Products
- Products
  
  Platform
  ShadowPlex Advanced Threat Defense
  Deception for early detection of cyber threats with precision and speed
  
  ShadowPlex Identity Protection
  Visibility, management and protection of identity stores and attack paths
  Acalvio Active Defense Platform
  Comprehensive and Award-winning Distributed Deception Platform
  
  What is Active Defense?
  Active defense detects and diverts attacks.
  
  Why do I need Acalvio Active Defense?
  Active Defense deceives and disrupts attackers.
Solutions
- Technology Solutions
  
  Industry Solutions
  Early Threat Detection
  Detect cyber threats early in the attack lifecycle to prevent adversary breakout
  
  Identity Threat Detection & Response
  Detect identity threats with precision and protect the identity architecture
  
  OT Security
  Protect OT environments from cyber threats with an easy-to-deploy and non-intrusive solution
  
  Red Teaming
  Strengthen defenses to detect red team activities
  
  Threat Hunting
  Active threat hunting to confirm latent threats and gain visibility to attacker TTPs
  
  Ransomware
  AI-driven deception to protect against known and zero-day ransomware variants
  
  Honeytokens for CrowdStrike
  Enterprise-scale honeytokens to protect against current and evolving identity threats
  
  Active Directory Protection
  Visibility to AD attack surface and detection of AD attacks
  
  Zero Trust
  Advance Zero Trust maturity through improved cyber visibility
  
  Insider Threats
  Unmask hidden dangers. Cyber deception for high-fidelity insider threat detection
  Public Sector
  Targeted solution for protecting Federal agencies in conformation with NIST and CISA recommendations
  
  Financial Services
  Transform Financial Cybersecurity with Innovative Cyber Deception and Active Defense
  
  Healthcare
  Active defense solutions thwart healthcare attacks before they can inflict real damage.
Resources
Partners
Company

Understanding Anomalous Behavior and Malicious Intent

by Team Acalvio | September 06, 2020

Malicious behavior: we generally know it when we see it

Most of the time, unfortunately, malicious behavior is hidden from view. Consider that the average dwell time for cyberattackers within networks is still measured in months. Per FireEye, the global median dwell time in 2018 was 78 days, down from 101 days in 2017, but still far too long.

Malicious behavior may manifest itself as the discovery or use of software designed to gain access and to leverage or create vulnerabilities that can be used to further penetrate networks, endpoints, and servers; perform reconnaissance; gain authentication data; and ultimately exfiltrate sensitive information or damage ongoing enterprise operations. Alternatively, it may manifest itself through the more subtle activities of malicious insiders.

How can we detect malicious behavior more rapidly and reduce dwell time, thereby reducing the risk of a successful data breach?

There are several technologies in play that are used today in networks. This includes network threat detection using unsupervised machine learning, supervised machine learning, and deception technology. Deception technology also integrates machine learning where it provides an advantage to analysis and discovery.

Supervised machine learning

Supervised machine learning is an important technology used in cybersecurity, often for network threat detection. Algorithms such as supervised neural nets, Bayesian networks, k-nearest neighbors, and other variants are commonly used. Supervised machine learning is a type of machine learning where automation learns how to classify activity based on examples of behavior that produce a recognized output value. Supervised machine learning algorithms use training data to help establish the boundaries of classification. Inside of the boundary may be deemed as normal and hence acceptable behavior. Outside is anomalous behavior. If you pull the requirements too tightly with your training data, the amount of apparent anomalous behavior increases substantially. If you loosen the training requirements, almost nothing will appear anomalous. You can see how one moment, in one scenario, anomalous behavior which is truly valid might appear malicious, while malicious behavior might not show as anomalous at all.

Unsupervised machine learning

Unsupervised machine learning is another important technology used in cybersecurity. Algorithms commonly used for unsupervised machine learning include k-means, c-means, self-organizing maps (SOM), and one-class support vector machines. Unsupervised machine learning, simply put, doesn’t require training data. The key assumption of unsupervised machine learning is that the bulk of existing behavior is normal, which thereby segregates infrequent and statistically uncommon activity as suspect and possibly malicious. In this case, an infrequent but valid user activity may be flagged as statistically anomalous, while pre-existing network threats might inadvertently be missed when unsupervised machine learning is set-up. These undetected threats often arise in markets like health care, manufacturing, and financial and banking networks. Statistical sensitivity can be adjusted, but, in the final analysis, there must be a set boundary condition, just as there was in supervised machine learning. On one side, what appears to be non-anomalous behavior can be malicious, and vice versa.

Acalvio ShadowPlex Core Technology

Acalvio ShadowPlex core technology is not conditional, statistical, or probabilistic. The detection is absolute and 100 percent certain. We integrate machine learning but temper our use with absolute adherence to our core policy alignment: nothing, absolutely nothing, should be engaging with our decoys at any time.

As we have seen, not all malicious behavior within your networks will stand out as anomalous. In counterpoint, not all anomalous behavior within your networks is necessarily malicious.

Deception technology focuses attention on those instances of behavior that are clearly in violation of process and immediately identifies these threats present within your network at virtually 100 percent certainty.
Deception technology provides virtually flawless detection to ensure that threats are rapidly identified and rapidly shut down.

Please talk to us about how deception technology is an important adjunct to your other security controls! We’d be pleased to introduce you to our latest technology and share information about how Acalvio ShadowPlex protects the most sensitive enterprise and government networks.