
Today’s cyber threat landscape demands that organizations constantly improve their attack detection methods. New-Scale Fusion offers an innovative approach based on behavioral analysis, allowing you to identify anomalies and complex attacks that are not detected by traditional security measures.
Architecture and Components of New-Scale Fusion for Behavioral Analysis
New-Scale Fusion uses a modular architecture consisting of several key components designed to collect, process, and analyze data required for behavioral analysis.
Data Collection and Integration
The system integrates with a wide range of data sources, including:
- Security Event Logs (SIEM).
- Network Traffic Data (NetFlow, PCAP).
- Authentication Data (Active Directory, LDAP).
- Cloud Services (AWS, Azure, GCP).
- Endpoints (EDR).
This integration provides a comprehensive view of user and entity activity within the organization.
Data Normalization and Enrichment
The collected data undergoes normalization and enrichment. Normalization transforms data from various sources into a uniform format, which simplifies further processing. Enrichment adds contextual information to the data, such as the geographic location of IP addresses, asset data, and threat intelligence from third-party sources. This creates relationships between data points within the organization and makes network behavior analysis more efficient.
This process improves the accuracy of behavioral analysis and allows for the identification of more complex anomalies.
Analytics Engine
The core of New-Scale Fusion is the analytics engine, which uses machine learning and artificial intelligence to identify anomalies in behavior.
Behavioral Models and Machine Learning Algorithms
New-Scale Fusion uses a wide range of behavioral models, each designed to analyze a specific aspect of user and entity activity. The models are constantly trained and adapt to changes in behavior.
Modeling Normal User Behavior
This model determines the normal behavior of each user based on their previous activity. The following data is used to train the model:
- Login and logout times.
- Applications and resources that the user typically accesses.
- The amount of data that the user typically transmits and receives.
- The geographic location from which the user typically logs in.
Various machine learning algorithms are used to train the model, including:
- Clustering (e.g., K-Means) to identify groups of users with similar behavior.
- Regression (e.g., linear regression) to predict expected user behavior.
- Profiling based on Hidden Markov Models.
Deviation from normal behavior is determined based on statistical indicators, such as standard deviation and Z-score. Model parameters are tuned to minimize false positives and improve the accuracy of anomaly detection.
Example metric: Z-score for the amount of data downloaded by a user during the day. A high Z-score indicates anomalous activity.
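The Z-score metric above, as an added example (illustrative code written for this page, not New-Scale Fusion's implementation). The sample volumes, the minimum baseline length, the alert threshold, and the standard-deviation floor are all assumptions.

```python
import statistics

# Constructed sample: MB downloaded per day by each user on prior days.
HISTORY_MB = {
    "alice": [120, 135, 110, 128, 140, 118, 125, 131, 122, 127],
    "bob": [40, 40, 40, 40, 40, 40, 40, 40, 40, 40],  # perfectly flat baseline
    "carol": [300, 280],                              # too little history
}
TODAY_MB = {"alice": 2150, "bob": 41, "carol": 900}   # constructed

MIN_DAYS = 7           # assumed: shortest baseline we are willing to score against
Z_THRESHOLD = 3.0      # assumed: alert at three standard deviations above the mean
STD_FLOOR_FRAC = 0.05  # assumed: treat std as at least 5% of the mean

def z_score(history, value):
    """Z-score of value against the user's own history, or None if history is too short."""
    if len(history) < MIN_DAYS:
        return None
    mean = statistics.fmean(history)
    std = statistics.stdev(history)
    # A flat baseline has std == 0; without a floor this divides by zero, and a
    # near-zero std turns a one-megabyte change into a huge score (false positive).
    std = max(std, STD_FLOOR_FRAC * mean, 1.0)
    return (value - mean) / std

def score_day(history_by_user, today_by_user):
    """Return {user: (z, status)} for one day's download volumes."""
    results = {}
    for user, value in today_by_user.items():
        z = z_score(history_by_user.get(user, []), value)
        if z is None:
            status = "insufficient_baseline"
        elif z >= Z_THRESHOLD:
            status = "anomalous"
        else:
            status = "normal"
        results[user] = (z, status)
    return results

if __name__ == "__main__":
    for user, (z, status) in score_day(HISTORY_MB, TODAY_MB).items():
        print(user, "n/a" if z is None else round(z, 1), status)
```

Only upward deviations alert here because the metric concerns unusually large downloads; the floor and minimum-history checks are the kind of parameter tuning that keeps false positives down for new or very regular users.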
Modeling Resource Access
This model analyzes user access patterns to resources, such as files, databases, and applications. The following data is used to train the model:
- List of resources that the user has access to.
- Time and frequency of access to resources.
- Type of access (read, write, delete).
The following machine learning algorithms are used to train the model:
- Social network analysis to identify groups of users who have access to the same resources.
- Association rule mining algorithms to identify unexpected combinations of resource access.
Deviation from normal behavior is determined based on the frequency and type of access to resources, and by comparing the user's behavior with that of other users who have access to the same resources. Model parameters are configured to account for user roles and access rights.
Example metric: frequency of user access to sensitive files during off-hours.
Modeling Network Traffic
This model analyzes network traffic to identify anomalies, such as unusual connections, large volumes of data, and suspicious protocols. The following data is used to train the model:
- Source and destination IP addresses and ports.
- Communication protocols (TCP, UDP, HTTP).
- Amount of data transmitted and received.
- Time and duration of connections.
The following machine learning algorithms are used to train the model:
- Clustering (e.g., DBSCAN) to identify groups of network connections with similar characteristics.
- Anomaly detection based on statistical methods (e.g., time series analysis).
- Autoencoders to identify anomalous traffic.
Deviation from normal behavior is determined based on statistical indicators, such as the frequency and volume of traffic, and by comparing network traffic with known attack patterns. Model parameters are tuned to account for the specific network infrastructure of the organization.
Example metric: amount of traffic sent to an unknown IP address.
Applying AI to Identify Complex Attacks
New-Scale Fusion uses artificial intelligence to correlate anomalies detected by the various behavior models and so detect complex attacks consisting of multiple stages. AI helps to combine disparate events into a single picture of the attack, allowing security analysts to respond to threats faster and more effectively.
Detection of Account Compromise
New-Scale Fusion can detect instances of account compromise by correlating the following anomalies:
- Unusual logins from new geographic locations.
- Attempts to access resources that the user does not typically access.
- Increased amount of data transmitted and received by the user.
- A change of the account's password.
AI uses rule-based knowledge about attacks, as well as machine learning algorithms to identify suspicious behavioral patterns indicating account compromise.
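A rule-based sketch of this correlation, as an added example (not New-Scale Fusion's code): it raises an account-compromise alert only when several different anomaly types for the same user fall inside one time window. The event names, sample events, window length, and minimum count are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed anomaly events, as the individual behavior models might emit them.
EVENTS = [
    ("2024-05-01T02:10:00", "jdoe", "new_geo_login"),
    ("2024-05-01T02:14:00", "jdoe", "unusual_resource_access"),
    ("2024-05-01T02:40:00", "jdoe", "data_volume_spike"),
    ("2024-05-01T02:55:00", "jdoe", "password_change"),
    ("2024-05-01T09:00:00", "asmith", "password_change"),   # lone signal
    ("2024-05-01T08:00:00", "mlee", "new_geo_login"),
    ("2024-05-03T08:00:00", "mlee", "data_volume_spike"),   # two days apart
    ("2024-05-01T10:00:00", "rkim", "new_geo_login"),
    ("2024-05-01T10:05:00", "rkim", "new_geo_login"),       # same type repeated
]

WINDOW = timedelta(hours=2)  # assumed correlation window
MIN_DISTINCT = 3             # assumed number of different anomaly types required

def correlate(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {user: (window_start, sorted anomaly types)} for every user whose
    anomalies of at least min_distinct different types fit in one sliding window."""
    by_user = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), kind))

    alerts = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            # Count distinct types, so a repeated signal does not inflate the score.
            kinds = {kind for _, kind in items[start:end + 1]}
            if len(kinds) >= min_distinct:
                # Fire as soon as the threshold is reached.
                alerts[user] = (items[start][0].isoformat(), sorted(kinds))
                break
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))
```

A single password change, two signals days apart, or one signal type repeated do not alert; requiring distinct types inside a bounded window is what separates a likely compromise from routine noise.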

Detection of Insider Threats
New-Scale Fusion can detect insider threats by correlating the following anomalies:
- Unusual access to sensitive data.
- Copying large amounts of data to external media.
- Attempts to bypass security systems.
- Network activity indicating a connection with external attackers.
AI uses user behavior modeling and social network analysis to identify employees who may pose a threat to the organization.
Detection of the Cyber Attack Kill Chain
New-Scale Fusion uses AI to track the cyberattack kill chain, consisting of several stages:
- Reconnaissance: the attacker gathers information about the target organization.
- Weaponization: the attacker develops or acquires malware.
- Delivery: the attacker delivers malware to the target organization.
- Exploitation: the attacker uses malware to gain access to the system.
- Installation: the attacker installs malware on the target system.
- Command and Control: the attacker gains remote access to the target system.
- Action: the attacker steals data or disrupts the system.
AI analyzes security events related to each stage of the cyberattack kill chain and identifies patterns indicating an active attack.
Incident Investigation and Response
New-Scale Fusion provides security analysts with the information needed to quickly investigate incidents. The system visualizes anomalies and the relationships between them, allowing analysts to quickly understand the cause and scope of the incident. New-Scale Fusion also allows you to automate incident response actions, such as blocking accounts, isolating hosts, and running malware scans.
Visualization of Anomalies and Relationships
The system provides interactive graphs and charts showing anomalies and the relationships between them. Analysts can use these visualizations to identify suspicious patterns of behavior and prioritize incidents.
Automation of Incident Response
New-Scale Fusion allows you to automate incident response actions, such as:
- Blocking accounts.
- Isolating hosts.
- Running malware scans.
- Notifying stakeholders.
Automating incident response reduces downtime and minimizes damage from attacks.
Benefits of New-Scale Fusion for Behavioral Analysis
New-Scale Fusion offers a number of technical benefits for behavioral analysis:
High Accuracy of Anomaly Detection
The system uses advanced machine learning and artificial intelligence algorithms to identify anomalies with high accuracy.
Minimizing False Positives
New-Scale Fusion uses adaptive behavioral models that are constantly trained and adapt to changes in the behavior of users and entities. This minimizes false positives and reduces the burden on security analysts.
Automation of Incident Investigation
The system provides security analysts with the information needed to quickly investigate incidents and allows them to automate incident response actions.
Scalability of the Solution
New-Scale Fusion provides horizontal scaling, allowing you to process large amounts of data and support a growing number of users and entities.
Real-world practice example: Company N reduced incident investigation time by 70% thanks to the automation of processes in New-Scale Fusion.
Conclusion
New-Scale Fusion is a powerful solution for behavioral analysis, using machine learning and artificial intelligence to identify complex cyber threats. The system integrates with a wide range of data sources, uses advanced behavioral models, and allows you to automate incident investigation and response. Machine learning and artificial intelligence are becoming a necessary condition for protection against modern attacker techniques and tactics aimed at introducing anomalous traffic into the networks of organizations.
Frequently Asked Questions about New-Scale Fusion: Behavioral Analysis in Cybersecurity
What is New-Scale Fusion and how does it help in cybersecurity?
New-Scale Fusion is an innovative approach to detecting cyber threats based on behavioral analysis. It identifies anomalies and sophisticated attacks that traditional security measures miss by analyzing user and entity behavior on the network.
What types of data does New-Scale Fusion collect for behavioral analysis?
The system integrates with a wide range of data sources, including security event logs (SIEM), network traffic data (NetFlow, PCAP), authentication data (Active Directory, LDAP), cloud services (AWS, Azure, GCP), and endpoints (EDR), providing a comprehensive view of activity within the organization.
How does New-Scale Fusion use machine learning and artificial intelligence?
The core of New-Scale Fusion is an analytics engine that uses machine learning and artificial intelligence to identify anomalies in behavior. This enables the detection of complex attacks by correlating various events and data.
What behavior models are used in New-Scale Fusion?
New-Scale Fusion uses normal user behavior modeling, resource access modeling, and network traffic modeling, analyzing various aspects of user and entity activity.
How does New-Scale Fusion help in detecting account compromises?
The system identifies account compromise cases by correlating anomalies such as unusual logins, attempts to access resources that the user does not normally access, and an increase in the volume of data transferred.
How does New-Scale Fusion detect insider threats?
New-Scale Fusion can detect insider threats by correlating unusual access to sensitive data, copying large amounts of data to external media, and attempts to bypass security systems.
How does New-Scale Fusion automate incident response?
New-Scale Fusion allows you to automate incident response actions such as account blocking, host isolation, running malware scans, and notifying stakeholders, reducing downtime and minimizing damage from attacks.
What are the advantages of New-Scale Fusion for behavioral analysis?
New-Scale Fusion provides high accuracy in anomaly detection, minimizes false positives, automates incident investigation, and is scalable, making it an effective solution for protecting against modern cyber threats.





