How AI Driven Network Anomaly Detection Can Help You Decrease Enterprise Risk without Touching PII (Personally Identifiable Information)

August 25, 2017

By: Matthew McKenna, VP of International Operations

I had the good fortune the other night as I arrived to my hotel and turned on the TV to encounter a fascinating documentary about WWII code breakers at Bletchley Park. Bletchley Park was the home of Government Code and Cypher School, whose job it was to intercept and crack the German Enigma and Lorenz ciphers.  The main character in this documentary was Gordon Welchman, whose primary focus during his time at Bletchley was “traffic analysis”. Traffic analysis was the art of collecting the metadata of the encrypted communications and gaining context from the header information of that metadata. Things like the origin of the message, the intended destination, time and date, etc..  These techniques were eventually utilized to help them in the decryption of the Enigma code. 

Fast forward to today, we are moving rapidly towards a world where in the coming years over 80% of all traffic will be encrypted. We are simultaneously inundated with not only the never ending barrage of cyberattacks against our networks, but extremely stringent compliance mandates that expect us to have all our angles covered. Compliance is excellent to aspire to, however, risk reduction is what keeps our businesses safe. So the question is: How do we detect and pre-empt cyberthreats across our networks where the majority of traffic is encrypted, while simultaneously ensuring that privacy is not affected? The Answer: Network based anomaly detection utilizing artificial intelligence.

Just like Gordon Welchman, CyGlass has the capability to build a story of emerging threats within your network, based on the header information of the network traffic, not touching the body of the traffic. When leveraging artificial intelligence, that header information is then run through ensemble of algorithms based on emerging context of those conversations, and prioritized into what are known as areas of concern. 

As an example, we just finished a one month trial with a customer across 20.000 internal nodes, touching 65.000 external nodes as well. During that time period, CyGlass went through close to 450 million net flows. Yes, 450 million distinct network conversations, eliminating 99.99999% of the noise, and providing the customer with useful insight into threat areas that warrant appropriate attention. That equates to 45 alerts across the network that were prioritized as concerning. Forty-five is much more manageable number than the thousands of event alerts that the average SIEM will kick off per day in a large scale enterprise.

The amount of data and traffic that we manage within our networks these days is by all means mathematically unmanageable for an individual. With the increasingly nebulous perimeter of on premise, cloud, BYOD, network devices, IOT and so on, artificial intelligence provides us the possibility to gain meaningful actionable information from that data. More importantly however, a network based anomaly detection approach based on header information only permits us to do this without having to have the additional concern of touching personal data. And at the same time, will help us decrease the overall risk profile to our networks.

If Gordon Welchman was able to help crack the Enigma code over 70 years ago, using traffic header information, imagine what threats we can potentially uncover and surface within our networks with today’s computing power…

Back To Blog
Why CyGlass Product Resources