
5 ways to use data science to predict security issues - Forcepoint

21 Sep 2020

A key part of digital transformation and the move to digital services is data science. Data science enables people to respond to problems in a better way, and to also understand those problems in a way that would not have been possible 50 years ago.

But data science can be just a numbers game if it is not used to its full potential. Utilised properly, data science can help people and decisions to become ‘predictive’. In the case of cybersecurity, IT professionals may be able to predict bad events before they occur. Forcepoint’s Asia Pacific strategic business director Nick Savvides explains more.

“There is one thing that security teams, firewalls, antivirus programs, email protection, intrusion detection systems have in common – they’re all tasked with determining if an action or event is ‘good’ or ‘bad’. This is a classification problem, and one that has advanced over time,” Savvides says.

Machine learning and artificial intelligence have been key to the data science revolution because they approach these classification problems in a way that can lead to predictive behaviour.

Here are five critical steps in applying data science to cybersecurity, and how they come together to create an action plan.

1. Signals

Signals are another way of describing inputs such as data from applications and users. “Obtain as many signals as you can from the things that you can control,” says Savvides. The more signals an organisation has, the easier it is to understand what’s going on.

Indicators of compromise (IoCs) are artefacts tied to a particular security threat; they act as ‘fingerprints’ or traces that attackers leave behind. These can help businesses determine whether they have been – or may soon be – compromised.

“We can take those signals, apply data science and then say, ‘I predict that this IoC might be a risk to the organisation’. A system can then automatically implement controls that stop an unwanted action before it happens.”

“A system can also take signals from devices and the cloud, analyse them, and form a predictive approach. It could go even further and integrate at the network layer – not just at the points where the user and data leaves, but also in the transit in between.”

Solutions based on the Secure Access Service Edge (SASE) architecture sit at the edge of the cloud between the user and the application data. SASE solutions can capture signals from the user, the machine, applications, internet connections, and connectivity. It’s a powerful way to use signals to shape prediction.

2. Behaviour

Indicators of behaviour (IoBs) focus on events generated by users interacting with data and applications. They outline how a user or a threat behaves in an environment.

By understanding how an employee or contractor typically behaves, it's possible to identify high-risk behaviour that could indicate a malicious insider or compromised account. These work in conjunction with signals to determine different behaviours from different actions.

3. Context

Context combines signals and behaviour so that the data can be interpreted. A behaviour might not look suspicious on its own, but what is the context of that behaviour?

“Something that might seem benign could actually be malicious, and vice versa. Context is important because otherwise, you won’t understand what a behaviour means,” Savvides says.

Data science can provide context that can then be used for dynamic controls. Responses can learn from those controls to create a virtuous cycle of learning, making changes, observing changes, and learning again.

“The end goal is to prevent bad things from happening before they happen. By understanding context, security professionals can identify the risk and have the system react accordingly.”

4. Automated action

Automation is an important step that frees security teams to focus on only important things. Automation is scalable and it can take care of the majority of cases that need to be investigated. The key is to have the right solutions deployed to enable automation and remove the need for manual intervention.

5. Response

After automated actions have investigated and triaged all threats, IT teams can focus on the top priorities for further investigation, response, and remediation if necessary.
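The five steps above describe a pipeline rather than a product. The following Python script is an added illustration of that pipeline and is not Forcepoint’s code or anything described in the article: it learns a per-user behaviour baseline from a constructed history, scores new events by combining a signal (a hypothetical IoC destination), deviation from the user’s own baseline, and context (role and data class), then maps the score to an automated action tier so that only the highest tier reaches the human response queue. All event data, IP addresses, weights and thresholds are constructed assumptions for the example.

```python
"""Risk-adaptive triage: signals -> behaviour -> context -> automated action -> response.

Added example with constructed data; weights and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# 1. Signals: a constructed indicator of compromise (hypothetical known-bad destination).
IOC_DESTINATIONS = {"203.0.113.9"}

# 3. Context: constructed user roles and data sensitivity weights.
USER_ROLES = {"alice": "employee", "bob": "contractor"}
ROLE_WEIGHT = {"employee": 0, "contractor": 10}
DATA_WEIGHT = {"public": 0, "internal": 10, "confidential": 30}

# 2. Behaviour: constructed history used to learn each user's normal hours and volumes.
HISTORY = [
    # (user, hour-of-day, bytes transferred)
    ("alice", 9, 2_000), ("alice", 10, 3_000), ("alice", 14, 2_500), ("alice", 16, 1_800),
    ("bob", 8, 50_000), ("bob", 12, 60_000), ("bob", 13, 55_000), ("bob", 17, 48_000),
]

# Constructed events to triage: one benign, one with an IoC hit, one that is only risky in context.
SAMPLE_EVENTS = [
    {"user": "alice", "hour": 10, "bytes": 2_400, "dest": "198.51.100.20", "data_class": "internal"},
    {"user": "alice", "hour": 3, "bytes": 40_000, "dest": "203.0.113.9", "data_class": "confidential"},
    {"user": "bob", "hour": 12, "bytes": 58_000, "dest": "198.51.100.20", "data_class": "confidential"},
]


def build_baselines(history):
    """Per-user baseline: the set of usual working hours plus mean/stdev of bytes moved."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for user, hour, nbytes in history:
        hours[user].add(hour)
        sizes[user].append(nbytes)
    return {u: {"hours": hours[u], "mean": mean(sizes[u]), "stdev": pstdev(sizes[u])} for u in hours}


def score_event(event, baselines):
    """Combine signal, behaviour deviation and context into a 0-100 risk score.

    Returns (score, reasons) so an analyst can see why an action was taken.
    """
    score, reasons = 0, []
    base = baselines.get(event["user"])

    # Signal: a direct IoC match is the strongest single input.
    if event["dest"] in IOC_DESTINATIONS:
        score += 50
        reasons.append("destination matches IoC")

    # Behaviour: compare against this user's own baseline, not a global rule.
    if base is None:
        score += 20
        reasons.append("no baseline for user")
    else:
        if event["hour"] not in base["hours"]:
            score += 15
            reasons.append("activity outside usual hours")
        if base["stdev"] and event["bytes"] > base["mean"] + 3 * base["stdev"]:
            score += 25
            reasons.append("volume far above baseline")

    # Context: the same behaviour means something different for a contractor touching confidential data.
    role = USER_ROLES.get(event["user"], "unknown")
    score += ROLE_WEIGHT.get(role, 10) + DATA_WEIGHT.get(event["data_class"], 10)
    return min(score, 100), reasons


def decide(score):
    """4. Automated action tiers; 5. only the top tier is escalated to the human response queue."""
    if score >= 70:
        return "block_and_escalate"
    if score >= 40:
        return "step_up_auth_and_monitor"
    return "allow"


def triage(events, history=HISTORY):
    """Run the full pipeline and return each event annotated with score, action and reasons."""
    baselines = build_baselines(history)
    results = []
    for ev in events:
        score, reasons = score_event(ev, baselines)
        results.append({**ev, "score": score, "action": decide(score), "reasons": reasons})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["user"]:6} score={row["score"]:3} action={row["action"]:26} {row["reasons"]}')
```

The third sample event is the point of the exercise: Bob’s transfer is within his own hours and volume baseline and matches no IoC, so a rules-only system passes it, yet the contractor role plus confidential data class lifts it into the monitoring tier. Adjusting `ROLE_WEIGHT`, `DATA_WEIGHT` and the tier thresholds is where an organisation expresses its risk appetite instead of writing more rules.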

How the five points all fit together

Savvides summarises, “Data science is used to collect signals and analyse them. It also helps to understand users’ actions and apply context to those behaviours. Automation is used to drive responses in a dynamic way that is a result of real-time changes in those signals and behaviours.”

While organisations manage risk all the time, Savvides says that cybersecurity is still somewhat stuck in a ‘rules’ way of thinking. It requires a change of mindset from a rigid policy approach to one that is risk adaptive.

“Often we think about policy violations, 'Is this a violation of policy? Was this rule broken?' Rules are great because they set a baseline. But what we are dealing with are security events that would fall outside of those rules and all the signatures.”

“Organisations still get hacked, even though they've got firewalls, proxies, and data loss prevention tools in place with thousands of rules. You need to understand what you’re trying to achieve; for example, predictive and preventative security rather than ‘rules’ to stop certain actions.”

How Forcepoint can help

Forcepoint democratises security beyond static rules-based policies and instead helps enterprises better understand risks to make smarter and more targeted decisions.

Forcepoint combines data science applied in signals, behaviours and human psychology, and uses automation to enable any organisation to improve its security.

“We understand behaviour, insider threat risk, and we combine that with data loss prevention. We’re also introducing new product classes that are behaviour-aware, starting with dynamic data protection.”

But what about the future? The network edge will become more behaviour-aware with dynamic security controls. Forcepoint is building this into its existing and new products so it is ready to help organisations understand the new trend of behaviour-based networks.

To learn more about Forcepoint, visit www.forcepoint.com.
