As another year goes by, we're nowhere closer to preventing cybercrime from running rampant on unsuspecting businesses. Modern enterprises are stuck in a tight spot where cyberattacks are not only more intelligent than ever before, but customers are even more unforgiving of security breaches. When 71% of customers state they would leave an organization after a data breach, the stakes couldn't be higher.
While many organizations are using network monitoring tools, these are the bare minimum needed to confront contemporary threats. Instead, it is becoming more important to use network monitoring tools with anomaly detection.
In networking, anomaly detection is a form of AI used within monitoring tools to identify anomalous behavior that could indicate a cyberattack. A system using anomaly detection looks for patterns within datasets and can pinpoint when network usage deviates from normal levels. These tools help administrators automate network scanning and monitor networks more efficiently. For "finding outliers and new phenomena in network system log data", anomaly detection is at the apex of the cybersecurity industry.
What's wrong with rule-based systems?
If you're currently using a network monitoring tool that doesn't have AI, then you're most likely using a rule-based system. Rule-based systems are designed to monitor traffic types and detect known types of anomalies and attacks based on established patterns. These systems are great for flagging up well-known cyberattacks but are helpless against new attacks that don't follow the established patterns of previous attacks.
Network monitors with anomaly detection are superior to these rule-based systems because they can identify cyberattacks that depart from common attacks. In other words, anomaly detection platforms have a much greater chance at stopping day-one attacks than rule-based tools.
Today organizations need to start combining tools in order to have comprehensive security coverage. According to ManageEngine, it is advisable for enterprises to invest in a firewall, intrusion detection system and network behaviour anomaly detection platform to "form a holistic network security strategy". By combining these tools together, you can have the best of both worlds with accurate performance monitoring and protection from those insidious day-one attacks.
Anomaly detection in action: Key examples
Anomaly detection is very complex because vendors choose from so many variations in their approaches to spotting anomalies. While there are many different approaches to anomaly detection, they can broadly be classified into two main types: misuse-based approaches and anomaly-based approaches.
The misuse-based approach looks for problematic patterns whereas the anomaly-based approach looks for patterns that are distinct from normal behavior. In this article we're going to concentrate on the anomaly-based approach as this will be the most relevant model for dealing with day-one threats in the future.
An example of a tool that uses an anomaly-based approach is GenieATM. GenieATM has a traffic anomaly detection engine which "profiles real-time traffic and dynamically builds normal traffic baselines during peacetime". Once traffic exceeds the threshold significantly, it will "automatically start the tracking analysis until the traffic returns back to the normal range".
Another illustration of how anomaly detection helps to boost enterprise security is provided by the Akamai Security Research team, which uses AI to monitor real-time DNS traffic and detect cyberattacks. To prevent DDoS attacks occurring through DNS, Akamai "implemented a mechanism that is sensitive to the changes in the rate of subdomains and/or a number of times a specific domain name is queried".
Akamai's platform then compares the measured subdomain rate and query count against the system's "expected values". If the system identifies that "the gap between expected values and current counts are larger than certain thresholds, our detection system takes necessary actions to protect network traffic from a possible attack".
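The two mechanisms described above, a baseline built from peacetime traffic that is tracked while the gap to expected values exceeds a threshold (GenieATM) and per-zone query-count and subdomain-rate features (Akamai), can be reduced to one small detector. The following is an added example written for this article; it is not code from GenieATM, Akamai or any other vendor. It assumes a constructed log format of `<epoch_seconds> <client_ip> <queried_name>`, fixed 60-second windows, a mean + K * standard deviation baseline with a floor of one query so that a perfectly flat peacetime baseline does not alert on a single extra query, and a "registrable zone" defined as the last two labels of a name; the function and variable names are all assumptions.

```python
"""Baseline-and-threshold anomaly detection over constructed DNS query logs.

Added example, not vendor code. Assumptions: log lines look like
"<epoch_seconds> <client_ip> <queried_name>" (constructed format), traffic is
bucketed into fixed windows, and the expected value per feature is the
peacetime mean with an alert threshold of K standard deviations above it.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 60   # window size; assumption, tune per environment
K = 3.0               # threshold multiplier in standard deviations; assumption
SIGMA_FLOOR = 1.0     # floor so a flat baseline (stddev 0) does not alert on +1


def parse_line(line):
    """Split one constructed log line into (timestamp, client, normalized name)."""
    ts, client, name = line.split()
    return int(ts), client, name.lower().rstrip(".")


def zone_of(name, depth=2):
    """Return the registrable zone, approximated here as the last `depth` labels."""
    return ".".join(name.split(".")[-depth:])


def window_features(lines):
    """Per (window, zone): (total query count, distinct queried-name count)."""
    queries = defaultdict(int)
    subdomains = defaultdict(set)
    for line in lines:
        ts, _client, name = parse_line(line)
        key = (ts // WINDOW_SECONDS, zone_of(name))
        queries[key] += 1
        subdomains[key].add(name)
    return {key: (queries[key], len(subdomains[key])) for key in queries}


def build_baseline(peacetime_features, zone):
    """Expected value and spread of each feature, learned from peacetime windows."""
    counts = [f[0] for (_w, z), f in peacetime_features.items() if z == zone]
    subs = [f[1] for (_w, z), f in peacetime_features.items() if z == zone]
    return {"queries": (mean(counts), pstdev(counts)),
            "subdomains": (mean(subs), pstdev(subs))}


def detect(features, baseline, zone):
    """Return state transitions as (window, state, reasons).

    The detector enters 'tracking' when the gap between the current count and
    the expected value exceeds K * stddev for any feature, and returns to
    'normal' once every feature is back inside the normal range.
    """
    events, tracking = [], False
    for (window, z), (q, s) in sorted(features.items()):
        if z != zone:
            continue
        reasons = []
        for label, value in (("queries", q), ("subdomains", s)):
            mu, sigma = baseline[label]
            if value - mu > K * max(sigma, SIGMA_FLOOR):
                reasons.append(label)
        if reasons and not tracking:
            tracking = True
            events.append((window, "tracking", reasons))
        elif not reasons and tracking:
            tracking = False
            events.append((window, "normal", []))
    return events


def constructed_log():
    """Constructed sample traffic: 5 quiet windows, 2 burst windows, 1 recovery."""
    names = ["www.example.com", "mail.example.com", "api.example.com"]
    lines = []
    for w in range(5):                       # peacetime: 10 queries, 3 names
        for i in range(10):
            lines.append(f"{w * 60 + i} 10.0.0.{i % 4} {names[i % 3]}")
    for w in (5, 6):                         # burst: 60 queries, 60 distinct names
        for i in range(60):
            lines.append(f"{w * 60 + i} 10.0.0.9 {w}x{i:03d}.example.com")
    for i in range(10):                      # recovery: back to peacetime levels
        lines.append(f"{7 * 60 + i} 10.0.0.{i % 4} {names[i % 3]}")
    return lines


def run_demo():
    """Learn the baseline from the quiet windows, then detect over the full log."""
    lines = constructed_log()
    peacetime = [l for l in lines if parse_line(l)[0] < 5 * WINDOW_SECONDS]
    baseline = build_baseline(window_features(peacetime), "example.com")
    return detect(window_features(lines), baseline, "example.com")


if __name__ == "__main__":
    for window, state, reasons in run_demo():
        print(f"window {window}: {state} {reasons}")
```

On the constructed data the detector starts tracking at window 5 because both the query count and the number of distinct subdomains jump far above their expected values, stays silent through window 6 rather than re-alerting every window, and reports a return to normal at window 7. The same structure works for any per-zone counter; the parts worth tuning in a real deployment are the window size, K and the baseline floor, since a baseline learned from perfectly flat peacetime traffic has zero spread and would otherwise alert on the first extra query.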
Moving on from the dashboard-driven network monitoring model
While the dashboard-driven network monitoring approach isn't obsolete just yet, it is beginning to show its age as new threats emerge. Using dashboards and rule-based approaches to monitor usage data just doesn't cut it against this generation of cyberthreats. By the time an administrator has identified an attack with these tools, the damage has already been done.
The truth of the matter is that a person cannot hope to analyze datasets as quickly as an AI program can. If staying protected online is on your agenda for 2019 then it is a good idea to look into AI-based solutions to stay protected from the latest threats. Thwarting an attack could not only save you money but might just save your reputation as well.
It only takes one cyberattack to do irreparable damage to your brand. Being proactive and adopting a cutting-edge anomaly detection system will pay dividends as you minimize the administrative burdens of your staff and improve your responsiveness to new threats.