To spot security threats to their customers earlier, software vendors and cloud service providers are turning to cutting-edge technologies such as machine learning and behavioral detection on networks. Here we look at what Cisco, Symantec and OVH in particular have deployed.
At the latest International Cybersecurity Forum (FIC), held in Lille on January 24-25, we had the opportunity to meet several players specializing in computer security, and in particular to discuss with them the latest means they have put in place to detect threats that have become as complex as they are formidable, including the latest generation of ransomware and cryptoware. “In 2000, we detected 5 viruses per day, compared to 20,000 in 2005 and 3 million in 2016,” said Laurent Heslault, director of security strategies at Symantec. To secure their customers' IT infrastructures and data, software vendors, hosting providers and cloud service providers are all working hard, and among the technologies receiving heavy investment are machine learning and behavioral detection of threats on networks. “We have reached the end of the heuristic model,” Laurent Heslault continues. “We are reaching a level of pathologies such that we can no longer work with the same detection technologies as before, implying the use of machine learning, artificial intelligence and big data technologies to meet new security challenges.”
As for Symantec, the vendor has integrated machine-learning threat detection across its workstation, server and gateway product lines in its latest offer, SEP 14. It does not, however, see this technology as a substitute for the ones already in use, such as heuristic analysis and the sandbox, but as something to run alongside them, with the single goal of proactively detecting malicious files. “We can also rely on our 40-year-old malware base and cloud delivery of millions of malware signatures.” Symantec is obviously not the only one closely scrutinizing the security threats hanging over companies. The same goes for Cisco, which has been firing on all cylinders in this area for two years, having invested no less than 5 billion dollars in security over 4 years.
Chris Moret, Vice President Cybersecurity of Atos at FIC 2017. (credit: Dominique Filippone)
13 hours to analyze network behavior at Cisco
For two years, the American equipment manufacturer has also been working on machine-learning technology to detect unusual behavior on networks, and also to make decisions without human intervention. “We have been using Stealthwatch for several years now and we are in POC in several countries, particularly in the finance, automotive and aeronautics sectors,” explained Alain Dubas, Sales Director Southern Europe for Cisco. “The whole issue is not knowing when companies will be attacked, but how long it will take them to realize that they have been attacked.” To analyze a network and learn its behavior, Cisco says it needs no more than 13 hours. Its technology then makes it possible to detect more quickly that malware has infected part of a network in a given geographical area and to automatically trigger the mechanisms that prevent it from spreading elsewhere. “Two servers that communicate with each other when they have never done so before will trigger an alert,” says Alain Dubas. “This will allow the delegation of low-level tasks to allow the company to respond to the shortage of specialists.”
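The detection rule Alain Dubas describes (a learning window, then an alert the first time two hosts talk that never talked during that window) is simple enough to show in code. The block below is an added example written for this article; it is not Cisco's or Stealthwatch's code, and the flow records, host names and the NetFlow-style line format are constructed for the illustration. It builds a baseline of (source, destination, port) triples from the first 13 hours of flows, then flags every pair seen afterwards that was absent from the baseline, alerting once per new pair. It also reports hosts that suddenly open connections to several new peers, the fan-out pattern typical of malware spreading laterally, which the article only alludes to.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Learning window quoted in the article for Cisco's approach.
BASELINE_HOURS = 13

# Constructed sample flows (assumption: one NetFlow-style export per line,
# "timestamp src dst dport"). The first three lines fall in the learning
# window; the later ones include db1 opening SMB sessions it never opened before.
SAMPLE_FLOWS = """\
2017-01-24T01:00:00 web1 db1 3306
2017-01-24T02:00:00 web2 db1 3306
2017-01-24T03:00:00 web1 db1 3306
2017-01-24T15:00:00 web1 db1 3306
2017-01-24T15:05:00 web2 db1 3306
2017-01-24T15:10:00 db1 web1 445
2017-01-24T15:11:00 db1 web2 445
2017-01-24T15:12:00 db1 web1 445
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def build_baseline(flows, start, hours=BASELINE_HOURS):
    """Collect every (src, dst, dport) triple observed within the learning window.

    Returns the baseline set and the moment the window closes.
    """
    cutoff = start + timedelta(hours=hours)
    baseline = {(src, dst, dport) for ts, src, dst, dport in flows if ts < cutoff}
    return baseline, cutoff


def detect_new_pairs(flows, baseline, cutoff):
    """Alert on the first occurrence of any triple not present in the baseline.

    Once alerted, a triple is added to the known set so repeats are not re-alerted;
    in a real deployment an analyst would decide whether to promote it to the baseline.
    """
    known = set(baseline)
    alerts = []
    for ts, src, dst, dport in flows:
        if ts < cutoff:
            continue  # learning window, already consumed by build_baseline
        key = (src, dst, dport)
        if key not in known:
            alerts.append((ts, src, dst, dport))
            known.add(key)
    return alerts


def fan_out(alerts, min_peers=2):
    """Return sources that contacted at least min_peers previously unseen hosts."""
    peers = defaultdict(set)
    for _, src, dst, _ in alerts:
        peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


def run_example():
    """Run the whole pipeline over the constructed sample and return its results."""
    flows = parse_flows(SAMPLE_FLOWS)
    start = min(ts for ts, *_ in flows)
    baseline, cutoff = build_baseline(flows, start)
    alerts = detect_new_pairs(flows, baseline, cutoff)
    return baseline, alerts, fan_out(alerts)


if __name__ == "__main__":
    baseline, alerts, spreaders = run_example()
    for ts, src, dst, dport in alerts:
        print(f"{ts.isoformat()} ALERT new flow {src} -> {dst}:{dport}")
    for src, dsts in spreaders.items():
        print(f"{src} reached {len(dsts)} new peers: {', '.join(dsts)}")
```

On the constructed sample this raises two alerts (db1 to web1 and db1 to web2 on port 445; the repeat at 15:12 is not re-alerted) and flags db1 as reaching two new peers. The obvious caveat for anyone running such a baseline: anything already communicating during the learning window becomes "normal", so an intruder present before the 13 hours start is invisible to this rule, and a baseline that is too short will flood analysts with alerts on legitimate but infrequent traffic.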
Another example is the British vendor Darktrace (400 employees for 550 customers worldwide), which has developed a solution based on Bayesian algorithms and machine learning. Its originality? Detecting internal and external threats without relying on rules and signatures. “Our Enterprise Immune System solution prevented information theft during a videoconference hack and a fingerprint scan,” Emmanuel Meriot, France director of Darktrace, told us. “The trend is predictivity without rules or signatures; the solution is operational in one day so that employees no longer spend their time installing nets but focus on remediation.”
Stéphane Lesimple, head of the SOC & Abuse division at OVH.
A 1 Tbit/s attack that brought down a Minecraft server at OVH
Beyond software vendors, hosting providers and cloud operators have naturally taken up the issue of security as well. In France this is notably the case of Orange, which announced during the FIC the opening of its security operations center (SOC) in Lesquin near Lille, while OVH is also far from a novice in the matter. “We host 18 million sites on shared servers and we have set up detection and internal customization to look at the type of e-mail sending and the diversion of services,” explained Stéphane Lesimple, head of the SOC & Abuse division at OVH. “DDoS have been around for years, but the last one that targeted one of the Minecraft servers hosted by us exceeded a terabyte per second. We held on quite well, but the number of IPs was such that we couldn't resist,” Stéphane Lesimple continues. To improve its SOC in France, but also in each country where it has a datacenter, OVH intends to increase its security teams to more than 30 employees, against around twenty today.
At Atos, the resources devoted to security are also on the rise. Worldwide, the operator has an arsenal of 14 SOCs, including one in France, which also rely on big data and artificial intelligence building blocks. “About fifteen people are employed at the Atos SOC for development; in all this represents 500 people,” explained Chris Moret, vice-president cybersecurity of Atos. “The problem is finding enough analysts.” Over the year, Atos spent 300 million euros on security, an annual increase of 30%.
Note to readers: following the publication of this article, OVH provided the following clarification on January 31, 2017 at 3:22 p.m.: “DDoS have been around for years, but the last one that targeted one of the Minecraft servers hosted at OVH exceeded the terabit per second. The automatic systems reacted well, the teams were reinforced on an ad hoc basis, and we faced the attack.”