Software Engineering Institute

Any organization that needs to sustain and improve its defensive cybersecurity posture must be able to implement the optimal set of security analytics. Recent advances in the fields of artificial intelligence (AI) and machine learning (ML) increase the incentive to implement predictive analytics that take advantage of these underlying technologies. Instead of building heuristic analytics that aim to match through static queries and signatures, ML models are applied to defensive cybersecurity to capture and generalize the underlying characteristics of malevolent behavior, such that they can protect from new and slightly modified threats. However, since there is no standard approach for implementing ML analytics in the cybersecurity domain, applying ML analytics without the underlying required components can easily waste much organizational effort.

Using examples from MITRE’s ATT&CK™ model, the authors present a novel framework to help organizations decide whether the detection of a malevolent technique is best suited with a simple static heuristic analytic or a ML security analytic. The presentation, which focuses on host-based detection, includes the critical underlying decision points and the tradeoffs that should be considered to influence the overall decision. The framework is broken down into components that include data, analytic evasion, and the organization itself. Considering that data is a critical component of predictive ML models, and that sufficient data collection and labeling continues to be a challenge, the authors provide a deep dive into this area with discussion on host-based data sources. Even if the right data is being collected, it is rarely labeled, limiting the application of supervised ML models. While Windows Security events and Sysmon event data are typically collected for host-based detection, process monitoring data can be efficiently consolidated and processed on the endpoint before being ingested into a big data platform for translation into ML-ready format. The proposed framework will provide security analytic developers a structured means to implement analytics to better secure and defend an enterprise network.