A new AI is like hiring a fresh graduate from college—full of potential but it must be taught your enterprise's unique security environment.
Training the AI happens when the AI presents a set of alerts to human analysts, who review the alerts and define them as attacks or not. The analyst applies a label to the alert which trains a supervised learning model that automatically adapts and improves. This is a trained AI.
A trained AI acts like a virtual analyst, having captured the intelligence of the analyst through labels, and then adds the power of machines: it's always-on (24x7), it can analyze huge volumes of data in real time, and it finds patterns in hyper-dimensional space.
PatternEx transforms log data from multiple sources into behaviors, and then has "AI Pipelines" analyze that data in near real time.
PatternEx leverages Spark Streaming, high performance file systems, and distributed compute and data tiers. The entire solution uses RESTful APIs for easy integration.
The UI is designed to enable your analysts to determine if a behavior pattern is malicious or not, and then capture that input to further train/tune the AI models.
The AI2 process facilitates communication between the artificial intelligence platform and the human analyst.
Raw data is ingested, transformed into behaviors, and run through algorithms to find rare events for an analyst for review. After investigation, an appropriate label is attached to each event by the analyst. The system learns from these labels and automatically improves detection efficacy.
Data models created through this process are flexible and adaptive. Event accuracy is continuously improved. Historic data is retrospectively analyzed as new knowledge is added to the system.
PatternEx AutoCorrelate reduces the time it takes to investigate a threat by 20x by automatically discovering new correlations and displaying the entity relationships in an intuitive graph.
Once an entity has been determined to be bad or compromised, PatternEx AutoCorrelate automatically investigates thousands of relationships to identify a chain of suspicious entities that an analyst needs to navigate while investigating the vector of an attack. These relationships may span multiple entity types, threat tactics, and time.
PatternEx Custom Analytics gives users the ability to do deeper analysis or extract complex analytics from raw logs. Analysts can:
Your attack surface is broad and is changing. Your application, identity and access management, and traditional security data sources are all important for analysis. Data models can be made up of any combination of endpoint, network, access, and identity data.
Additionally, threat intelligence data and existing labeled attack data also can be incorporated into the analysis.
While you can get started by capturing only a few data sources, the more data sources you include, the larger the variety of attacks that can be detected.
AI model example:
Social engineering domains
This AI model speeds up detection of social engineering domains using 10+ simultaneous analytics. These analytics include, among others, the lexicographic characteristics of the domain name (length, digit ratio, vowel ratio, etc.), the domain age, and its popularity. The benefit is that the time between detection and remediation will be much shorter than waiting for published blacklists.
AI model example:
Domain Generation Algorithms (DGA)
This AI model detects DGAs (used by C2 systems to exfiltrate data and/or receive commands). We have shown this model to identify DGAs before the corresponding signatures are reported in VirusTotal, reducing the risk of data exfiltration or lateral movement.
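Both domain models above rely on lexicographic features of a name and on analyst labels to refit the model. The following is an added illustration, not PatternEx code: it extracts the features the social engineering model names (length, digit ratio, vowel ratio) plus Shannon entropy, and stands in a nearest-centroid classifier for the vendor's supervised model. The domain samples and labels are constructed, not real telemetry.

```python
# Added example, not PatternEx code: lexicographic domain features and a
# nearest-centroid classifier that is refitted from analyst labels.
import math
from collections import Counter

VOWELS = set("aeiou")
FEATURES = ("length", "digit_ratio", "vowel_ratio", "entropy")

def core_label(domain: str) -> str:
    """Drop the TLD and join the remaining labels: 'a.b.example.com' -> 'abexample'."""
    labels = domain.lower().strip(".").split(".")
    return "".join(labels[:-1]) if len(labels) > 1 else labels[0]

def domain_features(domain: str) -> dict:
    """Length, digit/vowel ratios and Shannon entropy of the core label."""
    core = core_label(domain)
    n = max(len(core), 1)
    counts = Counter(core)
    return {
        "length": float(len(core)),
        "digit_ratio": sum(ch.isdigit() for ch in core) / n,
        "vowel_ratio": sum(ch in VOWELS for ch in core) / n,
        "entropy": -sum(c / n * math.log2(c / n) for c in counts.values()),
    }

def fit_centroids(labelled: list) -> dict:
    """Per-label feature means; call again whenever analysts add new labels."""
    sums, counts = {}, Counter()
    for domain, label in labelled:
        f = domain_features(domain)
        acc = sums.setdefault(label, {k: 0.0 for k in FEATURES})
        for k in FEATURES:
            acc[k] += f[k]
        counts[label] += 1
    return {lbl: {k: acc[k] / counts[lbl] for k in FEATURES} for lbl, acc in sums.items()}

def classify(centroids: dict, domain: str) -> str:
    """Assign the label whose centroid is nearest in feature space."""
    f = domain_features(domain)
    dist = lambda c: math.sqrt(sum((f[k] - c[k]) ** 2 for k in FEATURES))
    return min(centroids, key=lambda lbl: dist(centroids[lbl]))

# Constructed analyst labels (not real data); the DGA-like names are made up.
ANALYST_LABELS = [
    ("google.com", "benign"), ("example.org", "benign"),
    ("xk3j9q2lwz7b.net", "dga"), ("q8v2mz4tpl0x.com", "dga"),
]

if __name__ == "__main__":
    model = fit_centroids(ANALYST_LABELS)
    for d in ("paypal.com", "m3k9zq7xwp2l.org"):
        print(d, domain_features(d), classify(model, d))
```

A real deployment would standardize the features (length otherwise dominates the distance) and add the non-lexical signals the page lists, such as domain age and popularity.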
PatternEx Virtual Analyst Platform Architecture
Learn how PatternEx dynamically accepts security analysts' feedback to create predictive models that continuously adapt to detect new and existing threats. Using this feedback, PatternEx is continuously trained to improve detection accuracy. Download the white paper to learn more.