It can be hard for a CISO to dispose of a traditional technology and replace it with something new. But when done right it can pay dividends, Canadian municipal infosec workers have been told.

That was the experience at the City of Peterborough, Ont., which decided not to replace an aging security information and event management (SIEM) system with a new or managed version of the technology but to go a different route.

Nick Powers, IT security manager for the city, told the story at this week’s annual security conference of the Ontario branch of the Municipal Information Systems Association (MISA).


The SIEM had served its purpose, Powers said. “We wanted it out sooner rather than later,” largely because it was taking up a lot of time to use – particularly to create rules to understand detections and then use that information to react. “Paramount was … improving our incident response capability.”

The IT department isn’t small – a staff of 25 – but is responsible for 900 workstations across the city, its utilities department and municipal police force. Powers is the only person responsible for security.

So finding a solution that is cost effective and eases the burden on staff was important.

The solution also had to fit within the IT security strategy, which had focused on protection (dual enterprise firewalls, anti-virus, and intrusion prevention) but at the cost of incident response. A managed SIEM was tempting, but ultimately not cost-effective.

An intriguing alternative was a network monitoring solution that uses machine learning. Among the advantages, Powers said, is the possibility of not having to spend time creating rules.

Machine learning “allows you to implement something that learns from traffic and behaviours across the network,” Powers said.

The department tried two threat detection appliances: Darktrace and Vectra Networks’ Cognito. It chose Vectra, supplemented by the open source Graylog log management tool.

With Cognito “we are simply spanning a port, and this technology relays all (data), analyzes it and alerts based on abnormal behaviour happening across the network,” Powers said.

The vendor generates behaviour models that are automatically uploaded into a customer’s system, which learns and looks for similar behaviour. If it can’t find a model that matches a behaviour – such as a staffer’s machine going to a Web site it hasn’t visited before – it creates a new model and flags it. The administrator can then decide to create a rule allowing that behaviour.

These types of network-based machine learning systems need to see all network traffic simultaneously, Powers warned. Fortunately, the city had consolidated what had been a flat architecture to a firewall in the core, so the appliance went between that and the internal network.

All it took was to plug the device into one port, plus another for maintenance. “We left it alone for a couple of days,” to learn, Powers said, and that was it.

The appliance’s software creates a map with four quadrants to rate the threats of devices on the network, plotting “Threats” along the vertical axis and “Certainty” along the horizontal. Alerts can be set up in any number of ways, Powers said. In his case he wants to know only when the system is highly certain of the threat and the threat is extremely high – think of an incident in the upper right quadrant.
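The quadrant policy described above, as an added example that is not the appliance’s own scoring code: it assumes each detection already carries a threat score and a certainty score on a 0–100 scale (the two axes in the text), rolls detections up per host, and pages only for hosts in the upper-right quadrant. The detection records and model names are constructed for the example.

```python
"""Threat/Certainty quadrant triage (added illustration, not vendor code)."""
from collections import defaultdict

# Constructed sample detections; the model names are invented for the example.
DETECTIONS = [
    {"host": "ws-101", "model": "unusual-external-destination", "threat": 90, "certainty": 85},
    {"host": "ws-101", "model": "new-internal-service",         "threat": 30, "certainty": 40},
    {"host": "ws-202", "model": "large-outbound-transfer",      "threat": 85, "certainty": 30},
    {"host": "ws-303", "model": "internal-port-sweep",          "threat": 40, "certainty": 95},
]

# Quadrant labels keyed by (high_threat, high_certainty).
QUADRANTS = {
    (True, True): "critical",   # upper right: page the analyst
    (True, False): "high",      # upper left: dangerous if true, needs corroboration
    (False, True): "medium",    # lower right: real but low impact
    (False, False): "low",      # lower left: noise, review in bulk
}


def quadrant(threat: int, certainty: int, threat_min: int = 80, certainty_min: int = 80) -> str:
    """Place one (threat, certainty) point in one of the four quadrants."""
    return QUADRANTS[(threat >= threat_min, certainty >= certainty_min)]


def summarize_hosts(detections):
    """Roll detections up per host.

    Assumed aggregation: a host's threat is the highest threat of any of its
    detections, and likewise for certainty. Taking the max on each axis
    independently means one severe detection plus one certain detection on the
    same host can together land it in the critical quadrant; that is deliberate,
    since several corroborating detections on one device are a reason to look.
    """
    by_host = defaultdict(lambda: {"threat": 0, "certainty": 0, "models": []})
    for d in detections:
        h = by_host[d["host"]]
        h["threat"] = max(h["threat"], d["threat"])
        h["certainty"] = max(h["certainty"], d["certainty"])
        h["models"].append(d["model"])
    return dict(by_host)


def hosts_to_alert(detections, threat_min=80, certainty_min=80):
    """Hosts in the upper-right quadrant, most threatening first.

    This is the 'only tell me when both axes are high' policy; lowering
    certainty_min widens the net to include high-threat, low-certainty hosts.
    """
    summary = summarize_hosts(detections)
    alerting = [
        (host, s) for host, s in summary.items()
        if quadrant(s["threat"], s["certainty"], threat_min, certainty_min) == "critical"
    ]
    alerting.sort(key=lambda hs: (hs[1]["threat"], hs[1]["certainty"]), reverse=True)
    return [host for host, _ in alerting]


if __name__ == "__main__":
    for host, s in summarize_hosts(DETECTIONS).items():
        print(host, quadrant(s["threat"], s["certainty"]), s["models"])
    print("page on:", hosts_to_alert(DETECTIONS))
```

Each host's placement is recomputed from the full detection list, so an admin clicking through to “the models that triggered the alert” sees every contributing model rather than only the latest one.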

Clicking on an event allows an admin to drill down for information (the threat, the models that triggered the alert, what the machine was doing at the time). The appliance learns by holding and analyzing records of all device actions.

It’s only been six months in use but “it has dramatically improved our ability to quickly identify things that are potentially malicious in nature,” said Powers.

That included warning that a machine was contacting a potentially malicious server in Russia. “Outside of that we were getting no alerts from any of our other technology,” Powers said.

As for Graylog, while it doesn’t plug into Cognito, the city still needed a log management solution after getting rid of the SIEM. Among the advantages, Powers said, is that any logs sent to it can be customized and supplemented with ‘whois’ and geolocation information, which are then searchable.
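The enrichment step described above, as an added example that is not Graylog’s own code: Graylog does this with lookup tables and pipeline rules, and the Python below mimics the result offline so the added fields can be inspected and searched. The firewall log format, the internal address ranges, and the whois/geo table are all constructed for the example (documentation IP ranges and the documentation ASN AS64496; the country code ZZ is a placeholder).

```python
"""Whois/geolocation log enrichment (added illustration, not Graylog's code)."""
import ipaddress
import re

# Constructed whois/geo table keyed by CIDR. A real deployment would load this
# from a geolocation database or a whois cache rather than hard-code it.
LOOKUP = {
    "203.0.113.0/24": {"asn": "AS64496", "org": "Example Hosting (constructed)", "country": "ZZ"},
    "198.51.100.0/24": {"asn": "AS64496", "org": "Example Transit (constructed)", "country": "ZZ"},
}
NETWORKS = [(ipaddress.ip_network(cidr), data) for cidr, data in LOOKUP.items()]

# The organization's own address space (constructed); anything here is "internal"
# and gets no external lookup.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2018-10-03T14:02:11Z action=allow src=10.20.30.40 dst=203.0.113.7 dport=443 proto=tcp bytes=48213",
    "ts=2018-10-03T14:02:12Z action=allow src=10.20.30.41 dst=10.20.1.5 dport=445 proto=tcp bytes=1200",
    "ts=2018-10-03T14:02:13Z action=deny src=10.20.30.42 dst=192.0.2.9 dport=22 proto=tcp bytes=0",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse key=value pairs into a dict; text that does not match is ignored."""
    return dict(KV_RE.findall(line))


def lookup_ip(ip_text: str) -> dict:
    """Classify an address as internal, a known external range, or unknown external."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in INTERNAL_RANGES):
        return {"scope": "internal"}
    for net, data in NETWORKS:
        if ip in net:
            return {"scope": "external", **data}
    # External but not in the table: keep the fields so searches on them still work.
    return {"scope": "external", "asn": None, "org": None, "country": None}


def enrich(line: str) -> dict:
    """Parse one line and attach dst_* fields so they become searchable."""
    event = parse_line(line)
    info = lookup_ip(event["dst"])
    event["dst_scope"] = info["scope"]
    for key in ("asn", "org", "country"):
        if key in info:
            event[f"dst_{key}"] = info[key]
    event["bytes"] = int(event.get("bytes", 0))
    event["dport"] = int(event["dport"])
    return event


def search(events, **criteria):
    """Exact-match field search over enriched events, e.g. search(evs, dst_asn="AS64496")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    enriched = [enrich(line) for line in SAMPLE_LOGS]
    for e in enriched:
        print(e["dst"], e["dst_scope"], e.get("dst_asn"), e.get("dst_country"))
    print([e["dst"] for e in search(enriched, dst_asn="AS64496")])
```

Keeping the lookup result as separate fields (rather than appending it to the message text) is what makes “all traffic to this ASN” or “all destinations in this country” a one-line query later.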

Cognito “certainly has served us very well,” Powers said, “but there are some downsides as well.”

For any machine learning solution, administrators have to rely on the vendor’s algorithms to define what is a threat, he noted. “You have to have an understanding of what they’re doing, how they’re doing that and be comfortable with that.” And the solution does generate false positives, although Powers said they are not exactly false – for example, a person may occasionally upload a lot of data to an outside site for legitimate reasons, so the behaviour is flagged. In that case the admin has to tell the system that behaviour for that device is permitted.
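The learn-from-traffic cycle described earlier (models built from what the network normally does, new behaviour flagged) and the per-device “this is permitted” rule described just above, as one added example that is not the appliance’s models or code. It assumes flow records of the form (host, destination, bytes_out) and two made-up behaviour checks: a destination the host has never contacted, and an outbound transfer far larger than anything the host sent during the learning period. The traffic records are constructed.

```python
"""Behaviour baseline with analyst permit rules (added illustration, not vendor code)."""
from collections import defaultdict

# Constructed learning-period traffic, standing in for the "couple of days" the
# appliance was left alone to learn: (host, destination, bytes_out).
LEARNING_TRAFFIC = [
    ("ws-101", "intranet.example.local", 2_000),
    ("ws-101", "mail.example.com", 50_000),
    ("ws-101", "intranet.example.local", 1_500),
    ("ws-202", "intranet.example.local", 3_000),
    ("ws-202", "cdn.example.net", 120_000),
]

UPLOAD_FACTOR = 3  # assumed threshold: more than 3x the host's largest observed upload


class BehaviourBaseline:
    def __init__(self):
        self.destinations = defaultdict(set)  # host -> destinations seen
        self.max_upload = defaultdict(int)    # host -> largest bytes_out seen
        self.permitted = set()                # (host, destination, finding) analyst rules

    def learn(self, records):
        """Build the per-host baseline from a quiet learning period."""
        for host, dest, bytes_out in records:
            self.destinations[host].add(dest)
            self.max_upload[host] = max(self.max_upload[host], bytes_out)

    def permit(self, host, dest, finding):
        """Analyst rule: this finding is expected for this device and destination."""
        self.permitted.add((host, dest, finding))

    def score(self, record):
        """Findings for one new record, after analyst rules are applied."""
        host, dest, bytes_out = record
        findings = []
        if dest not in self.destinations[host]:
            findings.append("new-destination")
        if self.max_upload[host] and bytes_out > UPLOAD_FACTOR * self.max_upload[host]:
            findings.append("large-upload")
        return [f for f in findings if (host, dest, f) not in self.permitted]

    def observe(self, record):
        """Score a record, then fold it into the baseline so the model keeps learning.

        Caveat: whatever is observed here also becomes 'normal', so findings
        should be reviewed rather than silently absorbed into the baseline.
        """
        findings = self.score(record)
        self.learn([record])
        return findings


def demo():
    """Walk through learn -> detect -> permit -> keep learning; return each step's findings."""
    bl = BehaviourBaseline()
    bl.learn(LEARNING_TRAFFIC)
    results = {
        "known": bl.score(("ws-101", "intranet.example.local", 1_800)),
        "new_dest": bl.score(("ws-101", "unknown-host.example.org", 5_000)),
        "big_upload": bl.score(("ws-202", "cdn.example.net", 900_000)),
        "both": bl.score(("ws-202", "backup.example.org", 900_000)),
    }
    # The analyst decides the large CDN upload is legitimate for this device.
    bl.permit("ws-202", "cdn.example.net", "large-upload")
    results["after_permit"] = bl.score(("ws-202", "cdn.example.net", 900_000))
    # Once a new destination has been observed it is part of the baseline.
    bl.observe(("ws-101", "unknown-host.example.org", 5_000))
    results["after_observe"] = bl.score(("ws-101", "unknown-host.example.org", 5_000))
    return results


if __name__ == "__main__":
    for step, findings in demo().items():
        print(f"{step:14s} {findings}")
```

The permit rule is scoped to one device and one destination, which matches the “that behaviour for that device” decision in the text; a rule that silenced “large-upload” for every host would hide exactly the case the detector exists for.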

He emphasized that machine learning-based network threat detection is not a silver bullet allowing administrators to throw everything else away and rely on it solely for incident response. It has to be part of an overall security strategy.

When Cognito spits out an alert he still has to look at the context and other data to understand what is happening. But, he said, “we are better positioned from incident detection and response than we were six months ago.”

Machine learning – sometimes using the magic phrase “artificial intelligence” – is the hot security technology these days and is being implemented across a wide range of solutions. For example, a report released this week commissioned by vendor Cylance said 47 per cent of respondents indicated their organization has already deployed machine learning technology for endpoint security either extensively or on a limited basis. But experts say it won’t create a single answer to cyber attacks.

In an interview Powers said one lesson for infosec pros is “be somewhat creative and think outside the box in terms of how you want to address your problems … there are many alternatives to achieve your goals.”

Despite the advantages of machine learning, defence in depth is still needed. “You have to be continuously moving and addressing changes in your environment, within the threat landscape, because we had all these layers of defence but the malicious activity at some level was hidden [the communications with the Russian server] until we put something in that identified it as abnormal. In some layers Web traffic going to “https” is normal, but if you look at it from a behaviour analytics perspective it might not be normal.”