Detecting hidden attacker activity from the traces they leave behind is a whole new game. In a single midsized customer environment – with only 1300 endpoints – we have to analyze 70 million events a day.
Artificial intelligence and machine learning are the only scalable solution here. However, AI alone is not the answer – what works is the combination of data science and cyber security expertise.
Enterprise-grade cyber security for everyone
This week, F-Secure announced a brand new endpoint detection and response (EDR) solution for the midmarket. It is built on our experience on the frontline protecting our enterprise customers, and it uses machine learning to catch fileless attacks, privilege escalation and other advanced tactics used by attackers.
F-Secure Rapid Detection & Response provides companies lacking large IT and security teams or budgets with the advanced capabilities they need to defend themselves from targeted attacks.
The “Man and Machine” Approach
To overcome the problem of having far more raw events than a human can process, F-Secure developed behavioral data analysis to narrow the data down, and Broad Context Detection™ mechanisms to build a context around related events across the impacted hosts.
And the results? From the 70 million events analyzed every day, there are on average only 2-3 detections that need to be investigated.
The Future of Detection and Response
The traditional approach is to create and apply a set of detections based on known “bad” behavior. Our approach runs actual attacks against our systems while training them on what “good” behavior looks like. Everything else is then flagged for further analysis and false positive filtering.
In his keynote at the launch event, F-Secure’s CTO Mika Ståhlberg mentioned that this is the approach that most breach detection vendors will also settle on in the future.
The Environment is in Flux
Threat hunting systems need to adapt to changes quickly. Everything in the monitored environment is in flux – people, devices, operating systems, software, threats and TTPs.
Due to the nature of this flux, traditional IDS solutions tend to be “noisy” and prone to false alarms. These traditional solutions are also always one step behind the real threat landscape.
Key to Rapid Detection is in the Backend
To tackle this problem, our data scientists, working alongside our cyber security experts, have designed and built a series of backend statistical-analysis, machine-learning and expert systems to support our analysts.
Ståhlberg explains that the core of F-Secure’s backend is very simple, and all of the complexity is embedded in surrounding algorithms. This approach enables very fast deployment times for new detection algorithms – in minutes – and allows us to adapt to changes quickly.
With F-Secure’s detection and response service in place, there’s never a need to wait for the systems deployed on your own premises to receive updates – all the logic is in our backend systems.
Different Analysis Techniques for Different Tasks
Our analytics perform a number of tasks, from analyzing and learning behaviors in monitored environments to reducing false positives.
An expert system finds the kinds of behaviors caused by common attack tools and by the TTPs employed by cyber criminals. These include PowerShell commands and malicious URLs and IP addresses.
Machine learning systems are designed to spot previously unknown bad behavior, such as DHCP hijacks, lateral movement, spoofing, and other stealthy evasion tactics. We also use multi-level combinations of expert systems, statistical analysis, and machine learning.
Simple statistical analytics are best suited for eliminating false positives; by applying these methods, we currently eliminate approximately 80% of all irrelevant alerts.
The way we’ve built these systems and the way they interact with each other is unique, and something we’ve not seen elsewhere in the industry.
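The funnel described above (tens of millions of events reduced to a handful of detections), the “learn good, flag the rest” idea, the expert-system rules, the statistical false-positive filter and the per-host context grouping can all be shown in one small pipeline. The following is an added illustration written for this post, not F-Secure’s code: the event schema, the indicator values, the sample telemetry and the “same process on more than half of all hosts is a rollout” heuristic are all constructed assumptions, chosen only to make the four stages visible.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry event (constructed schema, not a vendor's)."""
    host: str
    user: str
    process: str
    cmdline: str
    dest_ip: str = ""


# Constructed indicators standing in for an expert-system rule set.
KNOWN_BAD_IPS = {"203.0.113.7"}                  # documentation range, placeholder value
ENCODED_PS_FLAGS = ("-encodedcommand", "-enc ")  # PowerShell flags often used to hide script text


def expert_rules(ev):
    """Stage 1: flag behaviour of known attack tooling and known-bad indicators."""
    reasons = []
    if ev.dest_ip in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if ev.process == "powershell.exe" and any(f in ev.cmdline.lower() for f in ENCODED_PS_FLAGS):
        reasons.append("encoded-powershell")
    return reasons


def learn_baseline(benign_events):
    """Stage 2, training: record which (user, process) pairs are normal on each host."""
    baseline = defaultdict(set)
    for ev in benign_events:
        baseline[ev.host].add((ev.user, ev.process))
    return baseline


def outside_baseline(ev, baseline):
    """Stage 2, scoring: anything not seen during training is a candidate anomaly."""
    return (ev.user, ev.process) not in baseline.get(ev.host, set())


def statistical_filter(anomalies, total_hosts, rollout_share=0.5):
    """Stage 3: drop anomalies whose process shows up on more than `rollout_share` of
    hosts at once; that pattern is a software rollout far more often than an intrusion."""
    hosts_per_process = defaultdict(set)
    for ev in anomalies:
        hosts_per_process[ev.process].add(ev.host)
    return [ev for ev in anomalies
            if len(hosts_per_process[ev.process]) / total_hosts <= rollout_share]


def build_context(alerts):
    """Stage 4: group surviving alerts per host so an analyst sees one case, not N alerts."""
    by_host = defaultdict(list)
    for ev, reasons in alerts:
        by_host[ev.host].append((ev, reasons))
    return dict(by_host)


def run_pipeline(benign_events, live_events, rollout_share=0.5):
    """Run all four stages and report how many events survive each one."""
    total_hosts = len({ev.host for ev in benign_events} | {ev.host for ev in live_events})
    baseline = learn_baseline(benign_events)
    anomalies = [ev for ev in live_events if outside_baseline(ev, baseline)]
    kept = {id(ev) for ev in statistical_filter(anomalies, total_hosts, rollout_share)}
    alerts = []
    for ev in live_events:
        reasons = expert_rules(ev)
        if id(ev) in kept:
            reasons.append("outside-baseline")
        if reasons:
            alerts.append((ev, reasons))
    return {
        "events": len(live_events),
        "anomalies_raw": len(anomalies),
        "anomalies_after_filter": len(kept),
        "alerts": len(alerts),
        "detections": build_context(alerts),
    }


# Constructed sample telemetry: four workstations, a tiny slice of one day.
HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04"]
BENIGN_EVENTS = ([Event(h, "alice", "outlook.exe", "outlook.exe") for h in HOSTS]
                 + [Event(h, "alice", "chrome.exe", "chrome.exe") for h in HOSTS])
LIVE_EVENTS = (
    # a legitimate software rollout: the same new process on every host at once
    [Event(h, "svc-deploy", "updater.exe", "updater.exe /silent") for h in HOSTS]
    + [
        Event("ws-01", "alice", "outlook.exe", "outlook.exe"),                          # normal
        Event("ws-03", "alice", "chrome.exe", "chrome.exe"),                            # normal
        Event("ws-02", "bob", "powershell.exe",
              "powershell.exe -EncodedCommand <constructed-base64>"),                   # suspicious
        Event("ws-02", "bob", "unknown-tool.exe", "unknown-tool.exe", "203.0.113.7"),  # suspicious
    ]
)


def demo():
    """Entry point used when the block is run or tested."""
    return run_pipeline(BENIGN_EVENTS, LIVE_EVENTS)


if __name__ == "__main__":
    result = demo()
    print({k: v for k, v in result.items() if k != "detections"})
    for host, items in result["detections"].items():
        print(host, [(ev.process, reasons) for ev, reasons in items])
```

Of the eight live events, six fall outside the learned baseline, but four of those are the rollout and are discarded by the statistical stage, so only two alerts remain, both on the same host, and the analyst receives a single detection with both reasons attached. The numbers are of course tiny; the point is that each stage is a separate, independently tunable filter, which is what lets new detection logic be swapped in without touching the rest of the pipeline.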
Stay One Step Ahead of the Attackers
This combination of artificial intelligence and cyber security specialists is the most efficient and accurate configuration for working with the vast amount of event data. It allows us to spot attacks before they have a chance to damage or access business-critical data.
“Artificial intelligence trained by the best cyber security experts is vital when you’re looking for needles in a digital haystack, and in the right hands, it’s able to keep defenders a step ahead of even the most skilled, highly motivated attackers,” says Ståhlberg.
This is a game-changer for midmarket companies. With modern technologies, AI and machine learning, we, together with our partners, will be able to bring enterprise-grade cyber security to everyone.
Want to know more? Get in touch with our sales team.