Algorithms, Alerts, and Akamai Threat Intelligence

Let me start by posing a question: If in one week security solution A produces 120 alerts and security solution B produces 45 alerts, which solution is providing you with more effective protection? The answer is: It depends.

On the face of it, solution A appears to be more effective because it’s delivering more alerts than solution B. But what if solution A is actually delivering a considerable number of alerts that don’t represent a real security risk to the organization, or in other words, are false positive alerts?

False positive alerts are the bane of security professionals for a number of reasons. I recently wrote a blog post about the security skills shortage and what is clear from research for that article is that there are few, if any, security professionals who are shooting popcorn and waiting for the phone to ring. The security professionals I know are always busy with far too many urgent tasks and projects on their plates.

With that backdrop, time taken to analyze and investigate false positive alerts is time taken away from investigating real alerts, meaning authentic threats are missed entirely or not investigated before they have a negative impact. Additionally, determining if an alert is a false positive takes a considerable amount of expertise; this determination usually falls on the most experienced members of the security engineering team.

“Time not spent validating a false alarm from a security tool is time we can spend on other operations, such as actively looking for adversaries [who are] testing boundaries, rather than just reacting to what has already hit,” says Keith Hillis, Director of Enterprise IT Risk and Security at Akamai.

A knock on effect of this is that a system producing a high level of false positives typically requires significant effort to be spent fine tuning rules and signatures in an attempt to reduce that false positive rate. Again, this can be a time-consuming and complex operation.

Finally, imagine a situation where one security product is alerting that a compromised endpoint is making command and control (CnC) callbacks to a server. However, no other security tools are flagging this as an alert, and when the machine is investigated, it’s completely clean. Security teams might start to lose trust in this solution and assume all alerts are false, leading to complacency.

Threat Intelligence at Akamai

As Akamai’s Enterprise Security Research team was evaluating how it could deliver additional customer value through threat intelligence, a fundamental component of the Enterprise Threat Protector service, they repeatedly heard from customers that delivering a low rate of false positive alerts was critical.

With that as an overarching objective, every aspect of the work that the Enterprise Security Research team has undertaken — evaluating additional threat data sources, researching new methodologies for data manipulation, developing proprietary algorithms to quickly identify new malicious behavior, and validating results –is focused on delivering high-quality threat intelligence with an exceptionally low rate of false positives.

So, how has the Enterprise Security Research team achieved this goal?

Visibility is Key

The process of delivering high-quality threat intelligence starts with the raw data. Because of its global intelligent platform, Akamai has an unprecedented view of the internet. The platform handles up to 30% of the world’s Web traffic and Akamai’s AnswerX recursive DNS service resolves 150 billion DNS queries every day. And with the recent acquisition of Nominum, the number of DNS queries being resolved by Akamai will soon be 1.7 trillion daily. This visibility into both web and DNS traffic makes for an exceptionally powerful data set.

That data set is then augmented by a number of external threat feeds that are typically licensed from other security partners. The team continuously assesses new threat feeds, and the process they use to check the efficacy of new lists is extremely rigorous; all of the feeds consumed by Akamai’s threat intelligence are curated and evaluated for accuracy and coverage of real threats.

The final piece of the data set is public data such as WHOIS and Registrar Information. That public information is extremely valuable in detecting newly registered domains that might have been created for malicious use. This data is also used extensively during the validation stage.

The combined data set is then analyzed using advanced, real-time behavioral analysis and proprietary algorithms. To help identify threats that are difficult to detect using automation alone, the data is further enhanced via review by Akamai’s dedicated Enterprise Security Research team.

Proprietary Algorithms & Low False Positive Rates

As noted earlier, developing proprietary algorithms to enhance Akamai’s threat intelligence and quickly detect new threats is a key aspect of the Enterprise Security Research team’s work. The team has developed a number of algorithms that take advantage of the large data volumes that are at Akamai’s disposal.

Most recently, the team developed a new algorithm to detect low throughput DNS data exfiltration in partnership with the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev. Together, investigators conducted advanced research into how to improve the efficacy of DNS tunneling detections and, in particular, how to reduce the number of false positive alerts. This research provided the foundation for the development of the aforementioned new algorithm that will help to protect against DNS tunneling threats.

Although DNS data exfiltration has been investigated for around ten years, the accurate detection of this threat has been made increasingly difficult because many legitimate applications and services, such as anti-virus programs, use DNS tunneling. This can often lead to high rates of false positive security alerts.

Current, Relevant Threats & Reducing False Positives

The volume and complexity of threats continue to rise exponentially. However, the vast majority of threats are short lived and transitory in nature. This is because the threat is often quickly mitigated by security vendors, threat infrastructure such as malicious domains and CnC servers are promptly shut down by service providers, or the threat domains are swiftly taken over by the security community. The window for identifying and tracking the threat, and pinpointing the source is small.

Based on the extensive research undertaken by Akamai’s team, continuing to include domains that no longer represent an active risk to a company in threat intelligence feeds will dramatically increase the number of false positive alerts that a security team has to deal with.

For example, including a domain in the threat list when:

  • the domain is either no longer registered or does not resolve will create a security alert if there is a request made to that domain.
  • the domain was first identified as being malicious say five years ago will create a security alert if there is a request made to that domain.

The Enterprise Security Research team uses a large number of techniques and approaches to ensure that its threat intelligence accurately represents current and relevant threats. At a high level these include:

  • Threat Relevancy – If a domain/URL is the result of old Indicators of Compromise (IOCs), it is not included in Akamai’s threat intelligence lists.
  • Threat Popularity – If a domain/URL is highly popular, meaning it is probably a compromised website that contains malicious data, it is included in Akamai’s threat intelligence lists, but marked as suspect.

Case Study

In a recent customer product evaluation, the Enterprise Security Research team was able to investigate the alerts produced by a competitor’s security product. These alerts were from an evaluation using live traffic during a week’s duration and not based on using a list of malicious domains.

Of the 107 alerts that the system raised:

  • 28 (26%) of the domains were not registered/not resolvable
  • 47 (47%) of the domains were old, so represented close to zero risk
  • 25 (24%) of the domains were true false positives
  • 7 (6.5%) of the alerts were current/real

The net result: An already taxed security team would waste significant and valuable time and expertise investigating alerts that were, for the most part, false positives.

Conclusion

High-quality threat intelligence with an exceptionally low rate of false positives is imperative for productivity, efficiency, and security. But does Akamai’s Enterprise Threat Protector service execute on this as advertised? Simply turn the service on and see what malicious traffic it detects on your network with an Akamai Health Check.

 In a nutshell, this program allows you to quickly activate a free, 90-day trial of Enterprise Threat Protector on your network. At the end of the Health Check, we will provide you with a report and walk you through what the service has detected.

To find out more about the Akamai Health Check program, visit akamai.com/healthcheck

 



This is a Security Bloggers Network syndicated blog post authored by Jim Black. Read the original post at: The Akamai Blog