Artificial Reality | The PatternEx Blog

Detecting DNS Rebinding Attacks

Unless you have been in North Korea since mid-July (working on denuclearization issues?), you have by now heard about the DNS rebinding vulnerability that IoT devices are subject to (CVE-2018-11315). There are two aspects to this matter that are particularly noteworthy. First, DNS rebinding attacks are not new. In fact, the first such attack was reported over ten years ago (CVE-2007-5232)! Second is the number of IoT devices potentially vulnerable in this latest CVE: half a billion devices. That is a lot of exposure sitting on your organization’s network and on your personal network at home. (The BleepingComputer blog post “Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks” from July 20th has a good breakdown of that number.)

Topics: Threat Detection AI SOC analytics SIEM

What to Look for in an MDR Provider


In my last blog post, I talked about why you should consider moving to an MDR provider. In this post, I want to discuss what you should be looking for in an MDR provider. There are several factors to consider if you are going to have a successful partnership with an MDR provider. Leading research and advisory companies (and others) have written about this too, but I don’t charge vendors to say nice things about them. 😀

Topics: machine learning Threat Detection SOC analytics MSSP

Is There a (MSSP) Bubble Coming?

As we approach the ten-year anniversary of the subprime mortgage crisis, which precipitated a housing bubble collapse and contributed significantly to the Great Recession, I am wondering whether another bubble is building.

Topics: Threat Detection SOC analytics MSSP

Changing Business Considerations for MSSPs: Saying Goodbye to Soda Straw Views

As the threat landscape has evolved (e.g., the increased number and size of DDoS attacks), MSSPs are being forced by the market to evolve their service offerings. It is simply no longer acceptable for an MSSP to manage only perimeter firewalls, a couple of Internet-facing applications, and perhaps a couple of important internal systems (e.g., Active Directory domain controllers). Why not? Because such (effectively) stand-alone ‘soda straw’ views do not provide the MSSP (or the customer) with the context needed to detect today’s sophisticated attacks. For example, with that hypothetical monitoring scenario, it would be extremely difficult to detect lateral movement, let alone a compromise of individual systems.

Topics: Threat Detection AI analytics MSSP

Why MSSPs Should Be Interested in Virtual Analyst Technology

MSSPs face several challenges in effectively running their operations, and subsequently providing value to their customers. For example, MSSPs’ customers are often demanding, and are concerned about their TCO.

Topics: Threat Detection SOC MSSP

Finding Cryptocurrency Mining Malware

2017 was the year of ransomware. 2018 is already shaping up to be the year of cryptocurrency mining malware. Are you prepared for this threat?

Topics: Threat Detection infosec AI

Help for SOC Analysts - Autocorrelation

Security Information and Event Management (SIEM) solutions have been in use for almost two decades, but the promise of SIEMs and other log search solutions remains unfulfilled. e-Security, arguably the first SIEM company, was founded in 1999 in Vienna, Virginia.

SIEMs deliver analytics tools with search capability, but these tools remain limited to providing responses to questions, queries, and correlations created manually by human analysts, and they have not evolved beyond rule-based correlation. SIEMs have claimed increased complexity and sophistication of such correlations through the use of wildcards, Boolean logic, RegEx, and other techniques. However, the SOC analyst remains constrained to receiving responses about his or her specific query, and the correlation must be very specific in order for the signal-to-noise ratio to be acceptable.

As a result, SIEMs lead to alert overload, generating thousands or millions of false positives for analysts to manually filter, investigate, and act on. In addition to being a huge drain on resources, this workflow often misses true risks (false negatives) in the deluge of alerts.

Topics: Threat Detection infosec AI SOC

The Benefits of Transfer Learning with AI for Cyber Security

Transfer learning is not new in information security. It has been in use for many years. For example, anti-malware vendors have exchanged malware samples between their own proprietary collections (so-called zoos). That is a form of transfer learning. Similarly, Snort Community rules are a form of transfer learning: community rules can be written by anyone and used by any organization. ISACs are another form of transfer learning, in which security-related information is shared within a community. All of these examples (zoos, community rules, ISACs) involve known bads (e.g., malware, exploits, IP addresses, domains).

Topics: Artificial Intelligence CyberSecurity Labels Virtual Analysts Threat Detection Transfer Learning AI

Cyber Security and AI-Squared

Monday of this week, MIT put a spotlight on a paper co-written by researchers from PatternEx and MIT CSAIL. The paper compared PatternEx's Active Learning approach with state-of-the-art Anomaly Detection approaches and reached two important conclusions:

  • It is possible for an AI system to automatically adjust its models over time based on human feedback and improve detection capability
  • AI systems using these techniques detect far more attacks with far fewer alerts than solutions based solely on Anomaly Detection

Topics: MIT AI^2 False Positives Threat Detection