There are many types of analytics that are used in the security world; some are defined by vendors, others by analysts. Let’s begin by using the Gartner analytics maturity curve as a model for the list, with the insertion of one additional term slotted in the middle of the curve: Behavioral Analytics.
Descriptive Analytics (Gartner): Descriptive Analytics is the examination of data or content, usually manually performed, to answer the question “What happened?” (or What is happening?), characterized by traditional business intelligence (BI) and visualizations such as pie charts, bar charts, line graphs, tables, or generated narratives.
Baikalov explains that Descriptive Analytics is the realm of a SIEM (Security Information and Event Management system) like ArcSight: “these systems gather and correlate all log data and report on known bad activities.”
Diagnostic Analytics (Gartner): Diagnostic Analytics is a form of advanced analytics which examines data or content to answer the question “Why did it happen?”, and is characterized by techniques such as drill-down, data discovery, data mining and correlations.
Here, Baikalov says that “Diagnostic Analytics is where link analysis tools like Palantir thrive: given a suspect, or security incident, they can figure out potential impact or root cause based on known relationships; it's a forensic activity heavily dependent on human analysts. A next-gen SIEM like Splunk combines both sets of capabilities in one tool – Descriptive + Diagnostic.”
Behavioral Analytics (not on the Gartner curve; sometimes called Behavioral Analysis): Behavioral Analytics analyzes massive volumes of raw user event data to detect anomalies and to predict future actions and trends.
Baikalov explains that, “While not on the Gartner maturity curve, I would categorize Behavioral Analytics as the next evolutionary step up from Diagnostic Analytics. In addition to what bad we know about, has anything out of the ordinary happened and should we worry about it? Behavioral Analytics is looking for deviations from normal, be it temporal (has it happened before?) or environmental (has it happened to suspect's peers?).”
“Anomaly in the behavior of any asset, be it user, computer system, application, or network device, is a good indicator of malicious activity,” says Baikalov. “The indicator does not rely on a priori knowledge of what exactly is wrong or on established thresholds, and is capable of detecting zero-day, low-and-slow, and APT (Advanced Persistent Threat) attacks.”
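To make the temporal-versus-environmental distinction concrete, here is an added example (written for this article, not Baikalov's or any vendor's code) that runs a minimal behavioral check over constructed per-user daily records. Each user's baseline for a feature is learned from that user's own history (temporal: has this happened to them before?) and from the history of peers in the same department (environmental: has it happened to their peers?). The records, the department name, the feature names and the z-score cutoff are all assumptions made for the example; no fixed per-feature thresholds are configured, which is the point the quote makes.

```python
"""Added example: temporal and environmental deviation checks over constructed
login telemetry. Not from the article or any product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history (not real telemetry): one record per user per day,
# with two per-day features: number of logins and number of distinct hosts used.
HISTORY = [
    {"day": d, "user": u, "dept": "finance", "logins": c, "hosts": 1}
    for u, counts in {
        "alice": [4, 5, 4, 6, 5, 4, 5, 5, 4, 5],
        "bob":   [5, 4, 5, 5, 6, 4, 5, 5, 4, 5],
        "carol": [4, 5, 5, 4, 5, 6, 4, 5, 5, 4],
    }.items()
    for d, c in enumerate(counts, start=1)
]

# Constructed observations for the day under review: alice's login volume spikes,
# carol touches six distinct hosts, bob looks like every other day.
TODAY = [
    {"day": 11, "user": "alice", "dept": "finance", "logins": 40, "hosts": 1},
    {"day": 11, "user": "bob",   "dept": "finance", "logins": 5,  "hosts": 1},
    {"day": 11, "user": "carol", "dept": "finance", "logins": 5,  "hosts": 6},
]

FEATURES = ("logins", "hosts")
SD_FLOOR = 1.0  # a perfectly flat history has sd 0; floor it so a one-unit wobble is not "infinitely" abnormal


def z_score(value, baseline_values):
    """How many standard deviations `value` sits from the baseline sample."""
    mu = mean(baseline_values)
    sd = max(pstdev(baseline_values), SD_FLOOR)
    return (value - mu) / sd


def group_history(history):
    """Index historical feature values by user (temporal) and by department (environmental)."""
    by_user = defaultdict(lambda: defaultdict(list))
    by_dept = defaultdict(lambda: defaultdict(list))
    for rec in history:
        for f in FEATURES:
            by_user[rec["user"]][f].append(rec[f])
            by_dept[rec["dept"]][f].append((rec["user"], rec[f]))
    return by_user, by_dept


def detect_anomalies(history, today, cutoff=3.0):
    """Return one finding per (user, feature, kind) whose |z| exceeds `cutoff`.

    kind is "temporal" (against the user's own past) or "environmental"
    (against the past of the user's departmental peers, excluding the user)."""
    by_user, by_dept = group_history(history)
    findings = []
    for rec in today:
        for f in FEATURES:
            own = by_user[rec["user"]][f]
            peers = [v for u, v in by_dept[rec["dept"]][f] if u != rec["user"]]
            for kind, baseline in (("temporal", own), ("environmental", peers)):
                if len(baseline) < 2:
                    continue  # not enough data to say what "normal" looks like
                z = z_score(rec[f], baseline)
                if abs(z) > cutoff:
                    findings.append({"user": rec["user"], "feature": f,
                                     "kind": kind, "z": round(z, 2)})
    return findings


if __name__ == "__main__":
    for hit in detect_anomalies(HISTORY, TODAY):
        print(hit)
```

Running it flags alice on `logins` and carol on `hosts`, each both temporally and environmentally, while bob produces no finding. In practice the baseline window, the peer grouping and the cutoff all need tuning, and a finding is a prompt for diagnostic work rather than a verdict.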
Advanced Analytics (Gartner): Advanced Analytics is the autonomous or semi-autonomous examination of data or content using sophisticated techniques and tools, typically beyond those of traditional business intelligence (BI), to discover deeper insights, make predictions, or generate recommendations. Advanced analytic techniques include those such as data/text mining, machine learning, pattern matching, forecasting, visualization, semantic analysis, sentiment analysis, network and cluster analysis, multivariate statistics, graph analysis, simulation, complex event processing, neural networks.
Prescriptive & Predictive Analytics (Gartner): Prescriptive Analytics is a form of advanced analytics which examines data or content to answer the question “What should be done?” or “What can we do to make _______ happen?”, and is characterized by techniques such as graph analysis, simulation, complex event processing, neural networks, recommendation engines, heuristics, and machine learning.
“Predictive capabilities are a must-have feature in active development,” says Baikalov. As the predictive capabilities improve and false positives decrease, Behavioral Analytics will gain enough credibility to work in Prescriptive mode, driving automated response based on the analytics' results. See the UK's new “active cyber-defense” initiative.
Non-security example use case: A traditional AI called an expert system is often used in the context of medical diagnosis. By ingesting reams of medical knowledge, the system asks a series of questions that allow the system to diagnose a disease by narrowing down the possible outcomes. Expert systems are narrowly focused on a particular problem.
Scheferman explains that this earliest form of AI is designed to do basic things that humans can with relative ease. The general premise is that the AI system must possess a large amount of raw knowledge and so, when a question is asked of the expert system, it is able to work through a series of rules until a satisfactory answer is provided. In cybersecurity, the most evolved example of such an expert system would likely be IBM’s Watson for Cyber Security, which is ingesting over 75,000 documented software vulnerabilities, 10,000 security research papers published each year and 60,000 security blogs per month.
Like its predecessors, however, Watson for Cyber Security requires a significant number of domain experts to provide its data and to measure how good a job it is doing. Watson is unable to learn on its own, and it can only answer questions derived from the knowledge it has absorbed. Expert systems can nonetheless power very effective AI: Watson is often able to use pattern recognition, human interaction, NLP and data mining (of both structured and unstructured data) to predict an attacker’s next move. It’s impressive by any measure.
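The "work through a series of rules until a satisfactory answer is provided" behavior described above is what a backward-chaining inference engine does. The following is an added example written for this article; it is not Watson code and not the medical expert system mentioned earlier. It asks questions only as needed, caches every answer, and lets one hypothesis be a condition of another. The rule base and the sample answers are constructed for illustration and are not a real detection knowledge base.

```python
"""Added example: a toy backward-chaining expert system for incident triage.
Constructed for illustration; not IBM Watson code and not a real rule base."""

# Constructed rule base. Each hypothesis lists the facts that must all hold.
# Shared facts are listed first so that one answer can rule out several
# hypotheses at once, which is the "narrowing down" the article describes.
RULES = {
    "credential stuffing": ["many failed logins", "many distinct usernames", "single source ip"],
    "brute force on one account": ["many failed logins", "single target account"],
    "compromised account": ["successful login", "new country", "mfa not used"],
    # a hypothesis can itself be a condition of a higher-level one
    "account takeover": ["compromised account", "password changed after login"],
}


def diagnose(rules, answer):
    """Return (confirmed hypotheses, questions asked in order).

    `answer(fact)` plays the human analyst and returns True/False for a base
    fact. Facts that are rule heads are derived by recursion instead of being
    asked. Every result is cached, so no question is ever asked twice."""
    cache = {}
    asked = []

    def holds(fact):
        if fact in cache:
            return cache[fact]
        if fact in rules:
            # all() short-circuits: questioning stops at the first failed condition
            cache[fact] = all(holds(c) for c in rules[fact])
        else:
            asked.append(fact)
            cache[fact] = bool(answer(fact))
        return cache[fact]

    confirmed = [h for h in rules if holds(h)]
    return confirmed, asked


# Constructed answers standing in for an analyst's replies. Anything not listed
# is treated as "no", which is what dict.get returning None gives after bool().
SAMPLE_ANSWERS = {
    "many failed logins": True,
    "many distinct usernames": True,
    "single source ip": True,
    "single target account": False,
    "successful login": False,
}

if __name__ == "__main__":
    found, questions = diagnose(RULES, SAMPLE_ANSWERS.get)
    print("questions asked, in order:", questions)
    print("confirmed hypotheses:", found)
```

With the sample answers the engine asks five questions, not the nine conditions in the rule base: "many failed logins" is answered once and reused, and "successful login" being false rules out both "compromised account" and "account takeover" without asking about the country, MFA or password change. This is also the limitation the paragraph above points at: the engine can only conclude what its human-written rules already encode.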
Now that we have examined some types of artificial intelligence, such as expert systems and analytics, you'll likely want to read the next article in this series: “Machine Learning: The More Intelligent Artificial Intelligence.” This is where software can grow beyond the constraints of human knowledge and actions – and it’s an area of great investment and tremendous excitement. Once you have read parts 1 and 2, you'll certainly want to read the third article in the series: “The Actual Benefits of Artificial Intelligence & Machine Learning.” There, we will explore how to move beyond the hype and confusion in order to see the real benefits of artificial intelligence and machine learning.
Part 2 was published on Tuesday, November 22nd. Part 3 will be published on Tuesday, November 29th.