Advanced Detection Based on Unsupervised Machine Learning
Gilad Peleg started his career at the Israeli Defense Forces (IDF) elite cyber security unit, at the center for cryptography and security. Later, he led product management and marketing for a number of large technology organizations, as well as several startups that were eventually acquired. A couple of years ago he went back to his cyber security origins and joined SecBI, where he serves as CEO. Share
What makes the SecBI solution unique?
The SecBI solution is about advanced detection. It helps organizations to detect and mitigate the most complex and hidden threats that are out there. SecBI provides full-scope incident detection, compiling all the affected users, domains, devices and servers into a single incident.
SecBI’s unique technology is based on unsupervised machine learning algorithms that continuously analyze the massive amount of network security log data for hidden and unknown security incidents.
How does your solution deal with false positives?
Security teams still base their work on alerts. Whenever a potential threat matches a certain signature or rule, they have to start an investigation process and connect the dots between the alert and a lot of additional data, just to answer the question, “Is this real malicious activity, and if so, who does it affect?” In many cases, security teams spend serious amounts of time chasing what turns out to be false positives.
SecBI’s proprietary engine analyzes the network security log data, and groups events that are significantly correlated and unique in their behavior into distinctive clusters. Once the detection process is cluster-wide, we can ensure detection of weak or hidden signals, which lead to more accurate detection and less false positives.
Who is your solution mostly suitable for?
The customers we target are medium-large enterprises such as financial institutions, retail companies, telcos and healthcare organizations.
It is important to note that our solution is easily and instantly deployed, with no additional appliances or agents. Because it analyzes log data that is already available in the organization, deployment is effortless and requires no changes to the network infrastructure in order to deliver immediate results.
On your website, it is stated that your solution can detect threats that other tools miss. How do you do that?
Our main advantage is in grouping “breadcrumbs” of data to clusters, which improves the signal-to-noise ratio for better detection of malicious activity.
Detection means you’re always trying to identify something with enough confidence to pass a certain threshold. If the threshold is too low, the alerts are false. When you do that based on a discrete activity, a single user, or when you see it based on a pre-configured rule, you need high confidence to be sure that a specific activity is malicious, this results in missing complex and stealthy attacks.
Our solution conducts behavioral clustering, grouping together any communication that the compromised device has with the malicious infrastructure. The SecBI solution is thus able to perform cluster-wide detection, , resulting in a much more accurate and faster ability to detect malicious behavior.
Cluster-wide detection also means that the security analyst will see a comprehensive attack description, providing the complete picture to mitigate the threat completely.
Whenever we find a malicious incident, we observe that less than 10% of the forensic evidence is detected and identified by other vendors. The remaining 90% is totally under the radar and looks like normal communication, and a full 90% of infected users go unidentified.
In your opinion, what is the biggest problem in the cyber world today? And how can it be solved?
There has been a shift in the way attackers operate, with sophisticated tools and services available at very low cost. We know that attacks exist in organizations long before they are detected, sometimes even years. Even when detected, there is a long period during which the organization runs investigations to understand the scope of an attack. This can take months and, in some cases, the full scope is never actually revealed.
CISOs need to reconsider their security strategies and adapt their organizations’ security measures accordingly. Full scope detection of incidents ensures that attacks are fully detected in a timely manner, causing minimal damage to the organization and leaving the attackers empty handed.