SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

5 ways to use data science to predict security issues - Forcepoint

Mon, 21st Sep 2020

A key part of digital transformation and the move to digital services is data science. Data science lets people respond to problems in a better way, and understand those problems in a way that would not have been possible 50 years ago.

But data science can be just a numbers game if it is not used to its full potential. Utilised properly, data science can help people, and the decisions they make, become 'predictive'. In the case of cybersecurity, IT professionals may be able to predict bad events before they occur. Forcepoint's Asia Pacific strategic business director Nick Savvides explains more.

"There is one thing that security teams, firewalls, antivirus programs, email protection, intrusion detection systems have in common – they're all tasked with determining if an action or event is 'good' or 'bad'. This is a classification problem, and one that has advanced over time," Savvides says.

Machine learning and artificial intelligence have been key to the data science revolution because they approach these classification problems in a way that can lead to predictive behaviour.

Here are five critical steps in applying data science to cybersecurity, and how they come together to create an action plan.

1. Signals

'Signals' is another way of describing inputs such as data from applications and users. "Obtain as many signals as you can from the things that you can control," says Savvides. The more signals an organisation has, the easier it is to understand what's going on.

Indicators of compromise (IoCs) are the 'fingerprints' or traces that attackers leave behind, each tied to a particular security threat. They can help businesses determine whether they have been – or may soon be – compromised.

"We can take those signals, apply data science and then say, 'I predict that this IoC might be a risk to the organisation'. A system can then automatically implement controls that stop an unwanted action before it happens.

"A system can also take signals from devices and the cloud, analyse them, and form a predictive approach. It could go even further and integrate at the network layer – not just at the points where the user and data leaves, but also in the transit in between."

Solutions based on the Secure Access Service Edge (SASE) architecture sit at the edge of the cloud between the user and the application data. SASE solutions can capture signals from the user, the machine, applications, internet connections, and connectivity. It's a powerful way to use signals to shape prediction.

2. Behaviour

Indicators of behaviour (IoBs) focus on events generated by users interacting with data and applications. They outline how a user or a threat behaves in an environment.

By understanding how an employee or contractor typically behaves, it's possible to identify high-risk behaviour that could indicate a malicious insider or compromised account. Behaviour indicators work in conjunction with signals: the signals record which actions took place, and the behaviour model determines whether that pattern of actions is normal for the person or account performing them.

3. Context

Context is what surrounds a signal or behaviour: who the user is, what device and location they are acting from, and how sensitive the data they are touching is. A behaviour might not look suspicious on its own, but what is the context of that behaviour?

"Something that might seem benign could actually be malicious, and vice versa. Context is important because otherwise, you won't understand what a behaviour means," Savvides says.

Data science can provide context that can then be used for dynamic controls. Responses can learn from those controls to create a virtuous cycle of learning, making changes, observing changes, and learning again.

"The end goal is to prevent bad things from happening before they happen. By understanding context, security professionals can identify the risk and have the system react accordingly."

4. Automated action

Automation is an important step that frees security teams to focus on what matters. Automation is scalable and it can take care of the majority of cases that need to be investigated. The key is to have the right solutions deployed to enable automation and remove the need for manual intervention.

5. Response

After automated actions have investigated and triaged all threats, IT teams can focus on the top priorities for further investigation, response, and remediation if necessary.
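The five steps above, as one small runnable pipeline. This is an added example written for this article, not Forcepoint's code or product logic: the event format, the scoring weights, the action thresholds and the data-classification table are all assumptions, and both the historical signals and the events assessed are constructed. It also illustrates the point made later in the article about 'rules': a static size rule blocks an engineer's routine large pull while letting a malicious insider's sub-threshold download through, whereas the risk score built from behaviour plus context does the reverse.

```python
"""Risk-adaptive event scoring: signals -> behaviour -> context -> automated action -> response.

Added example; not Forcepoint code. Event format, weights, thresholds and the
data-classification table are assumptions made for this illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:                 # step 1: one "signal", a single user action
    user: str
    hour: int                # hour of day (0-23) the action happened
    action: str              # "view" or "download"
    resource: str            # application or data store touched
    size: int                # bytes transferred (0 for a view)
    device_known: bool       # managed / previously seen device? (context)
    country: str             # country of the source IP (context)


def parse(line: str) -> Event:
    """Parse one record: user,hour,action,resource,size,device_known,country."""
    user, hour, action, resource, size, device, country = line.split(",")
    return Event(user, int(hour), action, resource, int(size), device == "1", country)


# Constructed history of normal activity (the signals a behaviour baseline is built from).
HISTORY = [parse(l) for l in (
    "alice,09,download,crm,200000,1,AU", "alice,10,download,crm,180000,1,AU",
    "alice,14,download,crm,220000,1,AU", "alice,11,view,crm,0,1,AU",
    "alice,16,download,wiki,50000,1,AU",
    "bob,08,download,build-artifacts,40000000,1,AU",
    "bob,13,download,build-artifacts,55000000,1,AU",
    "bob,15,download,build-artifacts,48000000,1,AU", "bob,10,view,wiki,0,1,AU",
)]

# Constructed events to assess today.
TODAY = [parse(l) for l in (
    "alice,23,download,hr-db,800000,0,AU",            # new source, late, unmanaged device, < 1 MB
    "bob,09,download,build-artifacts,60000000,1,AU",  # bob's routine large pull
    "alice,10,download,crm,210000,1,AU",              # alice's routine activity
    "bob,03,download,build-artifacts,52000000,1,RU",  # bob's account, 3 am, new country
)]

# Assumed data-classification table: how sensitive each resource is (context, not behaviour).
SENSITIVITY = {"hr-db": 3, "crm": 2, "build-artifacts": 1, "wiki": 0}


@dataclass
class Baseline:              # step 2: what "normal" looks like for one user
    hours: set
    resources: set
    mean_download: float
    countries: set


def build_baselines(history):
    """Summarise each user's historical signals into a behaviour baseline."""
    per_user = defaultdict(list)
    for e in history:
        per_user[e.user].append(e)
    baselines = {}
    for user, evs in per_user.items():
        sizes = [e.size for e in evs if e.action == "download"]
        baselines[user] = Baseline(
            hours={e.hour for e in evs}, resources={e.resource for e in evs},
            mean_download=sum(sizes) / len(sizes) if sizes else 0.0,
            countries={e.country for e in evs})
    return baselines


def behaviour_score(e, b):
    """How far this event deviates from the user's own baseline (assumed weights)."""
    score, reasons = 0, []
    if all(abs(e.hour - h) > 2 for h in b.hours):
        score += 2; reasons.append("off-hours")
    if e.resource not in b.resources:
        score += 2; reasons.append("new resource")
    if e.action == "download" and b.mean_download and e.size > 5 * b.mean_download:
        score += 3; reasons.append("volume spike")
    return score, reasons


def context_score(e, b):
    """Step 3: facts about the event that a behaviour baseline alone does not capture."""
    score, reasons = 0, []
    if not e.device_known:
        score += 2; reasons.append("unmanaged device")
    if b is not None and e.country not in b.countries:
        score += 2; reasons.append("new country")
    sensitivity = SENSITIVITY.get(e.resource, 1)   # unknown resources get a middling weight
    if e.action == "download" and sensitivity:
        score += sensitivity; reasons.append(f"sensitive data ({e.resource})")
    return score, reasons


def decide(score):
    """Step 4: the dynamic control chosen from the risk score (assumed thresholds)."""
    return "block" if score >= 7 else "step_up_auth" if score >= 4 else "allow"


def static_rule(e):
    """The legacy rule for contrast: block every download over 1 MB, whoever and whyever."""
    return "block" if e.action == "download" and e.size > 1_000_000 else "allow"


def assess(e, baselines):
    b = baselines.get(e.user)
    if b is None:            # first sighting of this user: only context can be scored
        bs, br = 0, ["no baseline yet"]
    else:
        bs, br = behaviour_score(e, b)
    cs, cr = context_score(e, b)
    score = bs + cs
    return {"user": e.user, "resource": e.resource, "score": score,
            "action": decide(score), "static": static_rule(e), "reasons": br + cr}


def triage(events, baselines, min_score=4):
    """Step 5: every event scored, plus the queue an analyst should work through first."""
    results = [assess(e, baselines) for e in events]
    queue = sorted((r for r in results if r["score"] >= min_score), key=lambda r: -r["score"])
    return results, queue


if __name__ == "__main__":
    results, queue = triage(TODAY, build_baselines(HISTORY))
    for r in results:
        print(f"{r['user']:6}{r['resource']:16} score={r['score']:2} adaptive={r['action']:13} "
              f"static={r['static']:5} {r['reasons']}")
    print("analyst queue:", [(r["user"], r["resource"], r["score"]) for r in queue])
```

Run it and compare the two columns: alice's 800 KB pull from `hr-db` at 23:00 from an unmanaged device scores 9 and is blocked, while the 1 MB rule lets it through; bob's 60 MB build download at 09:00 is allowed because it matches his baseline, while the rule blocks it; bob's account at 03:00 from a new country lands in the middle and gets step-up authentication rather than a hard block. Only the two events that cross the review threshold reach the analyst queue, highest score first.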

How the five points all fit together

Savvides summarises, "Data science is used to collect signals and analyse them. It also helps to understand users' actions and apply context to those behaviours. Automation is used to drive responses in a dynamic way that is a result of real-time changes in those signals and behaviours."

While organisations manage risk all the time, Savvides says that cybersecurity is still somewhat stuck in a 'rules' way of thinking. It requires a change of mindset from a rigid policy approach to one that is risk adaptive.

"Often we think about policy violations, 'Is this a violation of policy? Was this rule broken?' Rules are great because they set a baseline. But what we are dealing with are security events that would fall outside of those rules and all the signatures.

"Organisations still get hacked, even though they've got firewalls, proxies, and data loss prevention tools in place with thousands of rules. You need to understand what you're trying to achieve; for example, predictive and preventative security rather than 'rules' to stop certain actions."

How Forcepoint can help

Forcepoint democratises security beyond static rules-based policies and instead helps enterprises better understand risks to make smarter and more targeted decisions.

Forcepoint combines data science applied in signals, behaviours and human psychology, and uses automation to enable any organisation to improve its security.

"We understand behaviour, insider threat risk, and we combine that with data loss prevention. We're also introducing new product classes that are behaviour-aware, starting with dynamic data protection."

But what about the future? The network edge will become more behaviour-aware with dynamic security controls. Forcepoint is building this into its existing and new products so it is ready to help organisations understand the new trend of behaviour-based networks.

To learn more about Forcepoint, visit www.forcepoint.com.
