Using machine learning to deliver a smarter security solution

IT organisations of all size are spending more money than ever to protect their network and assets due to the increasing threat landscape. According to IDC, security budgets will grow by 40% by 2020. And in addition to the growing number of threats, the typical IT security ecosystem is changing rapidly due to:

  • The increase in the number and types of devices that a single user may use to access corporate assets
  • Cloud-based applications that can be accessed outside the control of corporate IT
  • The need to provide access to high value assets to outside stakeholders such as partners and contractors to increase efficiency of key business processes
  • “Non-traditional” IoT devices accessing the corporate network

Protection used to be a matter of defending the corporate network with security products at the entrance and exits. Now it’s about protecting a borderless, uncontained collection of employees, contractors and partners – all using multiple devices from anywhere, at any time – from outside and within the secure boundaries of the corporate network.

To deal with this new threat landscape, Aruba’s User and Entity Behaviour Analytics (UEBA) solution, Aruba IntroSpect, detects attacks by spotting small changes in behaviour that are often indicative of attacks that have evaded traditional security defences.

Aruba IntroSpect integrates advanced AI-based machine learning, pinpoint visualisations and instant forensic insight into a single solution. Attacks involving malicious, compromised or negligent users, systems and devices are found and remediated before they damage the operations and reputation of the organisation.

The Need for UEBA

Traditional cyber defence products were not designed to deal with the sophisticated, carefully-crafted and targeted attacks that enterprises now face. They are still needed to deal with the vast majority of “standard” threats that come in every day, but require help with the smaller number of deadly “advanced” attacks that arrive without warning and evade perimeter defences. These can be termed “attacks on the inside” using techniques and tools that haven’t been seen before. This means there are no rules to fire, which is why IntroSpect features a new class of detection analytics that utilises artificial intelligence technology that does not require pre-programming or setup. Instead, IntroSpect builds baselines of normal behaviour for a user, a system or any device with an IP address—known as an “entity”. The baselines are built by machine learning models that operate on key data from logs, netflow and packet streams—anything that characterises an entity’s IT behaviour. These baselines are then used to detect abnormal behaviour that, aggregated over time and put into context, will indicate a gestating attack. Given this approach, Gartner dubbed the category UBA (User Behaviour Analytics) and then extended this to UEBA (User and Entity Behaviour Analytics) to reflect products like IntroSpect that profile not only users and systems, to anything with an IP address (i.e., IoT).

Aruba is the only networking provider with the industry’s leading UEBA solution.

Continuous monitoring and attack detection.
100+ supervised and unsupervised models that detect the widest range of attacks.

Total visibility.
IntroSpect uniquely incorporates all sources of IT-relevant data into both the analytics and forensics, including packets, flows, logs, alerts, endpoint, cloud, etc.

Accelerated incident investigation.
IntroSpect combines both attack detection via supervised and unsupervised machine learning with integrated forensic data in a consolidated security profile called Entity360.

Mature enterprise-class scalability.
Support for a Big Data architecture – IntroSpect has a 3 year head start in perfecting this technology.

Seamless integration.
With bi-directional integration with the major SIEM and log aggregation systems such as ArcSight, McAfee ESM, QRadar and Splunk, IntroSpect leverages both their centralised data repositories as well as returning machine learning-based alerts and forensic data to the SIEM console and workflow.

Business context and policy-based attack response.
Integration with access control systems such as ClearPass provide IntroSpect with the ability to automate the response to attack alerts based on policies set by the organisation.

Aruba ClearPass + IntroSpect = 360 Protection.
The combined solution delivers three key security innovations: advanced attack detection, accelerated investigation, and proactive, policy-based enforcement.

As an eight times Aruba Reseller of the Year, Pervasive’s wireless network experts have designed, implemented and supported innovative Aruba mobile network solutions for the UK’s largest organisations across a range of sectors.

For more information click here.

To book a meeting and understand how Aruba IntroSpect can help protect your organisation, click here.