Protecting the Attack Surface Using Machine Learning
ABB's Cybersecurity Scientist Rohan Vibhandik Offers Insights on Steps to Take
In the face of advanced persistent threats and attacks, it's critical for organizations to measure their vulnerability to threats before applying machine learning tools, says Rohan Vibhandik, a scientist at ABB Corporate Research Center. A proper assessment of these vulnerable endpoints will let practitioners apply machine learning where it fits, he says.
Even before considering different attack surfaces, it is critical to understand the various forms of threat models, Vibhandik says.
To address threats, organizations are increasingly looking at machine learning, which can help them detect and investigate compromises, Vibhandik says.
Vibhandik was a speaker at Information Security Media Group's recent Fraud and Breach Summit in New Delhi.
In this interview (see edited transcript below), Vibhandik discusses:
- The attack surfaces for industrial devices;
- How to configure a proactive security measure using machine learning;
- How to measure the cybersecurity risks for organizations using data analytics through machine learning.
Before joining ABB, Vibhandik was a lead network security engineer at Cisco Systems. Earlier, he assisted Government of India authorities on cybercrime investigations and computer forensics. He has also worked with the San Jose Research Foundation in California and Stanford University, where he was involved in research and development for e-commerce platform security. He has worked with U.S. police officials.
SUPARNA GOSWAMI: What are the different attack surfaces practitioners need to take cognizance of before deploying new technologies?
ROHAN VIBHANDIK: Before talking about different attack surfaces, we should understand the various forms of threat models for an organization, which help users assess the severity index of cyberattack vectors across various kinds of attack surfaces. For example, let's take into consideration a scenario where network information can be extracted by an attacker to steal confidential data. Here a company must take into account different aspects of attack surfaces: attack-centric, architecture-centric and asset-centric.
Let's start with attack-centric. The first component is to understand who the attackers are and what their goals are. For example, if you are an ecommerce company, the attacker will be more interested in the new products on your website.
Secondly, in the architecture-centric surface endpoint, one can gauge the goal of the attacker who is trying to identify various loopholes based on your architecture to make an entry.
And thirdly, the asset-centric endpoint is where the attacker is more interested in stealing your IP database or your software licensing.
Assessing these components will enable a CISO to understand the criticalities in deploying machine learning to fix the vulnerabilities.
GOSWAMI: How can an organization configure a proactive and reactive security posture using machine learning?
VIBHANDIK: A machine learning algorithm is expected to help organizations in detecting and investigating compromised users, given the increased enterprise attack surface, in both reactive and proactive postures.
Security measures are proactive when your network or system manager is trying to find the possibility of an attack on your ecosystem even when an attack hasn't happened. In such a scenario, a SOC plays an important role, as it does trend analysis over a long period of time over big data. Going through large data logs and finding the false positives or false negatives isn't an easy task for humans; it's here that machine learning comes into the picture. For this, one would now need a complete dashboard of all incidents and anomalies which happened in the past.
It doesn't necessarily have to be for your organization but for similar ones which have big data repositories. Machine learning's user and behavior analytics solutions will help us to know the trend within a specified time window for different kinds of attack surfaces.
Organizations can use tools like Splunk or ArcSight to segregate and categorize the data and run analytical algorithms on that data. This process overall reduces the time to detect and regularize their network infrastructure. Data traffic normalizing and abnormal traffic identification assist in increasing server resiliency and network availability.
On the other hand, in a reactive posture environment, the analytical tools will empower the humans investigating after the attack has taken place, and the IRT [Incident Response Team] will use them to investigate the attack vectors while trying to control the impact and recover the services to normal conditions.
Using Machine Learning
GOSWAMI: Can you explain the modus operandi of how one senses cybersecurity risks using analytics obtained through machine learning?
VIBHANDIK: Along with the methodology mentioned above, the network events' timestamping and data clustering algorithms should be used. Tools such as Orange (there are many others as well) help in parsing the log files to get serialized and categorized data sets from the big chunks of log files. This parsed data can then be processed through an analytical engine to identify the trends in the network traffic behavior. For example, if in a certain period of time the network traffic has increased enormously, then there could be a possibility of a DDoS attack. If an ecommerce website has announced a big sale, then there is a possibility of a certain anomaly, but here machine learning/data analytics helps in identifying false alarms, while at the same time notifying the site admin to allocate extended bandwidth to accommodate the "temporary" and "un-ill-intended" surge in the network traffic.
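The surge-triage logic described in the last two answers (bucket events by timestamp, learn a baseline from past windows, flag a surge, then separate an announced sale from a flood), written out as an added example. This is not code from the interview, from ABB or from any product mentioned above; the traffic is constructed in the script, the announced-event calendar and the thresholds are hypothetical, and the requests-per-source concentration check goes one step beyond what the interview states: it is one cheap way to tell "many clients, each behaving normally" from "few clients, each hammering the site".

```python
"""Traffic-surge triage over constructed access-log records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW_SECONDS = 60          # bucket size for trend analysis
BASELINE_WINDOWS = 10        # leading windows used to learn what "normal" looks like
Z_THRESHOLD = 3.0            # volume z-score that counts as a surge (hypothetical choice)
CONCENTRATION_FACTOR = 3.0   # requests-per-source ratio that looks like a flood (hypothetical)
# Hypothetical change-calendar entry: the site admin announced a sale for minute 10.
ANNOUNCED_EVENTS = [(600, 660)]  # [start, end) in seconds


@dataclass
class WindowStats:
    start: int       # window start, seconds
    requests: int    # requests seen in the window
    sources: int     # distinct client addresses in the window

    @property
    def concentration(self):
        """Average requests per client; a flood from few hosts drives this up."""
        return self.requests / self.sources


def build_sample_log():
    """Constructed sample traffic, not captured data: (seconds, client_ip) tuples."""
    log = []
    for minute in range(BASELINE_WINDOWS):          # minutes 0-9: 18-22 requests, one per client
        for i in range(18 + minute % 5):
            log.append((minute * 60 + i * 2, f"10.0.{minute}.{i}"))
    for i in range(200):                             # minute 10: flash crowd from 100 clients
        log.append((600 + i % 60, f"198.51.100.{i % 100}"))
    for i in range(200):                             # minute 11: flood from 5 clients
        log.append((660 + i % 60, f"203.0.113.{i % 5}"))
    for i in range(150):                             # minute 12: unannounced crowd, 150 clients
        log.append((720 + i % 60, f"192.0.2.{i}"))
    return log


def window_stats(log, window=WINDOW_SECONDS):
    """Bucket timestamped records into fixed windows (the 'timestamping' step)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src in log:
        start = ts - ts % window
        counts[start] += 1
        sources[start].add(src)
    return [WindowStats(s, counts[s], len(sources[s])) for s in sorted(counts)]


def learn_baseline(stats, n=BASELINE_WINDOWS):
    """Mean/deviation of request volume and mean concentration over the first n windows."""
    reqs = [w.requests for w in stats[:n]]
    conc = [w.concentration for w in stats[:n]]
    # Floor the deviation at one request so a flat baseline cannot turn every window into a surge.
    return mean(reqs), max(pstdev(reqs), 1.0), mean(conc)


def in_announced_event(w, events=ANNOUNCED_EVENTS):
    return any(start <= w.start < end for start, end in events)


def triage(w, base_mean, base_std, base_conc, events=ANNOUNCED_EVENTS):
    """Classify one window: normal, expected surge, likely flood, or unexplained surge."""
    z = (w.requests - base_mean) / base_std
    if z < Z_THRESHOLD:
        return "normal"
    if w.concentration > CONCENTRATION_FACTOR * base_conc:
        return "possible_ddos"        # volume comes from few sources: escalate to the IRT
    if in_announced_event(w, events):
        return "capacity_alert"       # announced sale: add bandwidth, not a security incident
    return "investigate"              # unexplained surge from many sources: needs a human


def analyse(log, events=ANNOUNCED_EVENTS):
    """Map each window start to its verdict, learning the baseline from the leading windows."""
    stats = window_stats(log)
    base_mean, base_std, base_conc = learn_baseline(stats)
    return {w.start: triage(w, base_mean, base_std, base_conc, events) for w in stats}


if __name__ == "__main__":
    for start, verdict in analyse(build_sample_log()).items():
        print(f"window starting at t={start:4d}s: {verdict}")
```

With the constructed input, minutes 0-9 come out `normal`, the announced sale at minute 10 becomes a `capacity_alert` (a false alarm for the SOC but a real signal for the site admin), the five-host flood at minute 11 is `possible_ddos`, and the unannounced many-client surge at minute 12 is left as `investigate`. In a real deployment the baseline would come from the historical incident and anomaly data the interview describes, and the announced-event list from the change calendar.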