OMB Individually Reported

Critical Infrastructure Network Anomaly Detection

Low riskExact public inventory row

Description

CyberSentry currently ingests hundreds of terabytes of data from Critical Infrastructure Partners every single day. At petabyte-scale over all collected network data, CyberSentry required a way to filter through the noise to be able to detect Advanced Persistent Threat (APT) and Nation State malicious activity happening within our Partners' networks. CyberSentry has developed numerous machine learning-based detections to identify trends, patterns, and anomalies in network data that ultimately result in both automated and manual triage by analysts.

Detailed example

An interface is provided for analysts to query cybersecurity data, and dashboards are provided with potential cybersecurity alerts, including anomalies detected through predictive models and rule-based heuristics.

AI / analytics pattern

Classical/Predictive Machine Learning: Models trained on data to make predictions or classifications based on identified patterns or relationships.

Automation level / stage

c) Deployed – The use case is being actively authorized or utilized to support the functions or mission of an agency.

Expected benefit

This use case delivers improved internal government tools for hunting and detection of malicious threat actors on critical infrastructure networks. It automates manual data fusion and correlation processes and highlights potential anomalies, allowing CISA analysts to focus more time on hunting adversaries.

Controls / human review

ATO: Yes; PIA: https://www.dhs.gov/publication/dhscisapia-037-cybersentry

Data needed

Cybersecurity cloud, network and host logs; Cybersecurity threat intelligence (CTI)