Redefining threat prediction

Jul 16, 2018 | 5 mins
Analytics, Risk Management, Security

Security is hard. Some say once we can predict threats all will be better. Should we believe? Maybe. But security teams need to demystify the concept of “threat prediction” by addressing three common misunderstandings, and move their company’s view of predictive security from science fiction to IRL.


While the definition of “prediction” might seem like an obvious concept, in the context of security I’ve found that most people’s expectations seldom align with reality. You can blame pop culture if you like. Some misunderstandings surrounding prediction come from movies or television, where fiction and fact are blurred. In reality, security analysts cannot predict successful attacks before they happen (yet). Your average security operations center (SOC) does not look like the set of the film Minority Report.

When someone talks about threat prediction in the computer security world, they might imagine automatically and instantly detecting threats. On TV shows, we see words like unknown, motivation, adversary, attack and threat flashing across a screen, while a tech-savvy protagonist breezes through lines of code that are shown crossing the circuits and wires behind the “dark web.” When we talk to some technology providers, we hear terms like artificial intelligence, machine learning and analytics, which offer the potential to see into the future. While many of these technologies exist today, our ideas of what they can predict are off-base.

Despite all of the sensationalist language surrounding threat prediction, I have yet to meet someone who has reconciled the sci-fi image of prediction with actually thwarting a cyber threat. Security as an industry, as a community, needs to demystify the three common misunderstandings about prediction by breaking it down into its core components. Once we have established that real-world security is not a form of clairvoyance, the responsibility of just one team, or a perfect defense, other teams will begin to appreciate that while security experts aren’t the heroes most people expected, they are the defenders we all need right now. In the first part of this series, we will explore how to deconstruct the myths surrounding prediction, and in part two, we will focus on how a functional understanding of security prediction operates in practice.

Seeing into the future

The first misunderstanding I notice when having discussions with people is that they imagine predictive security as some form of clairvoyance: that modern security teams should instantly identify, analyze and qualify an infinite number of different possibilities in order to pinpoint the most likely scenario.

Instead of viewing predictive security as an all-seeing and all-knowing capability, here is what really happens:

Prediction is predicated on the SOC’s capacity to understand a cohesive picture of their environment. In order to effectively determine when any breaches have occurred, security teams need to create a holistic understanding of the networks, systems, services and applications they are responsible for monitoring. And security teams have to understand how those resources are used. For example, an email admin may not be required to understand database services to do their job effectively, and a network engineer can do their job without understanding the details of authentication services. But security practitioners have to have cross-functional expertise as well as visibility to do their job.

Connecting the dots

Predictive security is often misunderstood as providing the savant-like capacity to create a perfect solution for any problem using a cursory look at the situation. In reality, security teams need to constantly refresh their understanding of threats, technologies and interactions to distinguish the legitimate or potentially harmful from the benign.

Security analytics forms the basis of combining understanding with visibility. Analytics is core to the adaptive response for the security markets group at Splunk and many other security technologies. But to have the visibility for analytics, security and other teams need to come to a mutual understanding – every business unit needs to work with security. The collaboration can create a unified picture of what actors, objects and interactions exist in an environment, and connect the dots with analytics that are meaningful.

Control the probabilities

Finally, we need to dispel the notion that predictive security can directly prevent something from happening in the future. Instead, we need to frame security as the practice of applying the likelihood (probability) of the actions, by the actor, on the objects within an environment. Shifting this understanding of security will allow businesses to let go of the notion of security as a perfect wall of defense, and instead adopt a more practical view of security, starting from knowing what’s in the environment through to recovering when bad things happen. Embracing this understanding enables business owners and SOC analysts to take the greatest advantage of their technology and process investments, and to guide future ones.

So, let’s review. Prediction requires knowledge, it requires the ability to connect the dots, and it requires a probabilistic approach to what may happen. It requires security teams and non-security teams to work together to gain visibility and apply analytics to connect the dots. In the next article in this series, we will apply these principles and walk through specific examples of how you can develop a more predictive security posture.
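As an added illustration (not code from the original article or from Splunk), the three components reviewed above can be made concrete in a few dozen lines: an asset inventory supplies the knowledge of the environment, a history of (actor, action, object) events supplies the dots, and a smoothed per-actor frequency model supplies the likelihood that is then weighted by how much the object matters. The inventory, the event history, the criticality weights and the new events are all constructed for the example; the scoring rule is one simple choice, not a recommended production model.

```python
from collections import Counter, defaultdict
from fractions import Fraction

# Constructed asset inventory: the "knowledge" part. Objects the SOC knows
# about carry a criticality; an object absent from inventory is itself a
# visibility gap and is weighted as high criticality until someone resolves it.
INVENTORY = {"mail-01": "low", "web-01": "medium", "db-01": "high"}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 4}
UNKNOWN_ASSET_WEIGHT = max(CRITICALITY_WEIGHT.values())

# Constructed history of (actor, action, object) events: the dots to connect.
HISTORY = [
    ("alice", "login", "mail-01"),
    ("alice", "login", "mail-01"),
    ("alice", "login", "web-01"),
    ("bob", "query", "db-01"),
    ("bob", "query", "db-01"),
    ("bob", "query", "db-01"),
    ("carol", "deploy", "web-01"),
    ("carol", "deploy", "web-01"),
]

# Constructed new events to score against that history.
NEW_EVENTS = [
    ("alice", "login", "mail-01"),      # routine for alice
    ("alice", "query", "db-01"),        # alice has never touched the database
    ("bob", "query", "db-01"),          # routine for bob, but on a critical object
    ("dave", "login", "unknown-host"),  # unknown actor on an un-inventoried host
]


def build_model(history):
    """Count (action, object) pairs per actor."""
    per_actor = defaultdict(Counter)
    for actor, action, obj in history:
        per_actor[actor][(action, obj)] += 1
    return per_actor


def likelihood(model, actor, action, obj):
    """P(action on obj | actor), estimated with add-one (Laplace) smoothing over
    every (action, object) pair seen in history plus the pair being scored, so
    never-seen behaviour gets a small non-zero probability instead of 0."""
    vocab = {pair for counts in model.values() for pair in counts}
    vocab.add((action, obj))
    counts = model.get(actor, Counter())  # .get() avoids inserting unknown actors
    total = sum(counts.values())
    return Fraction(counts[(action, obj)] + 1, total + len(vocab))


def risk_score(model, event):
    """Surprise (1 - likelihood) weighted by how much the object matters, so an
    unlikely action on a low-value object ranks below a moderately unusual
    action on a critical one."""
    actor, action, obj = event
    p = likelihood(model, actor, action, obj)
    criticality = INVENTORY.get(obj)
    weight = CRITICALITY_WEIGHT[criticality] if criticality else UNKNOWN_ASSET_WEIGHT
    return (1 - p) * weight


def rank_events(model, events):
    """Return (event, score) pairs, highest risk first, as an analyst queue."""
    scored = [(event, risk_score(model, event)) for event in events]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    model = build_model(HISTORY)
    for event, score in rank_events(model, NEW_EVENTS):
        print(f"{float(score):5.2f}  {event}")
```

Run as a script, the queue puts alice’s first-ever database query at the top, then the unknown actor on the un-inventoried host, then bob’s routine but critical-object activity, with alice’s everyday mail login last. Nothing here predicts an attack; it only orders what the SOC already observes by how unlikely and how consequential it is, which is the practical sense of “prediction” the article argues for.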


Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk’s cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures.

Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats.

A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyber attacks.

The opinions expressed in this blog are those of Monzy Merza and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.