Federal Public Safety Agency Speeds Cyberattack Identification
Federal and government agencies face staggering volumes of data and ever-evolving cybersecurity threats, which often overwhelm analysts and stifle their ability to accurately and quickly identify new tactics, techniques, and procedures (TTPs) as the pace of threats evolve. In the industry, there is a lack of tools and expertise to handle large data volumes, along with major cost restraints or hesitancy to bring in new tools. One Federal Public Safety Agency had to make a change for several reasons:
- There was a chance of mission failure without the right insights and data tools.
- A security-first mindsight required the agency to do more with less.
- The current tool configuration was not meeting the agency's needs.
To help address these growing concerns, the agency turned to TIBCO Silver Partner SkyePoint Decisions for the latest security technology.
SkyePoint established a strong partnership with TIBCO based on its market-leading capabilities and coverage across the data management and data visualization space. A combination of the brushed and linked visual analytics capabilities of TIBCO Spotfire software, the breadth of data source connectivity provided by TIBCO Data Virtualization software, and the flexibility to add custom Python-based ML models made TIBCO the top choice for SkyePoint.
Using TIBCO Data Virtualization and Spotfire capabilities, SkyePoint created the “Threat Predict” platform, designed to be a force multiplier for security teams. The platform offers analysts better data and intelligence for use in cyber events and incident response, helping them get in front of new and evolving threats. While Threat Predict offers a new tool to the agency, it also brings the domain and cyber expertise that meets and exceeds industry needs. The solution's multiple capabilities bring innovation that’s backed by data and cyber qualifications.
To implement Threat Predict, SkyePoint used a three-step phased approach:
- The company installed TIBCO data management and advanced analytics software, established connections to data sources, and developed and trained the initial machine learning (ML) models. SkyePoint used the CRISPDM process with the agency to facilitate a bi-directional understanding of data and capabilities.
- SkyePoint then began ingesting real-time data into the Threat Predict solution and observing the unsupervised ML models' predictive analytics capabilities. During this phase, the partner adjusted its out-of-the-box visualizations and created tailored visualizations to understand the data better and support risk decisions.
- SkyePoint implemented a "tag and learn" approach and applied a risk management accelerator. With this accelerator, the team applied labels to the data based on identified anomalies that retrain unsupervised ML models and train new supervised models. During this phase, the partner and agency discussed possible integrations with RPA, SOAR, and ticketing systems.
The solution is solving complex industry needs. For example, security operations (SOC) center monitoring teams experience constraints in log data identification if teams like Threat Intel, Cyber Hunt, or Vulnerability Management have not identified and created action alerts for events. With the variation and volume of logs and events, security teams face the difficult task of understanding what normal looks like. Without the platform, SOC analysts can only see and respond to the last known TTP.
SkyePoint's approach enables the federal agency to detect and respond to events that are "unknown," whereas most security information and event management (SIEM) solutions require a signature or "indicator of compromise" to be known and configured before detections can be made. Threat Predict limits constraints in log identification and enables the team to identify and prevent future threats that demand new capabilities and resources, rather than remaining one step behind threats or vulnerabilities.
The agency's new Threat Predict solution can handle larger amounts of data and support increases in data volumes. Without it, the agency simply wouldn’t be able to handle all its data or connect all its data sources to get an accurate and comprehensive view of potential threats. Additionally, the platform moves the agency toward a zero-trust security framework, which is critical in an ever-evolving cyber landscape.
The federal agency's initial deployment indicates that by using an unsupervised ML model to baseline the log data and provide an understanding of the environment, the anomalies that arise from that baseline can predict anomalous events in the environment without overwhelming security analysts.
As a result of Threat Predict's deployment, the time to detect new anomalous events has been cut from one month to just four hours, massively reducing cyber risks for the agency. Additionally, the joint solution doubles the volume of log data available for analysis, from 2 TB to 4, providing valuable additional context for faster, smarter risk decisions. The agency also anticipates it will achieve a 30 percent increase in SOC analysis productivity by reducing the signal-to-noise ratio in security log data.
For SkyePoint, its partnership with TIBCO enables it to bring creative and innovative solutions, such as Threat Predict, to joint customers. According to Frank Sturek, president at Skyepoint, "TIBCO enables SkyePoint to leverage artificial intelligence and machine learning to deliver a capability we call Threat Predict to help protect America and strengthen national security by delivering advanced threat detection and response."