge of false alarms. And third, interpreting anomalies as threat-related activities to enable response.

The Fidelis Network Detection and Response (NDR) Anomaly Detection addresses the first two challenges using two strategies. Number one, it casts a wide net by analyzing network behavior using five different contexts. These are External, Internal, Application Protocols, Data Movement, and Events detected using rules and signatures.

To continue, for each context it learns up to five different families of models in order to build high-fidelity baselines. For example, for the External Traffic context, we have a family of models that focuses on outbound geo-location. Within this family, we have individual baseline models for different countries or groups of countries.

Together, these five contexts and their model families capture what is normal baseline behavior on an enterprise network. Because of that, we are able to correlate anomalies from different models to identify high-confidence detections. Then, we provide an interpretation of our anomaly detections for analysts by mapping them to MITRE ATT&CK TTPs to enable a response.

In an external context, we focus on properties of external or north-south traffic that are independent of the application protocol. Using unsupervised machine learning, statistical anomaly detection, and advanced analytics, we flag three types of suspicious activities that involve internal assets controlled by an enterprise:

Together, these models provide protection against threats that the MITRE ATT&CK framework maps to the Initial Access tactic, in particular Drive-by Compromise (T1189), and to Data Exfiltration, including the techniques Exfiltration Over Alternative Protocol (T1048), Exfiltration Over Web Service (T1567), and Automated Exfiltration (T1020).

Many organizations also deploy external-facing services hosted in a demilitarized zone (DMZ) that is open to the Internet. Fidelis NDR has anomaly models targeted at DMZ services. These can detect an increase in traffic to DMZ servers or traffic originating from a new location. Such anomalies often indicate that an enterprise might be the target of a new threat vector, campaign, or adversary.

In an internal context, we focus on internal traffic patterns along three dimensions: who is talking to whom (i.e. connection patterns between assets), remote access and login behavior patterns, and the volume of traffic exchanged between assets. Specifically, we flag five different types of suspicious activities.

Lateral Movement (TA0008)
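To make the framework described above concrete, here is an added illustration (not Fidelis code) of per-context model families with one baseline per asset and key (the outbound geo-location family with a per-country baseline, and an internal connection-pattern family), a never-seen key treated as a "new location" anomaly, and cross-family correlation before an asset is reported as high confidence. The z-score threshold, the family names, the per-family ATT&CK hint and all traffic values are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Illustrative ATT&CK hint per family, using only the IDs cited in the post (hypothetical mapping).
ATTACK_HINT = {
    "external.outbound_geo": "Exfiltration (T1048 / T1567 / T1020)",
    "internal.connection_pattern": "Lateral Movement (TA0008)",
}

class BaselineFamily:
    """One family of models (e.g. outbound geo-location); one baseline per (asset, key)."""
    def __init__(self, name, z_threshold=3.0, min_samples=5):
        self.name, self.z_threshold, self.min_samples = name, z_threshold, min_samples
        self.history = defaultdict(list)          # (asset, key) -> past daily observations
    def learn(self, asset, key, value):
        self.history[(asset, key)].append(value)
    def score(self, asset, key, value):
        """Return an anomaly record, or None when the observation fits the baseline."""
        past = self.history.get((asset, key))
        hint = ATTACK_HINT.get(self.name, "unmapped")
        if not past:                              # never seen: e.g. first traffic to a new country
            return {"family": self.name, "asset": asset, "key": key, "reason": "new_key", "attack": hint}
        if len(past) < self.min_samples:          # too little history: stay silent to avoid false alarms
            return None
        mu, sigma = mean(past), max(pstdev(past), 1.0)   # floor sigma so a flat baseline cannot divide by zero
        z = (value - mu) / sigma
        if z > self.z_threshold:
            return {"family": self.name, "asset": asset, "key": key, "reason": "spike", "z": round(z, 1), "attack": hint}
        return None

def correlate(anomalies, min_families=2):
    """High-confidence assets: at least two distinct model families flagged the same asset."""
    families = defaultdict(set)
    for a in anomalies:
        families[a["asset"]].add(a["family"])
    return sorted(asset for asset, fams in families.items() if len(fams) >= min_families)

def demo():
    geo = BaselineFamily("external.outbound_geo")            # bytes sent per destination country
    peers = BaselineFamily("internal.connection_pattern")     # distinct internal peers contacted
    for day in range(7):                                      # constructed seven-day learning period
        geo.learn("ws-17", "US", 1000 + 20 * (day % 3))
        peers.learn("ws-17", "peers", 4 + (day % 2))
    today = [                                                 # constructed observations for one day
        (geo, "ws-17", "US", 1030),       # ordinary volume to a known country -> no anomaly
        (geo, "ws-17", "XX", 250_000),    # first-ever traffic to country "XX" (placeholder code)
        (peers, "ws-17", "peers", 60),    # fan-out to 60 internal hosts -> spike
    ]
    anomalies = [a for fam, asset, key, val in today if (a := fam.score(asset, key, val)) is not None]
    return anomalies, correlate(anomalies)
```

Running `demo()` returns the two anomalies for `ws-17` and, because they come from two different families, lists `ws-17` as a high-confidence detection; the ordinary US observation produces nothing.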

Fidelis Network Detection and Response (NDR) uses a combination of these machine learning capabilities and advanced analytics to detect suspicious activities on an enterprise network. In a previous blog on Using Machine Learning for Threat Detection, our CTO Anubhav Arora talked about the advantages of using machine learning to detect patterns of cyber-attacks hiding in large amounts of network traffic data. He defined the different approaches based on supervised and unsupervised machine learning algorithms. We also released a webinar hosted by SANS where we discuss this topic in more detail.

The Fidelis NDR Anomaly Detection framework involves five contexts. They include External, Internal, Application Protocol, Data Movement, and Events detected using rules and signatures. As mentioned earlier, these contexts capture what is normal baseline behavior on the network, which then helps detect any anomalies.

You can subscribe to our Threat Geek blog to receive the upcoming blogs in this series on unsupervised machine learning to detect network activities. Our Data Science Manager will delve into the Application Protocol and Data Movement contexts, the models and threats associated with them, and more. Contact us if you have any questions and want to learn more about our NDR solution.
