Cyber crime has existed almost since the beginning of computing. Regardless of whether it was for fun, for revenge or to get a financial reward, there’s always been malicious software trying to get control of our computers. Luckily, there has also always been an effort to identify malware to prevent it from harming our systems. There is a plethora of organisations devoted to gathering as much knowledge and as many samples as possible of malicious programmes, to identify what they look like and how they behave in order to create signatures or heuristic analysis to detect them.
While this approach detects the bad activities you are already aware of, and some that are not yet known, it does not detect the ‘not good’ activities. To make an analogy, the opposite of white is not black; it is ‘not white’. The approach commonly taken is to detect traces of dark activity.
However, even if you try to get as many samples of malicious activity as possible, there will always be something new, and you will be dealing with the unknown. So why deal with the unknown when you can work with known facts? There is a more logical way to solve this problem: learn how the good people behave and detect what is behaving differently.
Actually, this is the approach we have always taken with our kids. Nobody says ‘Don’t take sweets from people that look like bad guys’. We always tell them ‘Don’t take sweets from strangers’. They know who they know, and everyone else is a stranger. And that simple definition has different meanings for each person. Strangers are particular to each and every person. We believe that the same approach can be taken to protect organizations.
When it comes to security, it makes far more sense to understand how the people in your organization work, and to then learn from their behaviour and identify deviations from the norm. You are basing your analysis on known facts, on things you can check that are specific to your organization. That’s what we call ‘behavioural learning’.
Our research has been focused on obtaining enough information to understand the behaviour of people inside organisations, applying behavioural learning to those parameters, and using all the gathered knowledge to identify outliers with a high degree of confidence.
To do so, our technologists decompose network traffic at all levels: connections, protocols, applications, data types, and the information exchanged in the communication. The results are very enlightening when information from the different levels is combined. Using knowledge from only one of these layers (e.g. the network layer) helps in identifying some types of threats; it is when you combine all of them that behavioural learning shines.
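The layered ‘stranger’ idea above, as an added illustration that is not the company’s own code: it learns a per-user profile from constructed sample flows and scores a new flow by how many layers (destination, protocol, application, data type, volume) it is a stranger at, so that one unfamiliar layer stays routine while several at once become a high-confidence outlier. The field names, the threshold of three layers, the volume rule and the sample data are all assumptions made for the example.

```python
from collections import defaultdict

# Layers the traffic is decomposed into (constructed names): connection
# endpoint, protocol, application, data type; bytes moved are checked separately.
LAYERS = ("dst", "proto", "app", "dtype")

# Constructed sample flows (hypothetical network): (user, dst, proto, app, dtype, bytes)
BASELINE_FLOWS = [
    ("alice", "10.0.0.5", "tcp/443", "https", "html", 12000),
    ("alice", "10.0.0.5", "tcp/443", "https", "json", 8000),
    ("alice", "10.0.0.9", "tcp/445", "smb", "docx", 300000),
    ("alice", "10.0.0.7", "tcp/443", "https", "json", 15000),
    ("bob", "10.0.0.9", "tcp/445", "smb", "xlsx", 500000),
    ("bob", "10.0.0.9", "tcp/445", "smb", "docx", 250000),
    ("bob", "10.0.0.5", "tcp/443", "https", "html", 9000),
]

def _empty_profile():
    return {"seen": {layer: set() for layer in LAYERS}, "max_bytes": 0}

def learn_baseline(flows):
    """Per-user profile: the values seen at each layer, plus the largest flow observed."""
    profile = defaultdict(_empty_profile)
    for user, dst, proto, app, dtype, nbytes in flows:
        p = profile[user]
        for layer, value in zip(LAYERS, (dst, proto, app, dtype)):
            p["seen"][layer].add(value)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return dict(profile)

def stranger_layers(profile, flow):
    """Layers at which this flow is a 'stranger' to the user's learned behaviour."""
    user, dst, proto, app, dtype, nbytes = flow
    p = profile.get(user)
    if p is None:  # a user never seen before is a stranger at every layer
        return list(LAYERS) + ["volume"]
    unknown = [layer for layer, value in zip(LAYERS, (dst, proto, app, dtype))
               if value not in p["seen"][layer]]
    if nbytes > 2 * p["max_bytes"]:  # volume well beyond anything this user has moved
        unknown.append("volume")
    return unknown

def score(profile, flow, threshold=3):
    """One unfamiliar layer (say, a new web host) is routine; several at once is an
    outlier. Confidence grows with the number of layers that disagree with the baseline."""
    layers = stranger_layers(profile, flow)
    return {"stranger_at": layers, "outlier": len(layers) >= threshold}
```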
An accurate distinction between good and not good allows you to successfully apply the ‘Don’t take sweets from strangers’ approach.