Inference vs. Prediction - Why does it Matter?
Several cybersecurity companies today claim that their solutions include predictive threat intelligence. In most cases, they are knowingly or unknowingly making a false claim. They infer relationships from known data rather than predicting something new. Is this bad? No, it’s great. Correlating threat data to draw connections and make intelligent conclusions is a solid and valuable technique that adds value to your threat intelligence. But it isn’t prediction. It’s inference. Sounds like we are splitting hairs, right? We aren’t, and there is a point to all this. So let’s discuss the difference between inference-based intel and true predictive threat intel and why the predictive intel is so unique and has such high value.
Known Bad vs. Unknown Bad – The Struggle Is Real
In inference-based modeling, the analysis starts with Known Bads, confirmed threats that have already been spotted in the wild and reported. Inference looks at these Known Bads to try to discern patterns that allow the algorithms to determine a relationship between threats. If the relationship is scored as highly probable, the system will flag these additional threats and recommend you block them. It’s a solid model that definitely extends protection. But it is still firmly rooted in the world of existing and identified threats. Inference can’t help with novel exploits or new threat vectors unless they are closely related to an existing threat.
Predictive threat intelligence is different in a very fundamental way. A genuinely predictive model works with raw data or unknowns unrelated to existing IOCs and creates meaning by looking for a combination of other signals. In the world of machine learning, we call this the difference between a positive class and a negative class. Inference relies on positive classes, whereas prediction relies on negative classes. For a quick real-world example, let’s look at spam filters. These rely on blocklists of known bad senders, reputation scores, and analysis of various telltales within the email itself to decide what to block, what to send to your spam folder and what to allow into your inbox. It may seem like a prediction, but it is pure inference. And I repeat, very useful and very intelligent.
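To make the distinction concrete, here is an added illustration (not SecLytics code, and not how Augur works) of the inference-based model described above: unknown infrastructure is scored by the registration and hosting attributes it shares with Known Bads, and anything sharing nothing with a Known Bad scores zero, which is exactly the gap the text points at. The pivot fields and all records are constructed sample data.

```python
"""Toy inference-based threat-intel expansion (added illustration, not SecLytics code).

Starts from Known Bad indicators (the positive class) and scores unknown
infrastructure by how many registration/hosting attributes it shares with
them. Limitation shown: an indicator sharing nothing with a Known Bad scores 0.
"""
from collections import Counter
from dataclasses import dataclass

# Attributes an inference engine might pivot on (assumed feature set).
PIVOT_FIELDS = ("asn", "registrar", "nameserver", "reg_week")

@dataclass(frozen=True)
class Infra:
    name: str
    asn: str
    registrar: str
    nameserver: str
    reg_week: str  # ISO week of registration, e.g. "2021-W18"

def attribute_counts(known_bad):
    """Count how often each (field, value) pair appears among Known Bads."""
    return Counter((f, getattr(r, f)) for r in known_bad for f in PIVOT_FIELDS)

def relationship_score(record, counts, n_known):
    """Average over pivot fields of how common this record's value is
    among Known Bads (0.0 = shares nothing, 1.0 = matches all of them)."""
    if n_known == 0:
        return 0.0
    total = sum(counts[(f, getattr(record, f))] / n_known for f in PIVOT_FIELDS)
    return total / len(PIVOT_FIELDS)

def infer_related(known_bad, unknown, threshold=0.5):
    """Return {name: score} for unknown records scoring at or above threshold."""
    counts = attribute_counts(known_bad)
    scored = {r.name: relationship_score(r, counts, len(known_bad)) for r in unknown}
    return {n: round(s, 3) for n, s in scored.items() if s >= threshold}

# Constructed sample: two confirmed-bad domains sharing registrar, ASN and nameserver.
KNOWN_BAD = [
    Infra("bad1.example", "AS64496", "reg-a", "ns1.example", "2021-W18"),
    Infra("bad2.example", "AS64496", "reg-a", "ns1.example", "2021-W19"),
]
UNKNOWN = [
    Infra("sib.example", "AS64496", "reg-a", "ns1.example", "2021-W20"),   # close sibling
    Infra("half.example", "AS64496", "reg-b", "ns9.example", "2021-W18"),  # partial overlap
    Infra("novel.example", "AS64500", "reg-z", "ns7.example", "2022-W03"), # nothing shared
]

if __name__ == "__main__":
    print(infer_related(KNOWN_BAD, UNKNOWN))  # only sib.example clears the threshold
```

The novel record is invisible to this model no matter how the threshold is tuned; only signals outside the Known Bad set could surface it.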
How Does SecLytics Augur Predictive Threat Intelligence Work?
Unlike the spam example above or the models used by many cybersecurity companies, our Augur platform makes true predictions. If you know a little about Augur, you might know that what Augur does (among other things) is identify cybercriminal infrastructure in the setup stage, on average 60 days before any attacks are launched. And it does this based on negative class information only.
Augur scours the internet daily, analyzing changes in the IP space (IPv4 and IPv6), domain name registrations, DNS resolution, and BGP announcements. Augur takes all the negative class data and leverages supervised and unsupervised learning to generate potential cybercriminal profiles, labels these profiles, and then attributes new infrastructure to these profiles.
In the unsupervised learning phase, Augur generates profiles and assigns them to potential cybercriminal and threat actor groups. Augur labels the generated profiles during the supervised learning phase and adds predicted threat category information. Turning Unknown Bad into Known Bad.
The Value of Predictive Threat Intelligence
The end product is unique, highly valuable data about imminent threats. This gives SOC teams using Augur a head start and allows them to proactively block threats before they are even detected and reported by other cybersecurity companies.
Of course, we can’t catch everything. Nobody can. That’s why we bundle over 120 other threat intel sources into our PDR solution to provide in-depth coverage. But our predictive threat intelligence on cybercriminal infrastructure is both unique and valuable. For example, we predicted important elements of the SolarWinds supply chain hack and the Colonial Pipeline ransomware attack well before any IOCs were reported – giving our clients proactive protection.
Those are just two examples of creating Known Bads from Unknown Bads. Augur generates thousands of unique predictions every week with a false positive rate of under 0.01%. That means you can block threats identified by Augur with a high degree of confidence. If your organization needs the best protection possible, your coverage is still incomplete without Augur.
Find Out How We Help Secure Your Perimeter
Augur, the industry’s only PDR platform, raises the bar by predicting attacks, attributing attacks, and adjusting your security posture to block threats before they get to your network. But you don’t have to take our word for it.
Take the Augur Challenge:
Step 1: We’ll collect, aggregate, and correlate your logs
Step 2: Within 72 hours, we will send you:
- A list of compromised hosts in your network
- A list of threat actors targeting your organization
- A checklist of IP ranges associated with these threat actors for you to block
Step 3: After 30 days, we’ll send you a full breakdown of how our predictions stacked up
Seeing is believing. After taking our challenge, we’re convinced that you’ll want to put the power of Augur’s predictive threat intelligence to work full time.