Redefining threat prediction

While the definition of “prediction” might seem like an obvious concept, in the context of security I’ve found that most people’s expectations seldom align with reality. You can blame pop culture if you like. Some misunderstandings surrounding prediction come from movies or television where fiction and fact is blurred. In reality, security analysts cannot predict successful attacks before they happen (yet). Your average security operations center (SOC) does not look like the set of the film, Minority Report.

When someone talks about threat prediction in the computer security world, they might imagine automatically and instantly detecting threats. On TV shows, we see words like unknown, motivation, adversary, attack and threat – flashing across a screen, while a tech savvy protagonist breezes through lines of code that are shown crossing the circuits and wires behind the “dark web.” When we talk to some technology providers we hear terms like artificial intelligence, machine learning and analytics, which offer the potential to see into the future. While many of these technologies exist today, our ideas on what they can predict is off-base.

Despite all of the sensationalist language surrounding threat prediction, I have yet to meet someone who has reconciled the sci-fi image of prediction and thwarted a cyber threat. Security as an industry, as a community, needs to demystify the three common misunderstandings about prediction by breaking it down into its core components. Once we have established that factual security is not a form of clairvoyance, the responsibility of just one team, or a perfect defense, other teams will begin to appreciate that while security experts aren’t the heroes most people expected, they are the defenders we all need right now. In the first part of this series, we will explore how to deconstruct the myths surrounding prediction, and in part two, we will focus on how a functional understanding of security prediction operates in practice.

Seeing Into the future

The first misunderstanding I notice when having discussions with people is that they imagine predictive security as some form of clairvoyance, that modern security teams should instantly identify, analyze and qualify an infinite number of different possibilities in order to pinpoint the most likely scenario.

Instead of viewing predictive security as a an all-seeing and all-knowing capability, here is what really happens:

Prediction, is predicated on the SOC’s capacity to understand a cohesive picture of their environment. In order to effectively determine when any breaches have occurred, security teams need to create a holistic understanding of the networks, systems, services and applications they are responsible for monitoring. And security teams have to understand how those resources are used. For example, an email admin may not be required to understand database services to do their job effectively, or a network engineer can do their job without understanding the details of authentication services. But security practitioners have to have cross functional expertise as well as visibility to do their job.

Connecting the dots

Predictive security is often misunderstood as providing the savant-like capacity to create a perfect solution for any problem using a cursory look at the situation. In reality, security teams need to constantly refresh their understanding of threats, technologies and interactions to distinguish the legitimate or potentially harmful from the benign.

Security analytics forms the basis of combining understanding with visibility. Analytics is core to the adaptive response for the security markets group at Splunk and many other security technologies. But to have the visibility for analytics, security and other teams need to come to a mutual understanding – every business unit needs to work with security. The collaboration can create a unified picture of what actors, objects and interactions exist in an environment, and connect the dots with analytics that are meaningful.

Control the probabilities

Finally, we need to dispel the notion that predictive security can directly prevent something from happening in the future. Instead, we need to frame security as the practice of applying the likelihood (probability) of the actions, by the actor, on the objects within an environment. Shifting this understanding of security will allow businesses to let go of the notion of security as a perfect wall of defense, and instead adopt a more practical view of security – starting from knowing what’s in the environment through recovering when bad things happen. Embracing this understanding enables business owners and SOC analysts to take the highest advantage of their technology and process investments, and guide future ones.

So, let’s review. Prediction requires knowledge, it requires the ability to connect the dots, and it requires a probabilistic approach to what may happen. It requires security teams and non-security teams to work together to gain visibility and apply analytics to connect the dots. In the next article in this series, we will apply these principles and walk through specific examples of how you can develop a more predictive security posture.