Author: Ravi Devireddy, Founder & CTO
This is a question that I am often asked by potential customers and partners. Behavioral analytics and machine learning methods can be applied to a variety of problems within cybersecurity. So, what makes E8 Security and our use of behavioral analytics to identify adversarial activities operating within the enterprise network so special?
There are three things that make E8 Security unique:
- Focus and clarity on the problem being solved
- Proven technology
- Unique approach to the solution
Focus and clarity
Our objective is to provide visibility into the three later stages (Control, Execute and Maintain) of a seven-stage attack lifecycle (first proposed by Lockheed Martin). These three stages of attack are carried out within the enterprise perimeter, and are often invisible to traditional methods of detection. E8’s specific focus is on identifying the following categories of attacker activities that occur within these stages.
- Communications: represents adversary communications with systems under their control
- Credentials: represents access and use of credentials within the environment
- Persistence: represents changes to a system to establish persistent presence on the system
- Movement: represents access, control and execution on remote systems
To identify these attacker activities, an integrated view of user, network and endpoint behaviors is required. The E8 Security Fusion Platform integrates data from user, network and endpoint activities into a single behavioral analytics platform, modeling user and device behaviors using machine-learning algorithms to surface anomalous patterns indicative of the four attacker activities listed above within the enterprise perimeter. With this clarity, we help our customers understand what aspects of visibility into the attack kill chain E8 can provide, and how they can use the Fusion Platform in conjunction with other security technologies that are already in use within their environment.
At E8, one of the core design criteria is to develop self-learning systems, i.e. systems that are developed with the ability to learn and improve without being explicitly programmed to do so. This addresses the challenge of detecting activities for which there are no specific signatures or indicators available. Our learning engine is a three-stage process.
Stage-1 learning is an unsupervised modeling engine that is designed to automatically discover users and devices in a given environment, map them into uniquely identifiable entities, and learn their relationships, groups, and behavior patterns. The objective of Stage-1 learning is to identify the following five types of behaviors for any user or device in the enterprise.
- Newly observed behaviors
- Outlier behaviors
- Change/deviation in behaviors
- Automated behaviors
- Coordinated behaviors
These behavior models have enabled us to develop a behavior ontology, which Christophe Briguet has blogged about, to query and understand underlying data in multiple dimensions.
Stage-1 learning discovers, learns, and connects the diverse set of behavior identifiers for each entity in the environment. The five different types of behaviors listed above generate insights into the activity patterns of the entities. For example, an outlier behavior is checked for its historical pattern of being an outlier, allowing for a reduction in false positives.
The effectiveness of our Fusion Platform’s modeling engine is measured by its ability to learn from experience (E) with respect to the task (T) of identifying anomalies and the performance measures (P) for the total number and ranking of those anomalies. In the graphic below, you can see this learning taking place. We show that E8 is improving its performance in identifying true anomalies as measured by the density of anomalies (as more data is accumulated, the number of anomalies thins), and the appropriate ranking of the anomaly score with more experience.
Stage-2 learning is a supervised modeling engine designed to learn from the anomalies generated by Stage-1. Here, supervised modeling techniques such as random forests, classifiers, and association rule mining are applied to arrive at a pattern of interrelated behaviors corresponding to specific threat activity in the attack kill chain.
Stage-3 learning is user-reinforced learning, where feedback from the environment, including users of the Fusion Platform, is incorporated to further fine-tune environment-specific attributes, ultimately eliminating noise from the output.
The combination of Stage-1, Stage-2 and Stage-3 learning produces the intelligence and insights from raw data sets without explicit programming of the system.
Our unique approach: Transforming security operations
E8 Security takes the approach of differentiating anomalies and threats. While there may be many anomalies in an environment, not all of them are threats. Earlier I mentioned that our objective is to identify four types of attacker activities: communications, credentials, persistence and movement. With this goal in mind, E8’s Fusion Platform is designed to connect multiple behavior anomalies observed over time, produced by E8’s model engine, into specific threat patterns that map into one of those four attacker activities.
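As an added illustration (not E8's code; the event data, thresholds and risk weights are constructed assumptions), this Python sketch shows the two ideas above together: suppressing an outlier that has a history of being an outlier, and connecting an entity's remaining anomalies over time into a threat pattern spanning the four attacker activities named in the post.

```python
from collections import defaultdict

# Constructed Stage-1 anomaly events, not E8 data. Each tuple is
# (day, entity, behavior_type, attacker_activity); the activity is one of the
# four categories the post names: communications, credentials, persistence, movement.
EVENTS = [
    (1, "svc-backup", "outlier", "communications"),
    (2, "svc-backup", "outlier", "communications"),
    (3, "svc-backup", "outlier", "communications"),
    (4, "svc-backup", "outlier", "communications"),
    (3, "alice", "new", "credentials"),
    (4, "alice", "outlier", "movement"),
    (5, "alice", "new", "persistence"),
    (5, "bob", "new", "communications"),
]
# Assumed risk weights per attacker activity (illustrative only).
RISK_WEIGHT = {"communications": 1, "credentials": 2, "persistence": 2, "movement": 3}

def chronic_outlier(events, day, entity, min_prior_days=3):
    """Stage-1 check: has this entity been an outlier on at least
    min_prior_days earlier days? If so, being an outlier is its normal
    pattern and today's outlier is suppressed instead of surfaced."""
    prior = {d for d, e, b, _ in events if e == entity and b == "outlier" and d < day}
    return len(prior) >= min_prior_days

def filter_anomalies(events, min_prior_days=3):
    """Drop outlier anomalies that are historically normal for the entity."""
    return [ev for ev in events
            if not (ev[2] == "outlier" and chronic_outlier(events, ev[0], ev[1], min_prior_days))]

def connect_threats(anomalies, window_days=7):
    """Stage-2 style correlation: an entity's anomalies within the window that
    span two or more attacker activities form a threat pattern.
    Returns {entity: (sorted activities, risk score)}."""
    by_entity = defaultdict(list)
    for day, entity, _, activity in anomalies:
        by_entity[entity].append((day, activity))
    threats = {}
    for entity, items in by_entity.items():
        latest = max(d for d, _ in items)
        acts = {a for d, a in items if latest - d < window_days}
        if len(acts) >= 2:
            threats[entity] = (sorted(acts), sum(RISK_WEIGHT[a] for a in acts))
    return threats

def alerts(events, min_risk=4):
    """Alert only on threats meeting the risk threshold; the rest stay as context."""
    threats = connect_threats(filter_anomalies(events))
    return {e: t for e, t in threats.items() if t[1] >= min_risk}
```

With the constructed data, the service account's fourth outlier day is suppressed as its normal pattern and never forms a threat, while the three anomalies for alice across credentials, movement and persistence connect into one alert.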
This design allows for greater flexibility in creating use cases specific to each customer environment in addition to the out-of-the-box solution set.
E8’s behavior graph exposes both anomalies and threats in a single user interface for interactive analysis. This enables end users to see connected behaviors — critical, suspicious and normal — for every user and device. Security personnel are able to instantly determine whether malicious activity is present, establish who within the organization is exhibiting this activity, and understand which alerts are related to that entity or behavior across all security technologies. In turn, security teams can more effectively manage investigations by eliminating the manual work and enabling faster responses to critical alerts first.
Our solution design enables end users to derive value from E8 Security’s Fusion Platform by:
- Discovering behavior patterns and anomalies that correspond to the Control, Execute and Maintain stages of the attack chain, and
- Dramatically improving productivity and efficiency for security operations by reducing investigation and analysis time from hours to minutes.
By separating anomalies and threats, end users have the flexibility to alert only on threats that meet specific risk criteria, dramatically reducing the alert load, but still using behavior anomalies as a layer of intelligence and context for SOC and incident response (IR) investigations and analysis.
So, back to our original question: why E8? By focusing on specific problems to solve, with proven machine learning technology, and a unique approach to the solution, E8 Security is distinctly positioned to solve modern cybersecurity challenges efficiently and effectively.