Reading Time: ~ 4 min.

As technology continues to evolve,
several trends are staying consistent. First, the volume of data is growing
exponentially. Second, human analysts can’t hope to keep up—there just aren’t
enough of them and they can’t work fast enough. Third, adversarial attacks that
target data are also on the rise.

Given these trends, it’s not
surprising that an increasing number of tech companies are building or implementing tools that promise automation and tout machine
learning and/or artificial intelligence, particularly in the realm of
cybersecurity. In this day and age, stopping threats effectively is nearly
impossible without some next-generation method of harnessing processing power
to bear the burden of analysis. That’s where the concept of a cybersecurity
platform built on threat intelligence comes in.

What is a platform?

When you bring together a
number of elements in a way that makes the whole greater or more powerful than
the sum of its parts, you have the beginnings of a platform. Think of it as an
architectural basis for building something greater on top. If built properly, a
good platform can support new elements that were never part of the original

With so many layers continually building on top of and alongside one another, you can imagine that a platform needs to be incredibly solid and strong. It has to be able to sustain and reinforce itself so it can support each new piece that is built onto or out of it. Let’s go over some of the traits that a well-architected threat intelligence platform needs

Scale and scalability

A strong platform needs to
be able to scale to meet demand for future growth of users, products,
functionality. Its size and processing power need to be proportional to the
usage needs. If a platform starts out too big too soon, then it’s too expensive
to maintain. But if it’s not big enough, then it won’t be able to handle the
burden its users impose. That, in turn, will affect the speed, performance,
service availability, and overall user experience relating to the platform.

You also need to consider
that usage fluctuates, not just over the years, but over different times of
day. The platform needs to be robust enough to load balance accordingly, as
users come online, go offline, increase and decrease demand, etc.

Modularity can’t be
forgotten, either. When you encounter a new type of threat, or just want to add
new functionality, you need to be able to plug that new capability into the
platform without disrupting existing services. You don’t want to have to worry
about rebuilding the whole thing each time you want to add or change a feature.
The platform has to be structured in such a way that it will be able to support
functionality you haven’t even thought of yet.

Sensing and connection

A threat intelligence platform
is really only as good as its data sources. To accurately detect and even predict
new security threats, a platform should be able to take data from a variety of sensors
and products, then process it through machine learning analysis and threat
intelligence engines.

Some of the more
traditional sensors are passive, or “honeypots” (i.e. devices that appear to
look open to attack, which collect and return threat telemetry when
compromised.) Unfortunately, attack methods are now so sophisticated that some
can detect the difference between a honeypot and a real-world endpoint, and can
adjust their behavior accordingly so as not to expose their methods to threat
researchers. For accurate, actionable threat intelligence, the platform needs
to gather real-world data from real-world endpoints in the wild.

One of the ways we, in
particular, ensure the quality of the data in the Webroot® Platform, is by
using each deployment of a Webroot product or service—across our home user,
business, and security and network vendor bases—to feed threat telemetry back
into the platform for analysis. That means each time a Webroot application is
installed on some type of endpoint, or a threat intelligence partner integrates
one of our services into a network or security solution, our platform gets
stronger and smarter.

Context and analysis

One of the most important
features a threat intelligence platform needs is largely invisible to end
users: contextual analysis. A strong platform should have the capacity to
analyze the relationships between numerous types of internet objects, such as
files, apps, URLs, IPs, etc., and determine the level of risk they pose.

It’s no longer enough to
determine if a given file is malicious or not. A sort of binary good/bad
determination really only gives us a linear view. For example, if a bad file
came from an otherwise benign domain that was hijacked temporarily, should we
now consider that domain bad? What about all the URLs associated with it, and
all the files they host?

For a more accurate picture, we need nuance. We must consider where the bad
file came from, which websites or domains it’s associated with and for how long,
which other files or applications it might be connected to, etc. It’s these
connections that give us a three-dimensional picture of the threat landscape,
and that’s what begins to enable predictive protection.

The Bottom Line

When faced with today’s cyberattacks,
consumers and organizations alike need cybersecurity solutions that leverage
accurate threat telemetry and real-time data from real endpoints and sensors.
They need threat intelligence that is continually re-analyzed for the greatest
accuracy, by machine learning models that are trained and retrained, which can
process data millions of times faster than human analysts, and with the
scalability to handle new threats as they emerge. The only way to achieve that
is with a comprehensive, integrated machine-learning based platform.

The post What Defines a Machine Learning-Based Threat Intelligence Platform? appeared first on Webroot Blog.