GCN : January and February 2017
Case study: Cybersecurity

Machine learning tool helps county detect cyber risks

Darktrace’s Enterprise Immune System uses 3-D visualization and automated analysis to give insight into network activity

By Stephanie Kanowitz

To modernize cybersecurity in Livingston County, Mich., officials turned to a machine learning tool that can find anomalies in behaviors without previous knowledge of what to look for.

Darktrace’s Enterprise Immune System is powered by unsupervised machine learning, meaning county officials didn’t have to use rules or signatures to tell the system what to do. Instead, they plugged it in and let it run for three weeks so that it could learn about the network’s typical behavior, establishing what’s called a “pattern of life.” Then when the system detects something out of the ordinary, it issues an alert.

“A tool like this works best when it’s placed where it can see the traffic we’re most interested in,” said Paul Curylo, the county’s deputy chief information security officer. “We placed it such that we can see traffic of interest traversing through our core as well as traffic traversing out to the internet.”

The county uses the tool in two main ways: to validate normal activity and to create behavioral models from analyses of every user and every device that can be used for specific applications, such as compliance. Those models enable the aggregation of alerts and provide a scoring mechanism so that officials can understand linkages between behaviors, Curylo said. That’s when a person gets involved to review the dashboard and decide whether the problem is worth pursuing.

The dashboard is weighted so that higher-priority alerts are displayed with a darker red color. Administrators can click on an alert and see the models that have been breached, the clients involved and the traffic flows between them.

Threat Visualizer, part of Enterprise Immune System, presents a 3-D visualization and lets users rotate and zoom in and out on that network activity.

If we see “a connection to a rare external host, an [exfiltration] of large amounts of data, for instance, and connections with several internal hosts,” it indicates a critical issue, and “we can actually focus our efforts on understanding [it],” Curylo said. “You’re not looking at the full network, and you’re not looking at lines of data. What you’re looking at is a visual representation of the lines of traffic flows.”

He can also enter an endpoint into Threat Visualizer to pull up all the devices communicating with that endpoint. Even if there hasn’t been a breach, he can look at the traffic flows and decide whether they’re valid.

What’s more, officials can use the tool to determine when a problem arose. That’s important because when

Since deploying Darktrace’s solution, “it’s like a whole new security team here right now. It’s making us more proactive instead of reactive.”
– Rich Malewicz, CIO, Livingston County, Mich.