State and Local Agencies Can Identify Cyberthreats Through Anomaly Detection

What Is Anomaly Detection?

ServiceNow notes that an anomaly is a change within a data pattern, an outlier or an event that falls outside of a standard trend. It’s a deviation from something expected or something that doesn’t conform to expectations.

There are three broad types of anomalies: point, contextual and collective.

• Point anomalies, also called global anomalies, are single points or pieces of data identified as too far off from similar data points in the group.
• Contextual anomalies are abnormal in one context but normal in another; for example, over two data sets collected at different times.
• Collective anomalies are entire subsets of data that are outliers when compared to wider sets of data of similar nature or type.

Anomaly detection is the process of finding and identifying point, contextual or collective anomalies that fall outside the bounds of defined policies. Detection itself is only the first step; further analysis can help determine whether anomalies are defects, malfunctions, fraud or security compromises.

How Does Anomaly Detection Work?

According to Andrew Stewart, senior federal strategist for the Industries Solution Group at Cisco, data drives effective anomaly detection.

“Any time you are doing this, more data is good,” he says. “Data analysts will tell you that more data is good, and that diversity in data is tremendously important.”

Collecting and leveraging this data makes it possible to identify both common patterns and outliers, allowing state and local agencies to pinpoint potential problems. This data comes from entities, or devices and services connected to a network.

“You need to know every entity,” says Stewart. “That’s table stakes. What you want to see is their telemetry, every conversation between these entities.”

He likens it to a cell phone bill, which provides a list of whom you called and for how long. Anomaly detection provides details about how entities interacted and whether that interaction was out of the ordinary.

What Are the Benefits of Anomaly Detection?

“When you think about the amount of data on a network, you want to see what is normal and what is suspicious,” Stewart says. “You want contextual awareness around what’s happening: What does a user normally do? What is their normal behavior? Is current behavior outside of policy?”

This is the role of anomaly detection: creating context. Consider a user that normally logs on to agency networks from home at 9 a.m. every workday. If this suddenly changes to 11 a.m., anomaly tools can flag the behavior for review. A quick follow-up might reveal that the user is on a business trip in a different time zone.

EXPLORE: How ServiceNow streamlines operations and improves customer experience.

If tools detect more significant deviations from normal practice, however, they can take more direct action. For example, if our hypothetical user isn’t only logging on at a different time but is also downloading more data and accessing multiple applications in quick succession, it may be an indicator that the user’s account has been compromised. Integrated detection tools can relay this information to security services, which can close user sessions and restrict access pending review.

Stewart says solutions such as Cisco’s Secure Network Analytics can leverage asymmetric path processes to identify and link behavior patterns they have seen elsewhere on the network. This reduces the time between detection and response.

Ultimately, these tools help agencies set the stage for a secure OODA loop by providing context in order to observe and orient and setting the stage to decide and act. Equipped with information about what behaviors are observed on a network, organizations can orient themselves for an effective response: Is the threat new? Has it been seen before? What’s the potential risk? Armed with in-depth observations and orientation, it’s possible to boost decision-making confidence and take decisive action.

Governments Are Utilizing Machine Learning for Anomaly Detection

Machine learning offers a way to improve anomaly detection operations to reduce the total risk for state and local governments.

Stewart highlights the emerging process of encrypted data analytics. “It used to be bulk decryption analysis,” he says, “but this was time- and cost-consuming and not secure.”

If data is decrypted to detect anomalies, any benefits gained from the encryption itself are eliminated. In addition, attackers also make use of encryption to hide their intentions; if malicious payloads are protected by encrypted efforts, they may be unintentionally white-flagged.

DISCOVER: How state and local agencies automate data analysis with Software as a Service.

The use of new techniques such as privacy-preserving machine learning, however, makes it possible for machine learning models to directly compute encrypted data without compromising its security. Only the original encryptor of the data can decrypt it, while anomaly detection tools can scan the encrypted data for any indication of unexpected or malicious intent.

Machine learning also makes it easier for agencies to keep pace with the evolution of attacker efforts. Instead of simply responding to threats as they occur, machine learning algorithms set the stage for organizations to collect and correlate data about anomalous behavior, helping them predict future trends.

Anomalous behavior represents a departure from the norm. Whether this departure is good, bad or benign depends on more in-depth analysis, but it always starts at the same place: effective anomaly detection.