Officials in Livingston County, Mich., turned to a machine learning tool that can find anomalies in user and device behaviors without previous knowledge of what to look for.
To modernize cybersecurity for Livingston County, Mich., officials turned to a machine learning tool that can find anomalies in behaviors without previous knowledge of what to look for.
Darktrace’s Enterprise Immune System is powered by unsupervised machine learning, meaning county officials didn’t have to tell it what to watch out for using rules or signatures. Instead, they plugged it in and let it run for three weeks so that it could learn about the network’s typical behavior, establishing what’s called a “pattern of life.” Then when the system detects something out of the ordinary, an alert is issued in real time.
“A tool like this works best when it’s placed where it can see the traffic we’re most interested in,” county Deputy Chief Information Security Officer Paul Curylo said. “We placed it such that we can see traffic of interest traversing through our core as well as traffic traversing out to the internet.”
The county uses the tool in two main ways: to validate normal activity and to create behavioral models from analysis of every user and device that can be used for specific applications, such as compliance. Those models enable the aggregation of alerts and provide a scoring mechanism so that officials can understand linkages between behaviors, Curylo said. That’s when a human gets involved, reviewing the dashboard and deciding whether the problem is worth pursuing.
The dashboard is weighted so that higher-priority alerts are displayed with a darker red color. Users can click on an alert and see the models that have been breached, the clients involved and the traffic flows between them. Threat Visualizer, part of Enterprise Immune System, presents a 3-D visualization and lets users rotate and zoom in and out on that network of activity.
If we see “a connection to a rare external host, an exfil[tration] of large amounts of data, for instance, and connections with several internal hosts,” that indicates a critical issue that “we can actually focus our efforts on understanding,” Curylo said. “You’re not looking at the full network, and you’re not looking at lines of data. What you’re looking at is a visual representation of the lines of traffic flows.”
He can also punch an endpoint into Threat Visualizer to pull up all the devices communicating with that endpoint. Even if it hasn’t breached any models, users can look at the traffic flows and decide if they’re valid or not.
What’s more, officials can use the tool to go back in time to find out exactly when a problem arose. That’s important because when malware gets through, it doesn’t always detonate right away, county CIO Rich Malewicz said. “This allows us to go back in time and look at how it got in,” he said. “That’s the real value for me.”
The system has enabled greater efficiency for the cybersecurity team. Typically a county network like Livingston’s, with about 1,000 end users and about 4,500 endpoints, would require a staff of about 10 to 20 people to monitor and follow up on anomalies, but Livingston has just one person doing that.
As recently as last year, the county used mostly informal follow-up such as interviews with users to find out about their network activity when a cybersecurity problem was spotted. Unsurprisingly, officials found this strategy lacking.
“We tended to rely on our firewalls and our signature bases and our signature list systems, but you don’t get the root cause with that, and that’s where that gap was. It’s great that we stopped something, but how did it happen in the first place? We had no mechanism for that,” Malewicz said.
“We have plenty of tools already -- at the perimeter and of course defense-in-depth -- that provide us rules-based, signature-based detection of bad things,” Curylo said. “But what we don’t know are the things that we don’t know, and those are typically the things that blossom into big problems for organizations.”
But since deploying Darktrace’s solution last April, “it’s like a whole new security team here right now,” Malewicz said. “It’s making us more proactive instead of reactive.”
Looking forward, the county may add Darktrace’s Antigena product to its security suite. Antigena acts as a “digital antibody,” fighting back against cyber threats without affecting a network’s functions.
Meanwhile, Curylo said officials will expand the use of behavioral analytics as operational needs evolve. The county currently uses only one Darktrace sensor, but it may add more.
“This is both a strategic and a tactical tool,” he said. “This allows us to understand our environment to such a degree that when we see a business proposal to do something new and different -- say, cloud storage -- we’re able to talk more about the types of behaviors we already see on the network rather than take the fearful position of ‘Gee, if we take that, then we could have other kinds of problems that we don’t even know about.’”