Critical Infrastructure Network Anomaly Detection
Description
CyberSentry currently ingests hundreds of terabytes of data from Critical Infrastructure Partners every single day. At petabyte-scale over all collected network data, CyberSentry required a way to filter through the noise to be able to detect Advanced Persistent Threat (APT) and Nation State malicious activity happening within our Partners' networks. CyberSentry has developed numerous machine learning-based detections to identify trends, patterns, and anomalies in network data that ultimately result in both automated and manual triage by analysts.
Detailed example
An interface is provided for analysts to query cybersecurity data, and dashboards are provided with potential cybersecurity alerts, including anomalies detected through predictive models and rule-based heuristics.
AI / analytics pattern
Classical/Predictive Machine Learning: Models trained on data to make predictions or classifications based on identified patterns or relationships.
Automation level / stage
c) Deployed – The use case is being actively authorized or utilized to support the functions or mission of an agency.
Expected benefit
This use case delivers improved internal government tools for hunting and detection of malicious threat actors on critical infrastructure networks. It automates manual data fusion and correlation processes and highlights potential anomalies, allowing CISA analysts to focus more time on hunting adversaries.
Controls / human review
ATO: Yes; PIA: https://www.dhs.gov/publication/dhscisapia-037-cybersentry
Data needed
Cybersecurity cloud, network and host logs; Cybersecurity threat intelligence (CTI)